From 09ac7385218e665e6896efbc45b61efa1cad1831 Mon Sep 17 00:00:00 2001
From: v-rusraut
Date: Fri, 10 Nov 2023 10:25:12 +0530
Subject: [PATCH] Repackage ZeroTrust

---
 Solutions/ZeroTrust(TIC3.0)/Package/3.0.0.zip | Bin 0 -> 98745 bytes
 .../Package/createUiDefinition.json           |   2 +-
 .../Package/mainTemplate.json                 | 243 ++++++++----------
 Solutions/ZeroTrust(TIC3.0)/ReleaseNotes.md   |   6 +
 .../Workbooks/ZeroTrustTIC3.json              |  40 +--
 5 files changed, 138 insertions(+), 153 deletions(-)
 create mode 100644 Solutions/ZeroTrust(TIC3.0)/Package/3.0.0.zip
 create mode 100644 Solutions/ZeroTrust(TIC3.0)/ReleaseNotes.md
diff --git a/Solutions/ZeroTrust(TIC3.0)/Package/3.0.0.zip b/Solutions/ZeroTrust(TIC3.0)/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..4620f23117e7714b8808ee25917e02c2ff9f59d3 GIT binary patch literal 98745
z#T|M_onV`!9`X>z6XAb=61q&IW<5Jm8RZ}RTetpss_T-2`rcY3L|P{0c4en+h8xj` zwiox*iN1b2Rq4D{gn6f^;N}4u1B}492(835xS~V)sHy5bqURr*XJh)cyZ|VuMW()& zx}uBRWvCrsyEu;3FNdEC3?>p0+J-eXG*F9KkNPwvN!8{jB*GN@HQRm8!j%oJMvWQJGqC zU7`4+PHG39D>8}kv}cEr)zQRys(73x7%`qPYAT05^id58bHAQmu>%c6Yw&}+TSsAq zES_-)Xz@OCS>RhxWc)?u7W_f??S$7%MF2%vQH20$C5uEk5w+Bbolx@ASFiAvL`u!I zk=lpvOQSFgc&(p3{ZdH8prSb~_g~iWV5Y%838%I6=me??NfHYKb0^c5l(~_m`e*qc zmbr*L=Xf7I=JaQ=6A+k6m5lLde#01ECY55%73|@Zm#h~ui7k4M&<$I;{%}~|dht0H zaDtgk-Fu}5?JS6irmkbEQJ&KutH|?UPk^-PaRtW9P^qO403?zujqS;$*ZlPs5yT1U z34LaKYkPqbj#(WEX$RsS1%3?nzox-0ort`POq?9%QiAxh=@O@*7Cpp^4VCBUU)*H< zq)0ju=HZT0N68_K+DRpa!W;ZgJ~uM!fa$E>|KDn>YdPxwZ?(l&iUmNAe(*1dba9UM z441pw2kU_cS1%#%GAXLiZ*i7ZkOwkiSwScMTmwlsPjR3blOv?_buQCK4ugsU3E?%C z=GVN*NF*pmZ4qoDOs>Y2We$Mn4m0FA!l6prK%^6yTJN8ozwCzCkmkk3h5B>++DjF& zIuSNWG^!mHF-Q@OlMF;G*;^K1gl@W`(NH(JhjqG_)wGeNaffqq_)Hvq6tYvAAaS`A zziT-(EcO40CCAVbwF!uU0Y)G7;gki>L%IAG^||xuC(+pU_}MxUggcIeb%b+=9%SAg z4w!zD9}7*bUtPD?03*^_KQ5BgKJN{N{)5Dc3b;LcNsIfs^im}PF}mUNgPOLP3PmTR zOev(vGCbrJW9HhYoARErl#kkfk9>b9R{otq@w@+Y2oNQx-e2TZJq#Vt-z}#w$MNl^ zHuYxaGMB*dvE9vP-$q#3S>2|27|#yg({nw5_lz^@RAP87ukb1&pZ!TQE~xx}35pXc z|CgY6&a7z>7=ohmaXmiy7;hHWdD$2F#sD$-7@X3gl-*8+EY+O{@F;2C(Le=KE2El1 znVLB|%}G*weumsN-6rnNUKL`S<++$t7mtxI3d?Rxc*AS`3Dgv4i!a?fwUaGUIM-_| zI#&0J+?dpF6LjQJ`=p=Cet+i7myR8VaF`Eh(U>!3=Y7S7@Ze)UGltf@RBmyIH3=r%|9Bir7Ng%v2 ze1CE1H;m}57y548Y#*tugbo-IZM#blk~v+tKm-gjQb4p);p2~O&l`z!FNKy}vBc}o z=jzWV?|SDwbomY11;p9UwKNl~KXyxr7x)y9lysyDxlMV!EaOv6qg5rXU)P`b{kwBa z>@kYf_1>Sxr*T%{eCbD~q3-wd=rFywvn2d7LG=GYufLLzw#MVTtsO( zo&%3wd^-SS{2QM{&H!FnPs{6Z&2>qX>;$bKFU5sn?eBCXKiT&V(#3GUHK-9jPSDPV z^c{?;xutR@i z=Pu+Xeo?gxi4qZ{@~p5bEmxgv3Oxfl&fi=x73{NEy7}|?ae%htyASi8KDBYy`tyDn z7pa#<3796BmI>r1ZC=_~UqQFBZ1eZtw0r-5%*kkv3uGug92%CU=hR}ELd`$PL|2mW zA}_;CaukWFbk@m;6t!=LKm{T%cjephQDJ$w(Ak4Jx z3_qt;wydq6LskC85p1q*bp_?r+-9*e4AgGrUAyYo>DzU1b!~NZbp`#FF?GC{*~DzY zo3*z1O6)f;Q7XDK%Xoq8_5x8OE~LQErXbl(-r1sXj&~dy0~K*T-QJ2esO)@OLeH&kq^l9!QV2~URfsC 
z2E>rtHZo=1VY>5&nsspzcjf{df-5`9jq{YW-&4=YqF#}KI&yku?&4P*wzx}A{D5IB zWh|bgaZjpfLaQS(HlNi@SK9x->a;|;lzVZrvQjiE(F{0@de3!87}*|y?VoSkAMIC- zzEJMh+0=idRxoYW^{2R~`~oj7Uen$34$|RFD>$zx-l7>R_kuMs58!MACdx(}0S*S@ z?$&g4zd|&j|Ac7zL30NQr351->lv@r$wK_V3QW3%KDD*JtLClCz>)C!XDPa(T|UNv zjxRLJ*L7B+ORl0L*%X`mGAbNZAdC z8L=eLYg)%JbS88wl5gRIOHxV)9Svdm34wlBJW z1)9i#L5~BI{%~PGbzx|-+ z#9W?Jrlg=zmsT>US^k?H&@uHgc~}TC%?MJRyZE23Cudnoj8CPRXy{kh1Lgmkl^Qbk z;m(E?O;**P(OxRfLGeExS*=Rlr9(a8eI^M3L^7C=9lWA&G|rPxXHfB`IT=5k{q) z=L_{6s+68FiW^D*(=MZgV0kmRn|Lv^#hV2GAEw?ZNVKL47Cdd^v~AnAdD^yZ+qP}n zwr$(C-F^G}@5Ic!WK^x^iXE|YB^s&}^A$XM<-P=&<>e@tDE|xFGE#`mk?NYWoK8li zDIA#|Cyv;TFJ%GnRE>J-LMS4(Mv5^1@IYB|2F?t8e2gT&>0N7L9nyWj$Etzc1f^Oe zL-1vp^Ys^ImoMd~gI#3f^X(3OJddKE$Gk1Zr_*GNJHRkyV*-*ogn8LtQ>>h0aX~Jxh5be$2oKs6v=tIirj1zHrSIBQaD!Qms=Onpf-1+_!t>*~L6sR1q-9qHXAg(ODhf zy;D*vak!ed4ntRfSiqRnKACD3v>r{2Z^e~vR*8@yKq7FT#w)>^uq?>{Xve9~by&bx~(bxlu>^&h8Kscq4W zj;r6_K;X_uweIIaR;zO1GOKU$c5-d=nuVd+hnTzl8@G*j0iwjgwZ6<@o9&9a@yX}4 z8Ek0)@~64Z;k=w$8}7SUB0!_It%VI90|Y~DG4=~s3Zk-|1q7r14^#lLkPs}24 zIRZr9nP0`(n2T;)*wN_VQB@FJjNl*W~cAPBF%nD&7RE^9b^2S;STDStY!1kTT z&=#xVVgx?7!=z50Z^4GMDbecJ!JT%oGjSJ^$nex)$zLjrW4qYB@4A<%r8?E5$t=%& zrMmj-|mO$s@DsV;}i};1L0_=8W9+hZz_$9vNHI|k1)vFHa*3?U&@Nnwsf7Nhj z;fEgu11UvHl}u=LgAH>citGcxZgr|G5k?x^KssDvG3OkL`l?$Qv%g+c%@9aQ1?47w zylX!w5CJNGFG~MyUvz51?T9ov{TpL6ZC$xI<&$Rgs66il zQG>KZ39dm@PGCe0tK{KAtk%%;eMuDVA z$hmQS6*rz|3)@1sQE?CVZ}t}^(d8>r(nPhEoN<_xDarsfe@QBXr>vkyYPUJ5=K5{{ zJd z(;GG1JcHM-a3L_mX&$1vK|RtrJS=gabkAC<>sTeuEc>^S2MdfB2uq3hHCI_p9bC$yb;t~=*{m}$ zDFQGFSZylov-oHs_NeT7k_CGhune?6hs-I=`!e|dOEI0 z2f@AWIu+N9b3XKI$}r|jxs)ma82Y}kfP>M6!?+?#4SatC{*nrqUHI?`PwFS7E+Olv zYSpForVTA>NPThR-WJiH+Mn=_-EB%^cSHSP3nh%FD!%yp)W^p%+ykPD?_?J%pLh;;aQQRs_6Ez!|(^G8c;w} zRIG!`(~Wvg@h9CfiAv8VUg9E6F}aT>ziXW91iWih`7S{&W)oH**Qx_lAh*`4`-yU8 zbDDz;l9Ufk(f}1p>STu;Y32S*zbm`E^*oArPoFJP!B<_I1PbSj{L?;^OHz8vptJ49y;jeCCmmz93`*@ z8OabDec<)glVAGAoF?LPj`R86`8Ir`Wbe)eX3GZY_W*PG4GrH+_B`K)M9;G{A1wzMeg)1rnVsXYSv`2X9xU~vc3FE&{3_Wxx~{K#uUa;^T}(<= 
zoW7=&cip;gtllPeJNs2}WD<(ek(eWWzyo|^e7cVfpoOCMlhwU&t4(-dxFP-(o~7^_ z5rzE4B>^@^2TK#4sSRdRI1Ln&5%Uh1DyB7e)Dc~(xr_8xX$-=NjVd~)e!A_?9rkCX zxv*zmNxwm_QdxM0*l@$=<}n9cO7JhYi1J}K~qhoEu zapMcy2mbOtuO}=K;KKWlr+v2D`QdZ&Dp#2>iLuF{I=nQlc6iSZ$~{bKwpa0JBSlM> zmmp!R9EPuFOda7Y0m-5T&ztVCBWNjv?^i%Q&AHc{3tZtc`8oP9R)MuxkpQD8PgyNH z&PU>8NpyflSE6!WW!+@iO{7AJs8iN^>5ytSkypLy8eKic^%9J6df7`}gX0*&2O*Ev z9-y1*7I$UzV~g4zQWy&0Tf4a)KhXFOt%tkAFOl@WXrTogySH*{`N}bWP#w6C)LB?_ z_586=?ctqy5maU}2ahe9xlE}|CygF@b=pVw&kOm_wtgUu)b@so3!SJk`=X_EJn z&IE&PX_YJp`$XxEFheD|B|@Xoe4Zby=zvoNY}BKeJ*G4_!rbX^W|2BGvk28qNN!r^ zuExJF38l@aof_Mumtmt;B*(IEi-`O`;!KnO3@By3urFw=w}z@ZTAfg9w%QZQ4Jtd>xLt{^ z_gRLrKfQIxpA(5JN;7Ux^g&z4F|3*3cU{WCB9{A&Hz!;Q*>+eCvH=b!FD*0dZg?23 zy||;{Q8sP*zWxU}N4_h713qTE-}QG?H?2paG7M4L+p+0J<`fBhXqU_kVJD;ImEiy? zT5$l?$fBbAQSQ&q91MpTT>j!knhtK2*N*=q^YB>fA^Hjcae)*r&rP$-SjVz>*dUOsb%0H#2$}g zk(t;=9*-W;iIYQ;?cYe><3^wWtlywFfy{nJ%W3kQ>7xcFQ*V`}3=H?dG;-TcUJ*03 zVg-Tj!K$#yOZJzV5&TQ{XGTj5UD25uKmFbx#=Bp6J_3I{$t>$5NJLLW#ne7ReYY4%Kb;ZEl;Lgt!YDVdcy~1mg^(j|yeSHJN90 z{brf}3UrT2(P6g739O9qA#7oaV3aqtSz<*B_%L*4jx4ViLOPaEVlC#00bd*+=MceG z&G_0TA}qoHgs*H$xpPeblwNAL2oS{g<#Q*+mJ=+Qn- zL1~7+i0(cuG=UR)Z+H-*lib_onVhHwE32{MGBhSZ+zfXMXGkt5F##irII}^41TFpr zM5hotsjWJEX-p!zu-J7O?hnu6vu2H{?lR>G3Tqy-=i!0KIgfScrQlIe1Ac&QWVEuZ;Hk&4Euuf8&qNXMHkUpJGJKk zRc21$!SyC?_lx#r2ZvoY^UY1~fc4&ejLK_oX-YeJRF>ATP?~@=He>mlZ6ytxUO-I@@vqUu<}&@r_v)>zW$3_28H1)hhrj z%$kyyiQUo=o=mRIS9q2!V}`~SU*eg+79eD*3-GjO?D+)#hCH&-Ojw)dJ`RY3M}_kM z16*#P)r|k8?l4#`=-vf-&F75m=y+K1d>YEuZWK6~eQlp2m&n1?SrtzWq$mh6knV9| z`O;P$&KJ{?h?xP}o?`B8m7W?L_VeKaDr*m-9KI!sdV$NF?#H;Q=4C#}-j^v2%(XKqCk833yN` z2#OL=Q0{7LLj^o5zi_QmsUo6lPr?6#(BUdh6zn_UJVN~?_YO0yS+ygQY(*!9jg9Ow(5&XY+O$Q#)Si0mZtgc!(6z>_AmoVKRq{amDal#8e zUC3g%9~(ngbamA|C{%h=Ly$LXkCwy>T>{CBzr8Zlfc+1;0E8;zKj9_@6d(vV2n|_)xv}C;K}aEf3wy-7 z2P5CqP`N`~!DlTxCw{5WUx#JQZw7f20V>S9d?LE`h>W{ay3(3xhM5AXLd8r4+{rAe zh?9zQ>dT21eXcLL?3_0YOdyGFc1IkH5=WlxYT zyyMA0@U?X=HeynY1l5T+p~a#zDpul!l5WMEOT4WUWwiby;X%~K+tH~BowC;f7wF!t 
z6fDo-9t-rwEUCmIh~UL@Y^iUHuK10RHxqK9iHoY;bA#A=6Esbl{^Am-A@eNvG6dH8 zRDb+x{t0X5fS_Yha{6DDSoqhHg}qTmOc%T?eS%XziJ2j|R=!s$F~0E%UJtxEhn)x^HkaL!dJ|I;A>Hyw<}1Hz@!t_hPX zod`agpNbWsUr$Ez9~7_uzO$jnMp-F@5Qk`f=C9N%07@)U(>XOl_*vqAL+RgEyt0sp zM0uEDt`oguRDiRGK3D zi+m}G6(Hnw@04=}Sj_K~UC;uDG?vVJ_p7M3&BbA@vyt(9pt^%F_t{z_vGc|U+eT<> zkduaJ&*KMXMoMr$URkSNpGaGc%2dxqOUwP_`CJXYoDPXsnLj=8hC!@!yjT{O(r%(O zNCgIH7P|YV30e`h8V1#;6lSy%b^1|!jP6uij_4QrJbN?VaPU+(Oy&;IMFuP!gt6jd z%$zTxb=gtOC>YjFOA2YblIa zwiV*m#KgxhAw`-1*OcggNa`iA(!vRTJa8maL_GqALeB;rK>n5RftH7(XG=>1IEA~6K);G+zoo_5xR&S;=EpN{lG0x!! z+Qe(M$sH=Z%5ncc zOWet1Pj|ebc3GnC`kNeW2Xw$5T5NmAV3`wEmrM+ zMLr>m&;NgG+^ZQd*UWkahG@WlygkrwWMs;cq_yqKLiA5(cbZRT$Q1tX^nOmW*E#7hZv@GXQiv-eh$22)OmAy|LAZ0S-g1R-`GKnm=6YJ(l? zY>CCnHQU{b@=8lRumIrPIvlUgHalCmT95h^NLCK}{zq+%d0yD0q@Sp!Ux_4B|5k-$ z`Y2Jg@gzQ=+xMiwt#G$yIklrgt}Rv4j^b1mQ)2Mw^W6_=R~$(;OP#2&#VI1=XEf9= zehKEE{Q3EG?I+FSY=b?p*uOcWq)TAEwF8x6@q8MS;5g!e`}=mFSTiirO=Z(X%vewl1{~s>ajB@j{CBBc4rUvRu%+~RAI59 za|PM7raE1P-3>aoF{k|=pTFxhY&cTsUWi-dJ;T8ydvLN3Uy$ z(EFD$s7Z%4dyw`53dfcddoMRjVB996Z;!u6L5t4Wx4Z@E~$ zvN!;B5DdR>qn1;lcHy~VI+WflgRmSF2_d(D8pyHX=oSaaJ5^NFQLxv@Gi2l>Z$iGk zb`IOjd2LLG)&Aw(b9D{vuhp_}_KJONKyd7iTV)3T)e! zod*`JniceRtC*Iyn=AJK-8HM+*MX8YWG0slTlVZ{=iM&pZcJ!Tmk<}gUyH(ylS@eF ziS^yI?#9n=H{VN8c84 z$6t(;;tP5l18Agl79e|mS_g%|+2PF50fSYOJU|KuXvDO^8wt@qgEA9+Se?@DV}xTR z+Zz!6J4Q3rXjl2L%!SbOiq2@hV^lZ_IX@?tyj;$Qc(5^rYusBV_CP$8IG?4F1B4NS z*Pe?Q^v91hnX#zl@9qsd4db0=UGYmckK(2Co3v?N8=IcJ)~|0K3)?*P#4kCi&8bb? 
zqk08D+(lzXcI-Lz%Rpu7%RU0Kk zaCkVD1mr>N2!w#zHL2Ze=1k)bgEX)#_Z`ctE9NO!_vy2n0icuKIt`DfC^j_lG4mng z&ypH^ZNKwumWA^+D%>Vf3NAcAe6a^lCVZrF8y!w^N z(iyqAz|KG25hC^6oIC98OyHiGTJyfmTMAd7bE7=X<|i=&fM<;lqF0~vW6RuEpK_c& zo@3Lv3!CKj34+NT!W3+~sB-bn#id!~C=XAG`%?7&b@Sawh>`@=_(j(Y%5;mSI^j@E z`RN6CSCVoc@}Ah;NEMqZ5&;g9>5r;lTc1&y~z zOJo%MdWxhdN?;<)MX4o;-wF_Jovr5ykVA@`n3f5hWa4J;9sPRo^Zg7(!{YHt23!pP ztf|!HT|11i<|6%D?IY}=-?%XJMNy#>5@qZZrNdkHk3}TI&&1Za@q~HbA030k=R{TI z(1$F$HiWuLl|#*gOtbS9D218?8aXs9f_^8}>iFg0_I61)kkDu0vJ~oUWQbnCbylri z0cHl{GU-_z>K&~Q!v-uJ4TyXC=(QRn4)SF-LH5`F9N>TKmM}eL;Zb0>?0lI4SL?U( zz_jj0GZD~Y8;yX+X2;#SUjqy09~*==Md&(o-PYeJ)MgT zs%(}u1C_Faqpl~xlZWo&jO2>$jHEcq1Iyrs(s}r!56H9sM-&JIbd@I0*NpEoB<`FL z@>D1cxCj`RBnRwsG?N>>(w=I>j|*?J9nV;g=9~^9TuAja6#|XI=;uM_2Yb+huZZ|g zm3cC0F#s99Sj9ntTrsH2fBgtWr3^9%WvTpFBwNS3^25CEq@cZvRsjx30N9X*(h57v zr6r}PE)%48)V8~Rs?4U}9;lPsNt&a6r!QVlB%Hw{laFyfV-l%*OzJ#iGH`zJcDq8} zp%~fWa8oeGNlv&B$!KpuHHVte`c+QFLIS3Wd?{W2KbY@t!c8T`{63~CIB?qbM0FAI{SIDmO$frqV(SxDxu=W-+QT0WHjBA51>8J>8! zh{10ouh)ZTne-Hax(%;T+W;w>v@eefwQqhmc#90jd!BZ3fG)V!{@^z!SHwg^DhRh` zv4S2w6^p~Ak%mIe1H)M1h^{OZWO6^9#nXBn%239Y{FUTrgsllAb(TV=tHi1q=eQV4 z_@=na`Vk48P@W>4ft*>G1)zCKk0Rs6Y8}>oa(;h4ih`$XtAMsdD54_SUE7k>J9;6H<8({1gr;*10 zH=*(+T6(ICE|xNoMU5#@kZT$3s=M|!L8gi^@#xpU&w=4;J1I;Gd~(xa*yA)?RtWFY zqjnpFX#gH0;DsS+h%au3gdp@N=fs71QWrEiN}UxU(5H>q;{XU^7i z?4~wIQ|z`J{(JxbV7h8+_P@zL5&(410_K?<_Am9PN~M`bf-3jvC2O;#24!xGrH671 zd3$^Fr3Z!5?4W4}c14pj`38);aiy6NLXUf~w&Z8@4jM=HI+4CER6O*FdH#m@pdJW) z>C-0GV-i0|>4sinngURq-j2U2%9v!LF{5aPV25x42;maiu@LAW0DIGrq1=N?31-D! 
z6u9m6+NaAB>-uTI%SwD!RF6iRW`OM_e}XgK8hRbeQlD7SYIbAIQqoTRZg6D7PIDVW z3Q$s;nHfH4WNtXx){m}dbJ#(=yavxIe05Q@ae*HaXGhla1|WWZ7ab5I1{+=wzD6{> z+ITs$dV3reNW&l*iiCYf%xOGTW56`flV@~%UUXNa)i5l`!BX>^1fuNZ) z!IS9hHw6D^cyAO7lhk;nB&PqE)03(~$&a5%CnsYobFoSL*y92NjE}}uGaG~9*HCEr zaWb12I2`h%zEpbh!zaRJVkP(3agSgvku_%|;#7*vb5pM=Mk0)LQ{G$^)n~K=TUo9u^LI!EjG>Rgr$2Mys)e@Ud1dUcuqk^oe|4xte zmy#p$IEl5?8J}!j$hgOZWf+Ney1*Z35T=4lUS?6^JWU3(^Dtt;O^C>A1agSj3HX?7 zdJF$ZT6g_i^IUi1$L+|TV%~rK3=A`LAqI8@q*>(OxNFnlsK+dh8&nLV(-iHgn8}eJ zmj;PLRuew%kpAoJNR&V{`kC?h@-Y>&!+x~~|53e>HNHgu#k= zHQ4YiF{VW3PHXE42t?YO;u=UL2Q&X~wMG{RMu zM5am-^|h=;!5Pw0aha_5#{2Dr-3uf04Nv&V+RS){Zs=h&Y+;~;J5i-E#jWtFLvZw8u!}j7|WJTu9M6k{dI+{O>km%+)pzz1B3qO6}`GykCPr1MA@)^ZHE0`9|cji2(bX8dQ9UM@V8Lp zFGbKEiImZGy>G{X0x5iCNr~;c8HZ|Ti=23p9e@ZH?$Jlr{TQvlFPiHk#HW+Y){|YP zdeS4tf0Qy>CBY&vSR~Mi=Oe_2MMvvJJyV|o4C;Pvx-(wk{3s2twUlDvJ`6--35i@| z)xPIlY5OUuF8YOUTuVI4r%-}fG)xLQJmFWP63``L>s*W zWNo%@OHKqCUZoXYI>RP*6pl&*81_YDp+ZFbpNq6cb$!mliX-b$2kA)u)E~qVTs7b? zt1vz;MV82t_b`chIO?h9G&hbj6HYa~G|XuaVSWYcJi9`$5^7I36`f0{c#RNd7?yo& zz^gWduJdoHwF5?uVo@xb%wvIIZZrt0V>UATEI9t7A;|z zSLH4LUpQYW&5Mrk5@5aH5igxHbd{|>p9aUlPzXd7D!iD@Q&Hh?B)ftpb|h1rN`}X# zeN#T?XEcKe3}z&_ZKcM-~Oxk}p!0L2TrFxrjjUK-xT-@^uQ9t0$KY#=3V_s4uy zUShBY4}~4g)H&48c!XiLlHWatMhf?R_0!hP%{dRn|4!WM%rT&q>|pKj4}_82CurZj zjb|#F1j{$1@*uhf%ufnW34M`ytLuHE6B@;}loDQKDKl!$U+~aPy$?WzRtpyOf99vdlpO zepnEyo>!%?!0LL{$IUrH9m>HAEWpIgeK}?dSGZ2p2G!2d3Y}=4FSWAkg3)%D;EQb6 zq?Ir8e|NPAFkOwV+n-vne-()*dsHeo+f!4p0Y_=N<9BWYmcAKzb|s`q^lKOBtAQuS z*2zcvwp~x<(KXnKpinI#_H1_B1VyXW#h{ZjG-qfIY+hM(O7t_`$%YnWg97qPIYS>9i{*Oyl}PaBqVwDOW< znP84)iY-V+oDcqR*+BizF?23G@1~xxBiq3Nf9P_CuCN*(-U_PS_tDyc*cN)*%nyZv zx$Kwg+w!Bk^Z5SiGLzqfkeRN=xjeFKES(v!{y~`P)u@KAhV#Pt`Ub$ zaDQi9FQhm~%TAXug{IuGX6AUFytZo7G`ZZ(NymBh?8jc(!U^V4&22iN;H@^?3$P{S zt*exR89Zei(7jN*HQme1NmI|i1ImK7XnxGUP~K#z8;AlZNg#{Vp|jIs4rbiI! 
z6W3t;A$hPc&t0zk)m|19O-eEjq?*60Y*;j*u>|=F2vx#s5puwoFr~t8nT^XAy^F$g z=X;-e*EWV~0C&T(dH-7OR_)Zkf+hNls(^nZ?5CGaRqjPuSSV#vn`3rP)NKjYhyS#N z%TXzRjH4?zTO^!sNMLL5OsVOD|Cv%bQq@IeZu4u4Ht zl2+LQ___sa4z^X8j0rEE~((UOjCqHcMOOEP;y_;~4|+dA?fqd@LFG zmF`_TxNOu7MlI`PDAyTZ?F)1-mK8hIH!YmZ8kQIgqC00TpwtdNvv!lqeY?F}wwv8& z&d;37-5aIMRTM1=vp8WVkyD2_-Xaw2jv1pI78PjmCRNA-;yK;Ht{@b;Pg+>F%~UDC zjk<`CEN*>7uF$b;Ks7Q!cFSb#i6Rm?`I3L!jToVY*|St#H8$}Ck4+#S`gafVFnprC z@XqCek`XRIO>iCXnQ_!{jKn~JvjXq7QZLqPU2XU(@6a?>M>_a7#rqQ3X^pKRTY)M7 zV%ZeAF$S?wKkq#L&VUpFX`npn(1j&tTsY|N%_a$1ZML19Zk7@u&(q1|4sEG<^6kHhg2=PKL9BUZ+KWhL&fDRd%}# zMXAy}_#Kraj4*bwA9h(t?+M58Bvzp}bRPSjC}nNluMbjn8dA+%BZ`QV$sV}wdj+6N zY%ziVX&*C*3lmPC^Zti_Xb%c~sW#Bk8+MTQBUWOp5?BxwC)5qjy6_3|@FnXjzs9Pd zol`jGXxhc~ZUGsj^$2m4Z-Jz25-A8?O*`5OQX1MIe%WHSP(JU4FyrLS{mt+%6xIhlEr{duC?TYWsI=|O=id})?vdWh;aL+im^rRvx{#9MUb)15AqIGWi3yuY-&Ykq zolU*E|Fzm-)P$n*VNErOPJNQ9*sjy<_ELByH+k`>AgyWg$&OcS?~Zzn)WAM= zi|n5JT7a}~-DIO&-tl{kBozE)^@X!%zz~vD-iE(a!gL;5q}N`MqRzT&qq1axeq16X z*IjU2c`!#RGL~c}K?-HHCu*#OyuC^teAw(>B08LUVRi{z?ll~cEyYLy_nY7TQB#V} zEJI>7_L2RpYsODG-h;kKw)QzPXcVfdkWW`|y|r-52Ro3Csw88}FrOw8m`01unG0I@ zO19e}Ws47AV*-uPnZDm+g(VZ7v-B(0OgLhr-{ymWiPV(fo03Ru&uW%~ci~?xl^(%})GT|DAsaw5A#%zy>=&cdT5& z`v(ZicT{okI}q{rprV+Q2Z5#mZieP&0c|X)CswJ$2##Iry45hpnGa2UnwXP1p?+-@ zFvm56y4~5z7g87L%{nz5U+#9>Lxi6m7t=#?K|r4NZ)FnFRklMNLd_W!gnkNOO3KH_e53)Ict_ueTjKB#5Rltzoq z{x#mSiqzQ(RY_HY1F?Y6Pm>S8np=aJ2tR>o9)!e`aA!5F7Ol259#6c7@t|R_nxRzt z)NS*)R!kSw2YI-Lmof1AIR0Q&1)Tw~I)S5`cxmL7Uy#vMl@2&d2?Mi|978Vn#6pq7 z16yW1?XR*GX9m}?X@Q9p7e$?=(`ub8pRnjuskK}tZcGNR$X0jd>Wv%Z(CcUtA@q@W zr?KnwC8to`sl}+N8XI)qgw!o9X=ExeB|kJ=1cQj3A_!P)8E``F)|cBbbU}Un-u^kx zhXg)^u@JMY3t@N?EyRi64mpD{dMDu@1OfDs#}N6^78JSMa;4Op*Z%xE7{i}X0jeL- zyF6rdgjy#d@&5b-)gErJ=|PsBG4uFyvVh+uMEk^b>LqyYEgNA-KV~wzD6l*l!WBcL zJC#28*rNEjt5QN)M}+|8sB-?2BaS zvY52cL)Gag$&cki_@gKE zo?H;@1G9|jjal`S^(%r$K~dZ31{1N`m51`PcTKB` z=rWQ>BpQ9>NpIr&6g$UYZofeFfHc*UvqhOTf!Yr#lFYOGO$=m4{y8!X^PNvcRh6(`Su zESq~&jC}_?r<7Bm&Xu&B>z3ezE|vBlSnYB;$rm?;a=BeY+Vc2Q1&RFG>EG3t{Md9J 
z1(?<6(z!S-tD%_BxLk2nzbspkl{bH}Ip zd^r;KCRCw?i^G8dOUw3HfJIqEMys+~&WkOA=$!;6lE*$}YQtENBr@g=Wvu5q(eI`F zrMZAxUz-|%ZJs{Qp#WQ7g6Ezburbk_S4S;W@cfM~cvXjb$c_DKwEyJV2P9`J&YPCG z&koBVH!ngC*#i?Qd?LlZsQrne0zjq+>lxjheehmaSRtyc(H=0uRjLUc9jvYWDvezO zFDtto4vT1&<^ZH;*Lb$(nJr)N8Dx!0Y-y+Rs>7sp?HKX|L%E)qsf`0c>TbfHsKUR9 zPOYHaMlRc03pBwNwy8yt8|D2t%~U-#+sYDU5n(u5A$710S?eTou+CI{g>GwQ%jGCn zc>nE(Ix#yX$Oe?;qOrHodWzLO)*j+rD1ki=V&@E{lnS59R4a>=sIcJ7q z2ax#&T_Tez@q8Hh?Owqpa289P_I~;Bwd0YKXvmE^)6jTfs4ju%0i*Lu=q#C46}&&r z;UQ=vA3YSdZX+zjk%! zf$?uR%y_*~PudLn?HhgMK!(w)pbaSc8(b<6fbm9hb*w;tDlQ2j zfr#t_{s3~GG9Ic560=8V5@@JFC$nCM)R%>6;G6{_cA|hIj=@_dn1^L8wAgl4_v2n@>m88YQVQ_zY>Q;9rg*lWoi9vUcW1ZsC^;er|xq!3*o zrA*ehL3w$Gzu|sjzG(9c{K{r9 z&2PnOu(ARxO@Dc)|Co;Y#RE4|r7rQO!xbCg%@B}w2?HwWSlMm8NI{ zzfu6mYKe$9Two!Bq-cd1`1sdJ%^y|KMi-QeK%y@k6M0lK15ig*Mx?Tp!2JYk0+4p@ zfVg-Km8O<#?gAbYEa+Y?9!F7Gr%%>fd&Io5U>d> zJ91SIOcjuPFWm`^ps>L4E3-#hCON(GE#Sx3q_Dcta90n^*-`z6otrgQ!CWwxw4HG+ z9Z)K-^+K^7U`*es4%SU^n>xQu=3XYLqhQXWK(9go);NS5KI}gddbK7~pEswUN{*Dc zR;bE$iB)tTSz{c*47bKK(f^>t_9~d=p|UKE)LHqjGNN@~n-EAEb}34R9U8L=52yX$8dl0| z7WqUIHk>21gdj(ef}A_m04;$PzfQ5g{pU%vADV{VvlJ@=9v)0WtW%Ap`R=Cl zK`N`E1C}{at=7hkFyK|cv2=S4^uK{xx5g`SI-RhZZ4H#BNL6?ym3gJcZF$Per-P=n z)&ubh`GF7>79iHh9Z8$D1L^fJs-uA--Afehf<_uu`e*uItJCzXo6&CSs9vXT_7;q)I}$2`2z2SANVfBKhkF(E%D`CO>cLS&;cGVnaO_==_*W zxnAARX{rJ3zg>snOZu`-9HLN*wA}9c!UQ`En=U-Agd;xS9sOWaDLL|ohl|4Rc?HLpAP$Nr zgUmnJN$=>BuK?EWK&ezDHpOeu!s#W_cwIuAqq9ZGQR9U}s zem)jr*o5$+W^C|r(*O5gUkk_kfB1UGAj!I@Teoc6wr$(Cx@_BKmTh<0?6U3ZvTd`= zeX8H@#)*p)_s`7SEAnsdm}9PIjHwkLKs)!4DgVoUSCD74BEPg;Tq=rlMZ79b)-Q>i z+K|r7ESV68PMdZgleu!fhOgHsG(-C=8Tdkkbx`j?#XK1xX&XJswrSh+KL0DnV;Sj~ z+jS;F`>z^KYWO{TwZT-Ds9F&XQUe(2LQcJtkwqFilGS8FA-(823)*;sW@alKy5U7$ zE1cEj9DrWbDKSG#eR`n38*Tw(0$ncw1($bhJ%cD~%c(4l6Rvh|^UPrM+SpJm#_-R_ z%gv8CMuusGshXyT+4TI*e8H^I{OtgN8-jd-fDW)ALpCK?1-Ho(9Hmfqo>JUj=;?a4 zHl>gQD3wkrRi;7^M+IV3P+1LS5PxlM|K7LUEhuPf1TM`!xG3GIQ#JP z;0Cj>QEJq=olsZc|4YCT%qL7!4!h=qz>smYw!jXocKIYU!v=hKJ2TsC5%x z%l3WwG>)O#Qlx&5DQ;?UPGV{zY 
z!`NYthAu-B%oV=L8h*`?w=AF>AzdEAAh{`3IM!ssOT%|ex8?u2$MFUz-#E@_b8&dOGIxZ8xQYURCTqrrO_94aUBpr@yV<;BP`80 zvQ-WL6_{_9g?-t(vH@uq?!-_No=OH`5WBofRU}~~?CMs&^h*}~2bvictUPw~@pw=n zTV5Hln;LTf)&^b-AFkKH1YnI8Ooko>%(vSlFdbm=S7b04Gfp3uLhsM*KuI`z3G?B* z1z!Aqe<-KL|F;$WYZYu&cNb|9U+?>H4|#om0G?Q2c@Ly`(@j)B6LBh3N)KkdsL6Ed zQdT?QGm#Uc(gF>t<;cY1>~P)MlHz%f%haPzVR<}}#X)R>j#QbrK_p?Q9Ia(Q07RGi ze{Vnm*T;+Z2d1<5{NdfSzq?+);3*Qij}?bV<=**gLL=!aJfSYdGYzePpzJl@Z2)I+ zxp(X@!Xbod2>u0KG3+(N_yp>@Vz9n%ynHx=iQ@HI5ow}s6b!^w=s2T6pKjN27Pi5+ z1iCCSCMaoj-kHfSFvjvo(Lu>nV2*tpoZfiez}>_%zGK4v(Y>Gff8TC|s4*EgnqhY9Uvg2+|P4Fw;g=nyb1M^34fFQq2JKy^JzR+ZURKe> z_-*kVh|#nG{|n1NYcT5`&VQSTL)3PDxMCfYH)umTb2hdAA3Aa+bybs1B6kk*#OlBUMr= z3Fu(-nFee)$>fI6EFs!~geUSmAJu%4AY4{u9&3sWtM2byv$Qlea=bqX> zja&7J(-uZB%<~86tbA#=F^b8G&{KABNB?Alf&~VB#Ogv2E?`94N!f7)yVMKir!8b+ejOhhDAI-{A{xqvIMky-?Sf*((5VWtN;j zw@1PYOxo>p__Vv0(sAWoRo=@yY*A}l%_>}>QmR==i?Eb3S;#Bvy=At59j_ zJx_US3B&TEZ!ih5hMK|Xn4gwOcV1U|7S~3FnEi&DH1(DOrBGAPUl$cvP;80WkJViu zRT}We+cP9SfSGjN6@~CZUX5AsCbq?GnT1k=tj2z3Y0}EgMaNEOD<@Z~D!Zk_YjAP8 z#`*l1objLqRIl^mIB#p4Rd?pA?~)fXP5T1wc}sW{XYpM<&8Z=Aw2hBOR9vgpu3mM4 zk<~N08JcjX-q#1y6}wx7jX(gBw!6@biy^hOeSZiFJMzoCQnoq*@2mGvULq^hcr$Srw$T80bG1FpOg577 zC{j<^E{tk*Jr6Ar((!m<&49GHgEOi$JKMs?QZFyq=!5Ai&yhu)<>~36Ze*UCG~#A^ zl^SO-N;vepLDpnaEY-@Quh^%UMX#n4YZWAn0hEj#3mp%YL}<#S__j(V1XEs{<9&S< z?q)VSj0?L>{dH#_YDoZJ8eK#|ifUZpld2~4=VC>eqz0VQf|+#MO&U#guxetEg{$6& z%#xa1m2D@N>^16|@&A?YND|g(fKko2mGlGUeDam<4@3yk=Ki9ah@|~MlSUANB6J4b1S@$y z;J)!=CHcv{E}t`tSepp6A7$y^B!1|>Nj%AE#b-r{HPZ=A@JYk!hNo7GZ%Z{DgJ8W2 zFY=1lcCeZ_BAz;Mgg!Py)McBIy#2opeYput+omWtF1ZCF2o+-`{SQNV0B4K|JRwiq zldoO0Mi!=2S?aNlRi3F$4cm&$!%3gz1=q47)~L>y)Jraz2#ZBT?{N}?KjzbMY+zgv zJ|)@O9uGuoTu=>4fr+6YsDRFB-?J;6Ej}nO-Nq7gy(ULL?P$#LKfuOB^Eux{P!jHP zc$UX$Fcrx)!%~vL$*%#F3snBo5Fjx`?~T+xVzQIw>rS>uPt|fMr(Jt>m7&`xi{@X% z!e8sGSu*S;d_~#OD)YUGC2@$iixxXC)-g?ibyi}9(s%>2eP_&h6@Ye?28-#9N&dah z&f^pwLU%tXrKpgtG|~!(jJ}_`I;F`c?Pp@%Ve#L-?UjX{{7@8(3$c*J-Cnzrjj*=L 
z-?*Iyxa}5HWS9Bdk;|xhemft&QV}!%yG2(j!^uyA$>6M;}F0hYurquEWL%nb@IfLe^H0gcioz@#6{AXw9HcO`u}gv z8NMc|l||lebb@rn57TkowNzU#ZyJ*I^ZE$43LC+{v^ul|TQSl8t|rvVeCU?)Cb^gm zrwNFEJxspdy(d2$5XKAmcPWwc6I(-3Qb>^XBD*O!>i@2TTptI#^KhT(i}~i%Zx&L$ zp=0;)H;c~xN@Q7*yVJmzP{HYeTWR!3|{_eqd=n9O_78s-#>gJ5HquI+cFqq*x&m}UItSU@U5+fS2 z3VAbTrt{|c0NN8)`Rv(mn`(I#tP;%hMQq1eyRbLrhwywGIPxVdSZ2XqfPF9LDE(`J z{@=A6P|W4T#6U+-i9CTv39OLy`Q&BY_p}I-9Mu^8jh_y;Dt3Ykui@+{_9;doM)qmr z8Kg9#b$EzSKCLe!J`Vgz0zaK8xtKF`5z39k(#>5LnT>h~^jwGFhEtp;m0vqVKN^GR z={qPkh`%60Q1MvE_(UW9Bc@sKH({M3K~U3xn{MtOYabrdiH-S_54J>K?h1Z~3ZgM& z7gvWs94Bm=c$z0B8w4RVm)jci5WTNCruc7$4FuY^&P@w@N)q2m@*_2LIn-Be0$EWa zm<3B-%VFbcfPLi=nbAeF@f-Z~VvOFz_xZzwEacx2v?&ckt=N7jXeg@zRe0-&RH(G_ z*;|l!JU;f51@&SUJqddzW@7c}e)oi1=}G6e+4u)D{g3yxacU^pKlO19@%8sV%=7#t ziBTsVm7EuskZeRntJ#Nml8EbA;2RkFmigfumXU1W8~nAAY|y~&n!vhrVEkT0Y51an zS=f4X4yxGyl`6Za5tzjpoF6rJOaGN`IYfJq$bHhA@obCL(*XbnSm~#m_yeqmnxGUL zxYUV#tvL9=xaP>+mUxD_DNh9b|5C%5W*DUgmjWsBvV9zw9x5o0^6yi@*J`oLC;RP% zWzwCOooh|vt_@~}+~fTTkgSfpgZX)!%*yUuE^Pm4NHb&HHiyk(v%4+D4?k$cR3YQl zCE7OgXV$8zAgipSzA9}H*~sgsO)PdT*p;*36dz0r?axmshuv)*Hl)euZ$qbP1 zfy991Eo74L0Ii%idK%647g#_7V)^smbL%%nKD&LvhKR^~hok7#^MQPvd;Y1GYPo$( z;TEek@1Rc~;`it>?x(z*D2LSZk3iLGTm|MkzA}v|iXP3%bXJ_4hXHKb?W4u%CP02_ zrQo+Ib6;Fxi!J{}*nbdF<8Jn4m$P9X>s~4@W@c)-?6kv!&y_k@nmZHL#8o65PwZAz z3Lz~!rzQQ4)AvWYYLF0rT#=UAUL;jz+(f!ynGB}WpJ|Z}E~*A;+KVCQ8Y7M3R*M$h zck`zCv+Nq38Y==kHr!JE9T&RQ*lPYxz#5T!tFne2zWmY4O*nQguZUrp-n#Lzp(Ly9|SRHrjgRtR;s< z2uSnMt-96LwQT)qqoF>HY!7zY{ z=>ifm_F34ccWK>5zXt9IDLwOo`Pz6B)!+&WsuOchF*wyGF7F>|LJKKhB~y7f^a(*- z5r#ZNWzWPO=>vLzk7e1LH{c70WxP(9ur`(@@8H+G$g9H2Zl;X3pK(fg58T^da2o4Y zGc$%6=Kn;okjYNw8$!RzxTD3O8Va%&hcQ8=4_S5vqMr+a6$vzd(jaB@9Q(;ZIggV( zcB2$KWc5>48JPhP5A+w#Z+OAXHt*zN68kpa0)9tiV^s8SVr5|`$QOQm!Yeo<(r>r0 zZo`)wkkARE?EAMvp#l5wr+cs5TXe$TE5n^d3MW_@W7Drp z%+4q?1nxoQnNW8!=eMjs8L^Nw?5@eCD;wHaeWkPao$>-uTN-74p?82qFiJt&I5TiJ z%W0Ee6tvv=)+wQG%njku2o0g|MAc1v1eNRHv$-)O)^avjY`Y4t-;X<|%82Ju69Xm< z^b3VS6lUOl^DZ}lJc?uZC5rzroyXLcS+XC?Tg22}h4o7u_D09lE+V4wB>{|IDEYCI 
zD@68Wp=2VwSp#~ql75Zv)fUv1VrdQ&Z~u2vR9C8ZRz;1woCn{T)%Y@RM&i*Jxf>Ez z3fQf@q(5YyWoGJTe#}%@K?-YpC*)%f>n^$^OA6W@_M2(KNKg3I<6u;4E{J{W`sU~! znc(8(9n6}cD0TJ}%P;Pnhcq1}3^csxxw6j>+kZU?Zl;}-gk4DjFpB8;)gD+4vKmgY z3W*Yn*?G617se{s1>j0iGdgr-kZ)7+(2_@;cwLKmGvUwt1K=T9*nha9OOwLr?-Nw6 z?I38@?3bF_X$a7Ex^kCHyRRb_Fq!*u73fHN%a zGp)Z8!D&s`ZiI3D<0U~iD(oqW*Tl0DUxyNCcv=`@^apHpX@tEAXdo(xhLt%-Ri~{C z?K)~;VYdR4!P;}Hs8346tB`nK{iW|zz>5orf`nl5ET#Oi;F z+SxjMY?zKB-6Ebccd1s&Y(v#J@m*Jc8fHwve7X1rPtUI|;swRrnD~sjp4frzr0|I!spQvS&BUjU3+`kO(Vd`+ z6%~PSdo`psPPN}VXn;?Qu)gRldUIgMNAyn!`lkP|^oYxT(`F1m;Y1k^z!hLw)*#lU z^-QYGq|dLs5cQ+=7wTPsiLGP#W22O(!&V_4udsu%NZn;U{-65q{ftn@(a^7dQ)mW$ z0q<-04>lFtBXvA-0!)eBBE*w5#*okzv3f>8(pnwp3DjC*5V)yDdgW6;_Vj3=p>}EW zJh+L3X|r02yz+{?K2w9_mp#H#f}$OSekgYSHu+&Y8ddWWadORHZB2P_8jL1OZY*61 zi^9n0Zmo7@(xB;jh1!mN=`%H`G40EZQ*ul-R{0=M(?DjT9ud1Ikf z|4wZyeD@N^9+`Px>sj>K=?+SE%}<{!N*fBA6}fSyuN{OI0iTD|mP8G_dpzGDdOQ$m zTZ@sj2URjf2TO}ho1+hcQW~XSK6EN_>^A#D9V<4^&e%-zBW3B6K8m~3M;{iA0o8zM z5UIWpn|hH*tv)GiQ$$t^wo@wvU3C=+Lzi&>N^8^dDI^}(R!>u7#5c7Btr+}pqhVi$ z!+J^vl9DFb-B02%qHxD!GM46t*>Wi~R3+mINGA)BLfB*}ViV?O?#Jg_@y*V3rH+;O z+#A+yN}8P3_~A|?)XTZNIj}gzLAz}xSSYzFeWYTr%b$^h zHm|SNN#e?i1v4m8fn4s|`?q3Wu}Q2gGL+C+xYj{xwG#DU={S3Pifj3?ANp1kWjLid zC`{E;W87|KsE^)kl+y0(<@VPkBE0Kiq&rS$COF~R)bF9pIN)v;={)GVhFp7Ttbb9E z?k&>CVWTKhuPG1?=PEeOL_Agug_mpuL93W*NZy6Ls}QL0^sc{U2`h z)R6mM6zD1s0?|&VJ_5cjdO`P|a|oZjMpRlosC6-zBDV`bvyofn)^X&+rQqoneZe}_ zFb@ZyZC=x!*pdyE9YpgfpXu>NG8W+_3$XD{UOm*>3yQ!c`p9)L^W$fJ70*N_nV#s@ z(rX8u#ZFnuCY4?weu2jAO79|u+2C7GeR)ste@=BKORNDQf`N)Dh10{14-3t3eW|&i z7yGQIed0akfj#Wxyp@iAzZd5L4u2@z0!>QISwpsZ%mz|IK@Cm{a&0Ru5AMdW2bukF znCwVc7=Hjx+#fF z{AvqE#k}PTB)ME@%vUI#WojCX0tj%AR5QYgX)#c_syo|P(w-t(0Ifq1zSu%Q!<;Z- z;Ff%Wg?B(Whz0+OQk%Qz0q`;^B2!|eQLW)@hauOa10Qa$7^=4dn>L}{-Ah@%}8Z1A=h;qy3Qd4Mr@**V87EUWqZWm^&!b(tWB^RH zD<>~_GduSmIe>a|OT?T9Q#4CpjLK*}D5z#}MXw4t6{H$FTS5%33N(37bDQdLWRIn)l6P&srNZ6T^oU~k6Ua)B^O$#3bJ{E8j;szI3F zUfo@(azNLu$TM_xhd8H5W~9>cu#*duU@>w~Hrkq_M;yWTbDmcoJLP3t%mmBu`Gc6D 
zQtKvAnEdTyf+oE5^{36m<}KOTkqsB2TAX~M?qbv)uQ9Fp?BtK zA24FHPGgC1YfhU_wqCYkg#vyQ8DicR0^Ir^+2yI~Z}&oYkM4>$B0Ep>V+gUAbN@=Y zPG?~vKF-=5O(OnzdoE$?trK>j1jrUK)Hp5*{9+_(Q4mfdbV(2nPI=-lc^uh#aLa;l z2y4fg6(M-|?{uZU@LCA#E|h|BlA%%47t?j9EYZ~Ee8do9xzxf+VNxbGkb@Rtrc*jC zgmLJN0E{#0-DsMhjGdE%_Zi)mOB@m0SuKM8k}iCYke5H=l~tpMtc9YPmLcG?II-JR z7t;1X!FUGQ8bOKefAO@IgN-czgm$}u zJuw=^A8=;#LOYETER(O+D2YN(>c~;n$l7ihv5gw`r2E#Aqx6;Ma{nVGsWdNIN=`*G zTY~=2QnKRapOi!czRgEM_-AMVH*0T7I2v*hEe)(l&Xf10v?Qh0ya2e<&Tk_$mu+p-t*^pi$It+BxScprYDzkitP!c5=5Cx>4{D4TJBZr z#ph~wn;lyY9=|5_D)#A+5c9$23!gZ%wbm93&4z3*U=!X2B!U>dJwsuGeD(wGkD7j;g z6}Uhl=4Qx@btx_Jx$D1Arv(T{#*0YRTm7xcG0QrGDSBZbB(>hwjGHn^X*DL2ayz3! zY{szdZ`^p^|Bb>qw_4Y%m+hK*5mC2W)|dS|ckDUz8+g;rAR68rC^*Nus}3D)Ie6LD z*~{jw5T;re2r_CEs>}#h6((&v-D~{kE#@7XN|XHCVD7Z@!giB9BKhFoby;%*EWW1M6uNtr}6^2GX`VT;C<- zuSHqoOpx?P`v8#+;e6>uUq@*}nuQYXo&YXY`nV4`U|ZXp?`bZ~&u!D`ly;xpW>sUpkeMEr2oKim*z6=~eFTl;Ud|H|k zYZ6-${bb@JtVW9a+jy*WSbV_IEC$L!%TkR8R`Z9G8-coTA&E^)C6T)4!NB}0B9S6Q zlK>_Gf5Zg&_Lx(^6XfGb_7?L-AZ35HlGfguiN|^&ofMo4SOYb0LpsUDCnsRkNs5re z7ub-inF95K*}$N>wJtx7ksp#KihKhY0RSUj`UF(6CCm%w>=0W(a)NJr)4w%Ew2D3_ zW{TW#@)z`(2n=?fNAILK&>02KC!|l+hHcnK!{}RBxq$|lxMGQ20`Q{DQj(KZ)Wc)o zTN2cSrD&*T_^@jqK#o)S?@qn-^;3*!rEIaQZc1(-R}WFMYiWt`$P9`Ci792b6y*u2 zuDG0%+Sg&{298}Dr_B3VP^;Se-8d>RZ4@&0Lo~6@-B-g)k;YIbdJvOY5Tq$$U9B^6 zGUFClem+(f39B2FnrU>wj^mXJr$gWM2Y^2e~xN=YhRzQsxF z=JmkQvp^fdzlB1@L~B7EPgku3^;unY(>nVQv5ERE{?&#jgqqvHcF5$du5lb|Q?ST4 zv7~m#v0n4{%^?(C@g7Bjt^%2w`>kqpEMnQh6?VHC{$<+wrQf|exoI%DiF7omMGy*g z$dwg(M7l!5jIdN8F+K8iM}|anY)tIbsd-UJ+u9RnNk+J!@{l!)x*f)%3o{8$U$U4y z{3A!%R0Bku$9YwnlTWzH>v%C!nKZk`cAnngq?Sn>E%}^7NE%(YElFf9*~-&d4O5#Y z!7Kget4g}1SP*T*Ik=h0wz!E}Fj||{6eIc%Pfk)qcUG>Rai8HDxDw$BYyA@Pd+XgsXBHN^Le=_AH;C9Y?2z9$|W1=Nr!e)<&X0L zL7SdS~AQ&$3`zP1~S z+F`LX6`HWfVbg757a~%o_#v3c!)l3V%k z13y;TVOmAG%DOGUGk`G+_qX1+>KXQk{-jvvQi=;VY!=pxr!1kC^nKe*621u)UA?w8 zVpEoPz6JX(%Eb`uS4FjelN2A;$3mtBTzCp5Sqj$UomCY8a|MPUCqm0q|DDRs?DA#< z^#Lf4nIW0~pZFbAg}C7q!H4;(H^|4okAz<_@p$}oEG$D?qTWiEy1?CTQ~bC;K0b?m 
z^^U?_;zTdUb}`QYr+t$C=(hv-Cfg+FFe69W`@NVzN|>2->bnzDK?UAyY6Xj)o7wVP zbNZ}xxf*e9O~cW=$ryC?Si;)PdLJxcJeJD+jG`_3t62$}UYjzLPlKIWaJ1luum!hj z9eM;4ob~Nh?4w*@m+IN9Kcc)J>hQj|Y1XkCF-A2q3BKz`vr_Ek2 z!Okm4Ueh*E8&RP$1wZX}6`Fp~i~`!w+PyV5pmm#`o4cu68w=oGOgUL#paR4(K|AqO z4t>XWUupi#R}$%|ba81=@|^wR2zk+rbC!Nt)yJ4P;=6v!lGA^82XlUeC(&DFP7+7= zFv|4)Y4iQZ?k%h>6Xk==H9s7AI>S4R#Da{5(`$d$c({8eL1sYvUWi1&SSZ{~ht)__ zgFISqqjmUGGr=|59Dd5iC4^ zZn)!k2|r5LJBAF0dg!EmezGA%Fc_*76DqV7WGPQIZ`7^@i5LcvBGcOSH`^)4YmId& z!OX2JqQb=3Mo6j$U)MVj`ixRI9X%L;x4CYn+_^IyvR>~-Sr816A?fthEx4oBBE29q zw@%%&X2mo>F-ja(CVve?X@N$QW*KGv;f#XWM~(MXs~D%?afVLxi<088Vu(6YSD%rl z)gv-Dfw+e~bYKn%2EH)z9|SK-^$&s_FrP+ijzhe`>Yis^?l&4sU(d`YQ;0aHlh z7xK)3kB!`9&}@d@?#8Le7obL%$$~O|ps9d($NjbO3qv1|mM+q_8ZG_)`4l2FEIR=~ z2b`AYSe7}>>vX$M!~I-=5-X75)6RXb{OY>s1KI9!%tP<(h2J|>218an?NX)8_;eSD z3!Q(WH-GrEJ4ZF0qy(e-SO&8i?7Rw(h-MLeuEgI)7hG~!(bJYwX>&2v00LVCX7YFR z?m)C*zu5)%yoy&@m#t>gEIG|5)8jiWYSNop8v`}*+7Xh@2`+$678Y7J_uN$L9`0PV zz-+1fhkaed5%M*kZ;Qq;cPm-&DcXzEC_Bk>9ahr}G!?_gVBr92%*$Fw_YKiDaD_l=13qp=fcp_!&EH{%usT%GHf1TnuF z9nZIchrwx`!LR#lLqO|lclV$zV6YNA{2xs92wdX!diwHzqt1OkC=rhLPjp{FB=-hz zosLly;a>^N#aU3zzuj~=U9^idT2GNil$|lj;=yi9`|MTGsct{!A$T zBapr1W@3k6$7dQ`@g+R4Vgik zjG-i+DtwVVKcF&AGb9{ZA75>SH`Og;%;48U%pdwT>)PMVt5oYUAwMN1tJ&9m+`o65 zdU*a#GXw3Bu%n=i1aCbww54NB!Po0~aX8)u;g=ig-CVzh7w$a*Aa{6gq8h0TjOx)qq;$%*FcxvX-xLIB2ErSs_8~7rLe5oew+n zkGjOuHgG98yJ9^FZl)~{CN z`_mV&1^##TuJWxvpl^-n7IrCE{myyy3N!fxlR%mj-NMl!6uq(P zK>PHF0vB804NCg%cIa&C)H|s<&+Wj+VP8ONkl4&^5B`P!VU`%#6nj!xKKK=nnI5j~Ei{dzuB0n1Ao3|DH8`N2!Lu<|IscF^na- zKGLpxMzO_>Ez?9R=@#4&Wdhcf7tg(;K@puE)3`qP(eG5c%w44%hcM zRlDWribKO@ffx>y8C=ZgTNS+?uhEh;XSF9YpR(h$o5Oi_RLr)(4< zEm4OW{IibZk)D#f_6SIp1zdbRT#Ylmkgud@dPE#O+&-#a_kaW*!9OpTF1Wr7%Q{5p zGE0^@T3t|`_?p`yW*sPI(){> zS4|C^10CCnpzG^=?In(Rb?IZ!;M(B-Z8B^wl@?2NOn17Jc3Y!^fGgJ5#HfFG%xeGF z6cU-|$c;A8&nrZsmp@Bq;93e5j7YiflW|!(GCbaxn;0dSE=u`QK@~rShNrO5Rk9C> z(#){G?uE9N)E3tzZ&6p#C4Y#GS*NL}Nm{3Q z#i>p@eNA|!Hcsmrd^wY)8H!%RtPQIU@xM(83@gGipBalW#bULtUsTKeL`*3%oW|hs 
zz1BOUnFcB1h{Ov<@;V`Taj%-(6jP)sfq~!LA$|sT>25ai>&I6uc@A4IK=EtPkWWty z=M}A78N!oT({N8y3y9**tvXhGNX<~?r;)k0hN6v(1DrzJi%&iSq}-)98A)FAhWJT? zKW^|4%tetFgTPxCUq$%IOBZv}6pw1EeFvCIyJ#*|mFagPr>w`Z*9=g-0O#S2E|`k^ zztf2m->6y{Y??*En?qW`W`2R0`@{{OYnmucx?B}*aR}sZj5HG9a5LjwHE{5`vf&vx zF1c`P$T%@}4QPB)Z!Avv;aW8R%AB8Q)L1u^aEMI3VD)KD871rC1g7JqZbj6By&P%XK9G`;{f;W!@> z>K%+UXh_xV5Xrzv!jJz|gpc<%?6;X!y(@3vbXuHuH~CIR2{Hw9!)*PHx~Gi5y`qF&@nqT4FD z1Jo}XVx>M>Y#6n)@fSs{*^bWGteN;>Is1*BWiP4Z=2Q&kA4|~Yx$3ZEy+W_p{$V&v zbvQjeaOdRjG){7xZXl(ye_F96`Ts=q1;AXYX7^ss`Tu%pS@!yy@ zAYD&I@!uS`Yt2)B!{Ep=mDu3ErM4C}AuJXmivOk?C#$}o^AAo-GH?wlyKtRJUDZPP z{yBo-!EkdK&r6?w++2h@9VfLy*A=;ry&C7nFdb(qP6M3}cBTFbQ|k=0Tov{*BnSa# zzv-%bDY^00&y*|-A4rS?W~n391S|2%UT23H;K;Q+I`U@3#9ih-j$pDYEfecB^XY9iZ;>}sr7R_?w^Vkwg1r5~C6RlehE{U-S5Ma`zBe4PGlE|IZfxFNTXN;K= zSdR3u?q?8A{=2QQIb5SD#s*w31J8_k;oJ0O?nR-$zgIRv}5KYs)-kb zeyV&0&^zK8FS!yftp$H=fz@fSyi@o+SVuWGm1W#-DG=(3E#3`p3aq|kX&wqfMxH~u zORd;1zw>rnvwUXqngWz=9JR~nL?b_)SYL&&ugN1!n$`*%ZdOBr+zeZ@IO;>1JPe=z z@Wg4?@%ojmxnA~c)r}#j7_7WY)O%Lc6p0PI0TVPEb)$hHZI>(twxL3qr8 z<4iw`+`3XP6;Lo_)YPVUY#n$e4}aZ4blGXBTf}vc%59-G;>b|1%OxZlPBpc=whcrs z-)WiFP-EVQD`QdjGmBDan$lQMPi^ZIWc@mQ)tVQ5ZQ@JnW_dzo@FAQS!%khvO) zwj0niI8Gs`B}V19C(aE>9$!e6gBd-_RLKk3Zgu{9yjuOa%*@fgb52L@gJqUPD z6MBaQ;xZK*W1h4?(6a&j+UR-6ajFz;TM3LP^m`k+Yi}P zs!`P6w&rWSI~=PMMn!K6Ow4Wg0N|nV6HH&y!@3!Yy!f2qo#^}zdU)ayhTU*pAmg&!kYwIacAr&RT{LozB#XLcl{kz78=Ln! 
z5VZFzzC_<_3jKFtSaQAu-)LV^OyR5sj_Bg(Chh&=VoyW_eqxLk`tA-T*B&U2whw8U zS7y6vzM#httvL_$XxrgWW|djY)FaS}=n9^LG}ifhyGm`=+f>|QRy<&aNf5u3YqAu% zJE|MRPh2!v2#k)OeN`xFYJT%6^^Dl2r(1W1E?ntByw`9=m!zhL9S9yw=L_wA7a}S& z<~VKlv60c$Ci9cn%q&Raaelcd_6mSEORi&$`ItWIt%N5pPK>B}iL2u|llpz*2SSfj zY*QAVqt7?f#}-DS!EgetQ4?mmA}hAd?IAaFB1OIdYar(Wzl+$-U3i^8-`04rrt!Xs zrd<_iTg~lPNTY$~JDBO(@(s0f4)HB%XQP_j-C;}_fTJ5Rq#IlrNXlb57lST&(iULp z)rwkuqz6i6H|#ZMH}=84ptxaN))I*xw$w9WInv}b02b^m_$MWWY-Mjukv;kE+R!}; z?nipbH6a*7phh$hY6TJ;9~V3|vd&_mSjp~-^#R`i z_a2wUqhlYtdd}v41Ki7&f92miGvw17=d$Go%=bL=Lj`INw>KK(zC(q#`1^`ES6PfA z*j=J9S9xk;VXK9Xss56H5!Ue{?dh!|s2kgkBB{G*3gPxp^==^`EsIi&#>1 zXa@~6NyTH&-%&LiRFVT_AGuR6>uu>G*k znHW|>`eSHV(Ac5A$$eWOTo5{DBO~94g5Ky4TJ?>we1bxH;ic1p#z_@Ij91K>CD_~F zM-FI(w)1b`6h=Or=~VI$SCL0MktOfY~?B zHUBb`5zO}7p?hc6W(p8K^+Mn*p(*JEh-O;e?ZXQzd!A}9O;|8h7ZbexP)eJ4EXqQR z_jA}!(BeTUt5VB7a7w6#$}7U2C%$(}dKWB4&S(_SwAl5|T;z9kx&Tse!J@hzDwMQn zh!l_O^dP7|C9d`(0Nw7D3b~mm`GZ#x73J|0RFX55u}*;sGaS3_Wk;r+g;0DZkniWeiy5>YC~3zpqU? zxlTXUILXGGDyR+!-QPufwr9}xcB%k48)%~Eps-vg4g@0KVZ6hJ>`%?cxe#amGCBmL zEZd&De0m&XqbS;eBP3>?4Bz6T|3$jw&6-%5-YGxD>BENC=pH}V4FBCiGe4)`&-?y3 z_LMz$B6W+#N@0&gh5B{#X5!yPN7kn)+))A^Ql;RlvAg^)KgU&9CT7iyc*8r2YDHOT zBjd^ziur+1813y?{sWo5&ydImiH1)K_<*57yRAwHCdHNO1sX*W*$iSK=TV;pc6Aw4 z1UzewJB60WwX>{bU!%C_AoN$dp#-NEAjsryu9}TZWAZgZ~l3(>fx;p(=172K@WO~gLpSU zSNY_6+BQ;mw-}6Z-E%WYG)r6^HzQ5Qgkfe(xW>FS`>?A-FBGtGpOku=t?7kXr{P{K z6TR@JliH(EQm1}qqdv>pPy0i3|G#WveeMssmCDKjmXc>%?)oXT0wWDj18%aW3x(1t zX=bSsR2wjm!O(qVWiVc|Rcghjr&cUE)f)Rs4bIT>YcsbY9E8t^KqFHA@FCZ(zEXqm z3eAAY4r_yMy2b!O%ITW`8`K zPFz|Uy9hEE(Dkv|;`Z>di7t3yz+LBpBXiLIcOLo1;du8!3A>+aP%RAWOzadCCBD~0 zp+z|oO~q6xNf!=F5|7Iwp*c`Dylid$J}b+E9&|*l@qvB@wn^`_bn}Qv;8@~{InJ$$^El4Cmn6DR<`QlGegE&k zs(3pK`w2tvO72hrBQdLfu6)sd6v@{~*gjQr>f3Rj2mXlOl_(=}?P)iL?Jfgc(5dL8wGsx>$Is-6cU#;m%@3sTk3%O*(T zbW%5rW-k4g!P!v_O}Utvg;w0D29n)qM=O#>gG^JN3=@2@z+^BqZ%z%C2J@)r%jk_D zK53~X9K9>6QtT=Wl9L=FYTPDucp3g3)=xbNmTzMWG%V{oM&%zn|8UanF@hO9H49nG 
zXu$?yrVNFbepiU8$)2y&J`u2YYakRwM;q=hQ0{gxboKzD|NPmj5%_PZS3}*NUOy9DT43js|o@K95tW9tq=b>S^?w zdV-3D-BMd31(_&CA97cAvmI5~D%8d1eH4zOSIjh-9G<<>hJ^QVm}9~py~?O*U0|m7 znPb6~|JAhO@CVnY#;=tCt%4ja6(k4a+_<>f!{D|*=nFe+GZ7X0E^?Q4k?IkioddXR9G_hXdo`}Bc=jx`RB;Oki;Xtg z)2pO9QEo=Im{XT1K3QDyJAD^TgR1!eoLL1ONr$Q0b$o3u$ZXPVymo7-kX__Ow{zK{ zW!l?SNeq@GfCp9MVAD(fdlyOBZ5+p@sjk@7Eb-*R4NnE$2z5cSq$w7?7*dN{@GSmP)JYya ziZGNlNB0da(b5VU(?!;7e^)2oJYw$u!`Is8_r54!FWSH?k(8V?W&B|^Uh^;SUdA4Rh z{HD%AiW$o{0O;h(+|v#t(YCwf36{IxCjP3FIB6UQZ|vq7NM7lz%=(Yk3SQ|>`vUE6 z?4?~YWw!BW>jnQo+3l`_|An$m>jlW9dP)v&bS@$pKDzcgNES4(C2qcRg&8s2goExx z8Ua)(<_l`rTH>84t2N#bf*F%ir(DvcbYrFtw9s;;fXb~T?*A&4VqT~Zm!}Y9h;5B# zS+Yk%_T2}~|CZJ61h@=ED?T6zMO)3fh-^_J{#Fp5mOb9;Pm0gBI@5R-@HNWvI+nek z?`6QXKXCl1J7{(A`(rTnrnzorI9%$iCM3bs~N|P3?CcAYqpX@nm9=qmJy%dK#B;>>;-j z<^HChA-{(V6j;LMrZ^$B;+gvpoA770@ zi0@&;6Q72@c{>Hm5e4d+Oa!8S*Y)^_y-nR0xAWN!ljJm@X`7)Xj{LGnSVaCe!tFQ5 zHjVoVv-z)@dWJz3<0keZF@|+Dcb1rOqY-(FdaX9*R3o7dmVe+m3w=XDz&)9^wYoJf zy|U$&ycy2#=EC#%V1nqz-ebTw0Ef=ZtR@EnR+RZbxv1Cgzt^(Y4~MSBphoW_hDr%= zCHa{GzSqR1>}f(_XnM3^g!*k#^qFh!Z5FXiODurqZFUziS!5{KUy+%MU8qzeO0E^? z64dmA%UBwIaG9xD^#b7KJzzBp2Us|wkKXt)($&^@i z_N75jJ7i14YZMwM*Kc$paL-eWpv=-UHQZ`5f;WERNIfleX?ig! 
z;$(;8s22rHAz-8nF1GzWImp8g78!nvtc*te-X)#tqec6&#+VZvs4@JMX8Mxz zyg^GdI6=Guw;lI-e7J|B_3iw_jh?_wGUkABm|xi=j3w>xq1t?F28mQ{S9-P4@bYG7 z+lBTq3pcwij>t^b35@YV}6L+C=dKl}AR z&@Y{bzhY+@Wyu){N$LnGn3zE|Y2xxL>})B=sH)mj`y=MD|2kTwvGgH&jK(s3zA0I8C<31kDa(GjU z;oU$4Sbi2qu35!JCaeh;KXlNrxHN_ZSLt(h4Bf7BFs^Eil$6zREnb|JCx$k~y zL}c|)dMUTN&}kSs3m%ElO{vu>Osp&8)LzKKk82L+-0F&M^*G)}VEp3$Mkj#Nr@vX1 zC-3Ltqeqtel4_RvNg4rCmy9I-%Lukh6Xbdtko^Y~A^GXRo~O|MSh)`lMMWTI4q!{B zv*Q8okO@xf;Pd2+Sxb0hA%>;+oxy%v1|EO>^N-UY9!($Y8WuT~29~3%Tny#x+}VhB zd1nDKPx_t>rSn~O(aBf%-c1YcCq@!=I1vVyARZ?aH1SgzR+NuBwLfl05RUfS zC?It(e#|L{3D^Oe4%^gW6zSTrq^Dw!`@dZE$NzHG2g(e^W09~E0z3Hw_X8mJusdJN z#Dgv>&&i^am}-NfGAtDdD1ZNkW!$$7xDlF$F5?U+E`&)V{Yh6}d37w4n;+wJ!b@1` zO?>_QZho#@x5t%8`+m;w3dVE!8^1wc{?vd4g>|C1!5t>no$YRr^VY-rh)LTBtH96hd#Fd;~@?EpD zia#+)MG%I5qaRhR)1&EfBZRl(n|AqE^k#~X-+@5>I<~%@?JmRX&24*iV|#sdqws5g z(^^#=)f!vyS_CnkG@`TNFowq}X~nyaWoyIxVP*BMqqhG1lE>l6)fI_F=sEjE)6ll# zv4m7=$Ba+fWJjbKHz;@#BKn!&eI2kLdv69l^b8v3;GuKWES+o~S%*Y()-{H_%cX z$hNpGGRYkAQ&>`8k3#WvqM$>jh=9~dq2m2{G7?fr4C;*CZ;8(jZJ+Ot=(2I3;$9J~ zfR`rVk`4sGQJaoK>5~*EAHUsdRr~ZGE+=5 zVl0r8bQB{opVfE$lPh6ITEB$M!%DY=`2vCa1%C;`bfMz~m0jU3_|q;7Ei-|s`R$vO zU|JT0$JvA@FQR5>sQ*2HA+iN)CnyL(HlRvyMf=--8SYXT2>kC=cA|t#=ocZLDmoEg zWA|nb{~moks5gY-RZJerf}WOVx@(!%Kk(d^8jkAe&?E=(BP?~PMY+>G_4pb98L}U)Y&<&@1y7JEB9mwDS+2Bp zjx?`b=g@~*hK$-pr>`#zzK0=L$uC-1cyl07d>Q!3^2XwoH#s6N#|O3xRI6NKhi-G= zzNSlhI!AJ-bX)1R7{5?02{=!{UW6`aJBFq4@2$7aB4xyetEl77qIq+tNA@A?cLW&_ zcCBk5`PTc5#J~|D{_ltpOAar5VjJ(AEy6I-ebrO3aH+K#KSocT7Eeyh-#?7HDw z-2U>wX3Q1UZ}Yu_BGQZx2{RFs!tZeziXOmo#c2uod z2#%AeN}6Em+Fv%Xt1Vt^Q}_unj6}A9R02x$;|Q_DWgWnWk?>4gf8bq2;Bgk*my5wX+8)geQTOAGr?bj6Dz5U_z| z0@bEz%`Dm0;H_}jj|zziZ{Y08fYOu)VT4j;=;Vv^71s$86&Un|NO@@#1pEyg0uE%7 ztbDCKOO_j?vN1gXl1Ca4!%jFj3W^Gubp-F!NEYaDTcE^6h>fwAeArwqiRobSEGE%P z`xoFrDdB2!@|r(EV+u72QOc94wI6}RY?t_$mqPy8M*KTph&!74rU^*dA6m> zYD2XaLSjs?*bL@nf$B`?NE9ka+@}cCqU-ID<+`sGrk#w+q<@(G4ICc+YK7+!=u{n} z(oDJR_Qnxl|+_|dN+S1ieRCQ6I3ll0cm-Zp3!P>HL?X4$;wo9kLgnPoek 
zxP^{SyueZ4yyR?r?Z}`TyLGH(Lh`_O?2+w=sH1S^H3i-|-TLDcY7x42v?)dHsE=mv zebto#v>7VFX$h6zC&QmInR)D;`i0bN&0PPJD|bj!n2RAmli%AiR!<4xVCITz2^qCD z#;}zlne(ykAX1jCUX_4Xu7UaMLv9mO4?V$Cn*U z5WD~yX!0h8B{&-;BO4-H?sEmF)8yL)aR6sH)!JHy4ZOJq3n| zPACm73$62Ok_mE}*ucT>6aQPH+^wCB9kvoGNPIKc&6HrwbA`RV{-+u%Sq%fMjU(WTnKR^aKqKvjND^xS zzmNK-##Y}gY%;KYMcN+PFsT}|J#xR#ducAY>Wp(mX6Ok)j8CKgEvCl58xPDa0lQ*1 zc32dQ3m0MaI#>h@-)v-iuhB%XBEX5Z=I3`Dngy=t{0YckK@@L>zaH7AY;?DLXt4%b zZk&~^<}k$^Rt)+a={5beDi7guEjzciAn`tvbJ8BHl{fzBw0s79JX@`>{2@Wf0)8o8 zRb1wnG0$qQ2hfOju-#0vue;|ENH&Ie8Lead0~Up{OSsW+zpEf+F;|ePv=uZUuX)%R zt`G`La@_x>W(0jXU7bWX^2yCWx(m0H>sA%aIv92z)73p6d$KpO?Nh`L3^j{%(8fna$3BcXaZOvT=>OoSxNv z{@q53QZ1RYe@Szz;J}nEWsX0sbqwA14b*gqNK+03Y!A>?efT>fL;1mE-vbIbIO};Y zgH(OqIXe^zYQrthPjMBK(sY&*8P-0vE;!U;RKGlPPq-J`?4&3}X2IHLQy6eE@6mQ< zWxpnXFgM_};SO|-8XBNF%WtJ;j%T*04|LTlIMN_2vP9MalkBqS1_3R%7=l_OlYEC& zCrc{=dp z+)X`DEFKZ0Y(2Fjqky%FE0tDMgk?FsJM$4o;v+Y%OS3poa4idU9!A=>2s2FszHJAr z`oU{mk;P_=K8jG3m4Y3_^1pNbEiAVe&|0-6M#q93b9giWTzxe)b8NYIX7ky*5WfD! 
zTgJWSvfJ~j@MrFD|YxBQvePZ{ss50So#0!}zJh z-a-F3GkU^pIN%V|;j>zzn>aYKd0d({#oDK?lCHV)Z@;SUR~$K9vtGV1n1saG-Lm0f zKkZt8j8~HUZ)#HY0PE|kIK9j_ZkSE}o3m305KnniPg(D7^UfT@P7%1Eb6ubSF~XJd z)TVIH5rWlZaCNQ`vwDXVBBw4XCTR>YWKz79!~+1SXujL`V%3?f#Z}cpTX9cs~ckUJX95^L1ZkbW<1%fbB;bR1gNPb*EH3 zUx)&sFtlS5n0#1%`EtwCKVfn5Z~`T$@&pKXST;=;L>c1zh1+s35MuR(Bb7O~W~6(H zc<1)6(kqh4fEVR6PuN$MeJ`n&1%o=UphsxMLuFWzGRbI7w-|r*tM*%G*dsvOC;nlKL^`9|<}7vS9T_utbYt6^e)Mr28m>T?yB zk4~DN@cv3#o@Ex0Cmlt?!bn4TMm#5)*L8IfQ&%2K$z{0QlaQ5qVn@_U-?=NK5amxP zR?r6(q{f8h@8I31gYYZpl^chZUI^Ck5W}P|}eqjk+%hjBq;@E6%bY zs??n`z>ZWND0X*xUo<~MHguNbJ$t!M|1xc2@RQ)U=drK{dT)L z3y9y0-n`mGBhIU|EIx}9s$(g#3a{w&LS6q4`Sc7RDD_??2a<7)X=lp&vif7!Kd}hW z9*TO$co`CaqW0VORb+_?q~xh0efZfV&K%AdERCUyA9F^%QiZKV3bce^g!TiUZVOFQ zPPg`^(?)$evDqs^uJ7r6QzBf@PK9ux^mNJE@J<+3Sz641;j#7%ofJliYv}o|@r@Zk zI@u`>%h)%B^D!Zc&XS;~fJZRiN?C7+=I^KK$ ziQko+)j zkkFB!(YUL-e?pV1kU*Gr460oWpEEu3ef~tt-ZCn5<5M>e%4|Wu%uAFHY4qR|;Sv)< z5HkzPED40|MOSw?M3UYz`Wuf83rrZQ(jyne6yX!(@GUl7ZHw$}@swW&ciaEK@hP-W zDeb5&_Dm@AkajMZYkZ=fZ(-FR#`)sfy?y|Z8bZG&P9 zZ~Um@A-2?Y`9*8qo4fV~MT%?Zb?}ZkaNoiLxP*IJ3AhWu6q9N${gi2_~F> z(?wpK_1NfZTTF>|ZY?9{EyX=U<2JF#m}AzdV{33HPJ)p4j3DfS?kI@#g%}c&Qx+&U z2lacIYV!xd3w*}FlUo#-BKdiGaTOUiYJdU16h?Xs&=7CGs8QdKYP%T>@A;C`Is{j0)vr&-dKJ_i1 zPf3>kEPi$gtcSQ9{k1x6g*%H8F2)gN*?Td)ROHkOdRf}?Jo&mY=B-4mM67yOaeA0A z9YBHnPAmtbBa5IDM#6s|W0$EaJ6F+p5&CZ<@QD~>KD7x1;uo**xi?d)Lab5qE*I{N)Dax1y{tWH zad5mf^e)^>#<8vL8I&ko!RQ@?15Xuidcn|1cSUMzmhGINZ+lwB>wza1In_bGl#?>? 
zdH&+^Kid(kmG1SS{(hTvuv;#4;xrMW#=?}2HY1V_E zB5W=g4Z@}-YE6J3SfVvc`GHC`^#JhL3)fkWC$zDr#fb%)_ixjpqomYUb*+B@!oTnUP8#WX z1pudbkl&&4m9j`MZE!uP7Yqq^y?6WW@o}$P2Zb&bET!E3_~n$(3QC7QpM_hTH6U(z z7X7=+_}fOj{wkq(Bj9@pUQ_|0A@U7Dyhw@#p|SAszQ4?hSAcx$toYc<4YD2Nww{!Wn(!>SN2sT#8ik`LGyA1NSAJ2wl0t<#99n73U`pw%sS$6E7dt zcEJmgE5nDEr$cM_w?&_AwcfeWs8b7+1cX9wUwX-KX}ZDU%`>qrW`bAjy5D`f^Xpf| zvs4wMd8eg^4X0=S;*s>JYZ%@L6Svj9(Var#)MdVxsr9LC3u5?fB@}`~)8?+rdXFR{ zv963O3Wezg<81MvP77IW@NPm{Q%?E@Dy+B?XlQQv3hJOm(Pl{kOmFb;q?v~Bq?#k; zv~>_JhMxECCQDMFwU2;sagBarr2QgT2e6NHn2$R0)i4yMr)YY|iyB7N(ZTWie4ugP zL#0HIGJY|+UhW`mKOVc2`X&gD^4zzK5R$p;?xtAdqC(39w2d2aH@^(0!~XQ)&-Nf1 zlW{N;2oF)He$UtgkV0i7iJcj|)goDhk6t;A3u6#+jiHs)Zo^wT+s&Wz9gx5vb|^X` z`|*mBr&w?`$l>Md6A_|-O7>gu7PEhzaWb*cEP65uQ0#Iq8pyUpgo;F(FLQg4Mk5~Z zq);cPtrx3f)1Q-w7wcm{^9Vp;!MTSy{E11+f2MA3FNw3e)rqo6MtsLf)8kmehOJZ5 z$NT;f-qe8< z+j9i=HvsMG|68CQz&#+hpxB9=CZUs$xF3jm{&<+wgzfHtmVE6S4p%RA4W7N0ifw7xA@3E*xv|yIfM-82C`(A*?e{h zoJ+kWybeO641cvkb#ZI{aooANPrw5Y4gS)MG5&_MG7LhIy*SiD41Oyt8;fuB-;Z~W zbAy5iZEq$+XLF2+BjrIMN1(%sQd1ABd=2g!5&)cd;%MKWu9pm5%NO;Q20_A1xN^dq zkzP1Rz_Kb#->MtqMawt1?UYt$RxJ83$q}J;->|5%F@Uz5K{%G=NTfTvpg(tX9(?_i z8#Z4D;wE927YZ%`_TbKAWIke51Sl4B`0AENa4^C|vrn1Cm}&< z|F8vzQjC_ed085j@l6>P!-cekI5^lG>Lq?ZK1uj=bYLeEW8^^4sq;qIeo&hfh+e#? 
zP2*LmAGTm;@R~7XyQWmBho<_|51*Rn9_b4!g#-d_>5af1)A($v4~8RdSCvO4Wy!B< zpPcfVs*@k++kH1M4d~?9dL9C>M<$4>!Eoso-*&xUdZ6F9#WZUvRaoFZQ9_*?fLv;rtArwpz#VICY037OHH z^HVNy?lPGnRSr{ABp9-#Rs^P6i3{qav+k@X;>Q$|YJpi{FtS0NLMwOJ{f3_3d;B*b z8T^fWk>EN@#%31qT|+K}+c`7`6LCp#o7QQ!g3X{p`arvI_LmLfaW3$RFpD9;ov8(J z&FBwSKVgl;@N%wsz3xjPr5^O4*&6|jX;w%DB3voxR5wY1pRWu5g>wzLAB~rR3q6$UWAV9v01+|yz}jyF#J=R zU0gg{>T6r4!rmPBWKJT=`wKfkO-7A=86064*I?t|5Q=T}*vn-J_6sxP$>h)49Z^sR zb?cF(8U+z@wD4WJ#_aYd_IiIZl08#KE7ATPg~=$WkU-fL#+vtR35YUWdTLZA|CErp zUeVS5HX`?B3Ja&|5=E&~RJl9-_wza96+3D6^kA=#$vZ2FY}OFxWq>Iag5DGl>Y-!6 z!4GfLwmjb5Pkt!ImcLTlR(jm-3w9C6L;AA205?&e5mYj+^*Jp6j?YjkY=D0?O3q8q7FiU588YRep^*rWLKXcKv z?rtXGd&Z znCL{dOx1Y5b$$^Vr|DkM`lV^^0c=EKTD_Cri|J|q(T%Edr%v)1c*>^w7%jL$V*b+{ zV>mCFcz+HvMk6gBKY^_X=xFi5ZpxUMvk}nVC@U+`V>~+Qu{Jy=(UaOT%cTokUwx}dDIe!&=01Y7aI6q|C2OyTB2*eR4N^`MBsJz-z}cy92zyv^ z^bG4xF>WP$F*zjt8=fr(@S(}Pv9;mRr*1Xko6X|SlB)Moe6hz^>@eDA?x0u7X-qUw zgTFdyFCt&>8UK-h#?eMGTmdr9v|0FDGtNo|JF_jdC`r40$BZ{+m9lXxPgnwrf-vlc z-n?x}PbB9O8}>EJh)f06;TJI~rnTt|vkSPd$Uoi$SsAZOxR8%U86*m;^SeDAMWiHp z5!7GjP}wdjbtL~_VvN#6G*OBIHK-E<(*{fhS5tjvW`)kXd(ISZ*Cf&By4uZ-C0<=mh)55PdI5(8AIK-1#zPH)CVkHJ5u4 zMOyy_NTpC+oE*_CBDQx?(*rTRE9&O(v@G)%=h zO5fEjP&OPAkgmo;BpRe$I2;%K!|09N_+Xc-rw5oV5TSFNi7lC|eknIT-KztmOq>Z% zwJ3iPL}O3S-4p&M50@7g5mcqc9tB^x9_vgxp!*&DS1u5gZl@gEhm!M?b`*^f@Mii& zb&*?{#tGsMmRRXo)8B)R@9Kn>d8a!+@+gw1&n~$YNxF(|evzlB-{Stcw_=#ftd#tt~*b(^!Ju$rFwpS*J_K{2G=Ke3;J>cZbBUg7em zPDQm9?m@!rDEQvaZ>ZnBBr~yUa#jqBWaF*}~Sc-?ti%`=*~# zQJ%8STW#IK6ArR34h*70+66UOXXeq^w{UmzOatI+zBi^=g=cZ$V_cyIyC5K%XHnqJ zzm1veef|l6Mwp#5QU*J4_a=r1%Gqw_rPQsfmX&=37eBpR)XO_Ix!4oZ1h`836w%Mp zd1GMF4}<9=P6wi5OrwkqL= z*fJtEzeW>c*4W_F8)@DQ5q%E|c4ZD~3Hls!R3iwhAn_Z-D2JBV$CY-w?Fo_p6Z)*Z z-Yk7736fx?6+G4+nigIZLD*Iz!nOnQ7++fS|TQJdL53elv;NiV*pJM z<`c2yw&`vIwOwSjuCeS*-;vt{%VR!w$Px@m0=P{shD8b?A)Ee|+7Vwiu6n@McDY$8g+ zp7ZxSeZ!Mq%bp(Dmtn?($-)2ogdjR0o)@LaLm-9}*L)j@3*&?%otjPkh>A+DtC5!O zM&6|2LgIn0_<~6W!Gn{@(`1q7E}4TZ{7<<~m~-Bs*zw4GEX(SbDFAbdzc!Ys%v6(q 
zvCv!HdrC?l8^ZjoGFR^#nKXUo1#T*O2}BrU@ifMCULzK5R#03%hqd@=p2~$fWcy2g zh%aTCO?(rqKZ#(V7NBjCgA!E}K8Ad&t&`E!WOmB04lVgZc*Hv0#QxlzKDYng-J+>3 zSwElxEQZeYc+R}9TUzUnL>v$i*n8~7)A(2*If*Q*02`a$N8S{LVj0{ib@SJ0JatA@ zfLdh?qYNBYGFk*l4Xn^m1YY|$QSZV&J${0mlExuxx8{<%mWc%8LSrRcXW-o2jDU&9 zTw2{g)topco%lnMb7B=oWiw0VGQIDSq3tgli(fVkDhHKAg;IlYi?5GQMpBQOs|lKi zwyj^I8HnRebZknU+OJI)WBmDL*K4oHL1?Gv7Dh zEppD=^oq-1T`b!4p7~sX(<_}Pw<|5as_0$K;jze9(FqH%`m6T;%>Qs){E&{7rd6TL zN*bkwb!bHGT`~ujsuwanmQzcsbMquf2@T$@!3-#uJL*sPf`C@sPGtE;a%sB}6n4RL zh_rYlk;iKoXp*eBr8Ij{l&nn8(1TOr;&zKlRZ}Zm{!Rx_Dd;Ch70)JC1<4dBC{u^2 zTRHQi6<4#MAm@-2ZX(KHoEu~C6V4y$u9EfJKankl!uqW{ zAU%KAZ#z#UfjGGSeCuTW`K-|BsP1~#od}&#d`_E_rk$K{;<$%+L}KJHdG;1uF;Mq* z>R;>DmpWQBGv`en=JZrrR_e%+sW%uDM~XL!Z0-DH-Lh1fPD5Lr_ma`JRS*X~EKfIA z@j|aa<;)6TrcQ> zz=mlW#5GhiopD-V$T z_Yt)-a=SJ$S4r*F=t{rS)?akaWP$ilfNygLY6Igu!p7xwGUifWDrSI}dtZ{JC> z_Tor-hykkXu2nI><%a=IDRxI+Zap@}G3{8n03r2uiE;vaa_zmo|Ix*WH!J)1r#P>O z3b?rd?U&+RvR%SNx22G(3MR(&UF`lZrvO^gakbEEt#HX3prsgdEPk95bY*Z^Wa}tv zDt!;$ub=|isA#LrN;08`p`MWplL3IpxiFL%Ng7h|QjUs3iNPwIM+O{Wy=Z_IHZimW z+%aR>GHp}ezyj>i2}S#;M*yHa*AcjNeS@{0D;0%S-8V-iV`U_?+9hB9soEghINOqD zUc5mMdOZY_PKXrQKYMR26ywEp-bBcY0`JrhS9mkVywnKnK7)`~zICFMG( zb`@@Cq8lSr0|+-zTsi*m zFy@7Ehk?jfRa&x--nv+oJAS;^69>QxgiMikVQSsqLv$6*ciLRfTFM4X|1ieNmQbLSPaBH+ zikaBV^Jts=lx!5pq>4`z%GwTwI32r-JcsgwQG7Jc2k;zyALS&5W)1qHA7g$pbY51z5)PJS zteI<`?nXPI?v#JXy-euWJE>U2|AG)ENr@47l9R|XJHTH|ScEeWr#3#ZkCwu{IH0U} z5S?Sx_X3RpI?3@#hC|z#c*L1D3PofLi8F#LY<;a%)2w077j(%=CbdmCK#Je6;jkeTAr2Vn`Y`EU6Dl&hc-@+1c}|gzafIA~wOxh`w$6Cxk>gu_ z1tsbAHkCuiVxpt^*{vG+6E(4aCqX%)8U>*=eAD#tD#>3_eGB3i@LGorb)wTx)<#KD zM2;r=j?*npTxHbh;Xc4}2%ruL;U3Vb5_z!sFJ?nsV{e=r;p74u0=YAF;?>b0%m*r$ zTeRxS9p-GiXYmMR_+hsv?>SfUro5tIjX7PKRsdz9A7DIQ8!2zfy9t-q%vcmw%_rrRriw+?X|U+NB-K;TxR;iOa7Y(aJ3b{R|r-$ z;oeL3pDMR-%^(UTS{_mqD$jlw^UHJ9*$Cf}((_8!Xl#HZ?w$s`ZOBoJQoBLdI*X!CyEKq$; znn&R5{!8z!)$6gNI*j%0MI0U?>w+ifvq@uppZzY0G0$*>D{qQrp)L1?Q2P>Wn&B6& z>56Fu<>%dq)7lF)THw^{KCAfkyV;lOcHzD4Gs=YqIewy;RBkzF6+}w~VemEp{JPGj 
z`KwL=aH(5}#t!m!*Ykwe^R}v=O5+8GCkazs>z1aMIhgv=Y-9N2mCDWU_TI%5gkm`< z@T3AwrG)F}!*s5Ci6ZK@_^!xzZ)1{)%wLYBMfs~#^dg{TCtJ3nRm`4=2%qq(D<9?L zR1Ua?0$n%_w@;P%k=932NsE?IJ~V~3!VUK3*t~0Mh3B(F&oI^-6FUar*iuK7s=ZD$ z3$<_z>9dPPCFS@+FlUwA+BkM9SotuLeTnnuGvkkLTU&OJC7OIdt9-PL z?vHls!NARvwqV*jP1Z4XoAOP8X-$7tG47gH$c?M2L54SP((A_Ev0paU11ge_SatyjP)5a7Oxg7Kc_;rj|za22&Yr@{T`=6JDA4j`~ z&+e|DamvFDwU*xqlGpbg{DXbVtmG{n4bO6$@mCJEVb_OwkD`JSJ6CU>^ww=i0g5%1 z7!ZX4CitraHt$HgO(N8d!>dogGfr`uz8y*iBo)fWs~!atsy+#=zn6bjHo6&mf$A}^ zjrQg0t?Y{(-b|@3Yz@(28H)FBvyE$~jv5yuIJ7HQcPtxPL3KPE_v7#{J%5^^%A)HK zG`ePX4h}-qDSr!>;qFAEU+JyC!XxHLtg?V!w#LXl{FiXi@UF~KPaTeZrr*j6WO`ef z5;!Zoi>+q&wVlC~Vi8m1F%098TWbCXpG_-p<0&IFrUzzK(3Wg>puO$2XH9XRPV80N8{ z5P+7mHn#M~#0iiX`|zlmWyC!gf8^)bKvStCv+IwHDN1^+t)s6a$iUO=y0VIShF;4u zamq(ndR7*K9)I;Czy1|~2r87aozi9qWx2z*+3O!j(*%V0-;$^@uF?cUl*~!5GQhpi zGX>J4mcFVBD=#yO#h6Gn%#w^XHtxcb@i!9O&$p`DWB5hX$lcbe|Cung67}`t=-x|v zRT}gnpFX)5#7>YNo#><>mCR~2LYcq4kG3dx;cv&SH=_DG?r=tt-G4%3G?ss`KL-0G z{IXx4`wr5NUTlMuhkMMrCtGHmji3iQ_?Z4j;G_qKe;zx5FUnxdwVoOZ4ik4eNRHQu zpU+y>t_C{$mKWSw zdMFiDE^<*MlTN#^ko#2oYOq4&i`whzs^UsV2Y8*{V!ID( z>|-ec-FzTJ(E5@3r0$%N7<|5p306eszOYzidIeab)-m=qQE^!Clq;2cI3g`60e7im^PR7}Cl3&~3uiM|vEeKlL+Qx&A#3GY}a!Y2M8f3sKfS11~ zGL$0!Uif4?k2Py}PO{ii4&kS8o757LPryUlf$t5VCP1Caj&>EbP^e$+kzcH)@In7~aSwaj?>-IF#ZK))a^-;z#?>O|%c zoYA;fTR1XeZW@u_LF0f7M4Jb$7KgxZ`az1YBf*K;;Zu{czN-Zx z;7#r5@^9s82X5Sgm{)F`osh}<>7?~ZTRUD_KsJtwQK@ck^ItLDGUU*HG9zF$O&d`z z$I-OW)i1*GaRTKPMdShC@<$uSs!)s6erdEm%z=qio@-Pd8q{uQXxx?PT&YWTL|E{= z;VMq#2E(vR^|X-ugok6`vluU2e+p%<7PJ>+rPyQRiKN2FsgDg?P0ED|c)#RV)ul`@ zi@{)bnsnM3&Z`3`wOZC$1#Q?>LS)hDfTiR!`SD8yyV_-0QjAEoU!>PwApfT#+)t#n$VWr-WCj-c-^emN;%5Huh( zARr(pAO!^r)g-zONn2a~pFfb6Xn* z3rAa<|3ApEyoKt^7R9@?D=^S(83GXU|4sehAO%06t@X`ql#H$ItbRiM-*j+@|DFQ* OxdVPIp)c@H`~LuZUnQLY literal 0 HcmV?d00001 diff --git a/Solutions/ZeroTrust(TIC3.0)/Package/createUiDefinition.json b/Solutions/ZeroTrust(TIC3.0)/Package/createUiDefinition.json index 563df6bfd7..e4119cce95 100644 
--- a/Solutions/ZeroTrust(TIC3.0)/Package/createUiDefinition.json +++ b/Solutions/ZeroTrust(TIC3.0)/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Microsoft Sentinel Zero Trust (TIC 3.0) solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across 25+ Microsoft and 3rd party products. The solution includes the new Zero Trust (TIC 3.0) Workbook, (1) Analytics Rule, and (3) Playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced with numerous Microsoft offerings. This Solution enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud, multi-cloud, hybrid, and on-premise workloads. 
For more information, see 💡[Microsoft Zero Trust Model](https://www.microsoft.com/en-in/security/business/zero-trust?rtc=1) 💡[Trusted Internet Connections: Core Guidance Documents](https://www.cisa.gov/tic) \n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ZeroTrust(TIC3.0)/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Microsoft Sentinel Zero Trust (TIC 3.0) solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across 25+ Microsoft and 3rd party products. The solution includes the new Zero Trust (TIC 3.0) Workbook, (1) Analytics Rule, and (3) Playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced with numerous Microsoft offerings. This Solution enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud, multi-cloud, hybrid, and on-premise workloads. 
For more information, see 💡[Microsoft Zero Trust Model](https://www.microsoft.com/en-in/security/business/zero-trust?rtc=1) 💡[Trusted Internet Connections: Core Guidance Documents](https://www.cisa.gov/tic) \n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", diff --git a/Solutions/ZeroTrust(TIC3.0)/Package/mainTemplate.json b/Solutions/ZeroTrust(TIC3.0)/Package/mainTemplate.json index 395ce5a5a1..0584abd99b 100644 --- a/Solutions/ZeroTrust(TIC3.0)/Package/mainTemplate.json +++ b/Solutions/ZeroTrust(TIC3.0)/Package/mainTemplate.json 
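Review bot: the new bullets in the `+` description use `\r \n` (carriage return, space, newline) as the separator before each `•`, while the rest of the string uses `\n\n`; the stray space lands at the start of each bullet line and the mixed line endings may render differently in the portal's markdown. Use one form throughout, e.g. `\n\n • Review the solution [Release Notes](...)\n\n • There may be [known issues](...)`. Also consider percent-encoding the parentheses in `ZeroTrust(TIC3.0)` within the Release Notes link URL (`%28`/`%29`), since unescaped parentheses inside a markdown link target are parser-dependent.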
@@ -38,74 +38,63 @@ } }, "variables": { - "solutionId": "azuresentinel.azure-sentinel-solution-zerotrust", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", - "TemplateEmptyArray": "[json('[]')]", - "blanks": "[replace('b', 'b', '')]", + "_solutionName": "ZeroTrust(TIC3.0)", + "_solutionVersion": "3.0.0", + "solutionId": "azuresentinel.azure-sentinel-solution-zerotrust", + "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", "workbookContentId1": "ZeroTrust(TIC3.0)Workbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "analyticRuleVersion1": "1.0.0", "analyticRulecontentId1": "4942992d-a4d3-44b0-9cf4-b5a23811d82d", "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", + "TemplateEmptyArray": "[json('[]')]", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", + "analyticRuleTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", "Notify_GovernanceComplianceTeam-ZeroTrust": "Notify_GovernanceComplianceTeam-ZeroTrust", "_Notify_GovernanceComplianceTeam-ZeroTrust": "[variables('Notify_GovernanceComplianceTeam-ZeroTrust')]", "playbookVersion1": "1.0", "playbookContentId1": "Notify_GovernanceComplianceTeam-ZeroTrust", "_playbookContentId1": "[variables('playbookContentId1')]", "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", - "playbookTemplateSpecName1": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1')))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", "Open_DevOpsTaskRecommendation-ZeroTrust": "Open_DevOpsTaskRecommendation-ZeroTrust", "_Open_DevOpsTaskRecommendation-ZeroTrust": "[variables('Open_DevOpsTaskRecommendation-ZeroTrust')]", "playbookVersion2": "1.0", "playbookContentId2": "Open_DevOpsTaskRecommendation-ZeroTrust", "_playbookContentId2": "[variables('playbookContentId2')]", "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", - "playbookTemplateSpecName2": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2')))]", + "playbookTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", + "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", "Open_JIRATicketRecommendation-ZeroTrust": "Open_JIRATicketRecommendation-ZeroTrust", "_Open_JIRATicketRecommendation-ZeroTrust": "[variables('Open_JIRATicketRecommendation-ZeroTrust')]", "playbookVersion3": "1.0", "playbookContentId3": "Open_JIRATicketRecommendation-ZeroTrust", "_playbookContentId3": "[variables('playbookContentId3')]", "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", - "playbookTemplateSpecName3": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3')))]" + "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", + "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": 
"Workbook" - }, - "properties": { - "description": "ZeroTrust(TIC3.0) Workbook with template", - "displayName": "ZeroTrust(TIC3.0) workbook template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ZeroTrustTIC3Workbook with template version 2.0.6", + "description": "ZeroTrustTIC3Workbook Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
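Review bot: the new `dependsOn` for the workbook `contentTemplates` resource references `extensionResourceId(..., 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))`; ARM requires a `dependsOn` target to be declared in the same template, so make sure the `contentPackages` resource for `_solutionId` is defined later in `mainTemplate.json` (it is not in this hunk) or the deployment will fail validation. Two smaller points in the same hunk: `workspaceResourceId` is kept in `variables` although its only visible consumers, the `hidden-sentinelWorkspaceId` tags, are removed here, so confirm it is still referenced elsewhere or drop it along with `blanks`; and the generated description `"ZeroTrustTIC3Workbook Workbook with template version 3.0.0"` repeats "Workbook", which reads as a packaging-tool artifact and could be `"ZeroTrustTIC3 Workbook with template version 3.0.0"`.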
@@ -123,7 +112,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\",\"value\":\"No\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"[variables('TemplateEmptyArray')]\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 
'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000}],\"allowCustom\":true},\"id\":\"6539479a-3e0d-42c6-bcbe-2d1f11bb9896\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/0xxx6arkaS)\"},\"name\":\"Survey\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Getting Started\\r\\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with Zero Trust (TIC 3.0) control requirements. A filter set is available for custom reporting by guides, subscriptions, workspaces, time-filtering, control family, and controls. This offering telemetry from 25+ Microsoft Security and partner offerings, while only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, each offering provides additional enrichment for aligning with control requirements. 
Each control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads. \\r\\n\\r\\n### [Recommended Microsoft Sentinel Roles](https://docs.microsoft.com/azure/sentinel/roles) / [Recommended Microsoft Defender for Cloud Roles](https://docs.microsoft.com/azure/defender-for-cloud/permissions#roles-and-allowed-actions)\\r\\n| Roles | Rights | \\r\\n|:--|:--|\\r\\n|Security Reader | View Workbooks, Analytics, Hunting, Security Recommendations |\\r\\n|Security Contributor| Deploy/Modify Workbooks, Analytics, Hunting Queries, Apply Security Recommendations |\\r\\n|Automation Contributor| Deploy/Modify Playbooks & Automation Rules |\\r\\n\\r\\n### Onboarding Prerequisites \\r\\n1️⃣ [Access Microsoft 365 Compliance Manager: Assessments](https://compliance.microsoft.com/compliancemanager?viewid=Assessments)
\\r\\n2️⃣ [Onboard Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
\\r\\n3️⃣ [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\\r\\n4️⃣ [Continuously Export Security Center Data to Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/continuous-export)
\\r\\n5️⃣ [Extend Microsoft Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)
\\r\\n6️⃣ [Implement CLAW Aggregator](https://github.com/Azure/trusted-internet-connection)
\\r\\n7️⃣ [Configure Auto Provisioning of Microsoft Defender for Cloud Agents](https://docs.microsoft.com/azure/defender-for-cloud/enable-data-collection)
\\r\\n8️⃣ [Review Microsoft Service Trust Portal Documentation/Audit/Resources](https://servicetrust.microsoft.com/)
\\r\\n\\r\\n### Recommended Enrichments\\r\\n✳️[Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n✳️[Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n✳️[Azure Firewall Premium](https://azure.microsoft.com/services/azure-firewall)
\\r\\n✳️[Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n✳️[Azure Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/)
\\r\\n✳️[Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)
\\r\\n✳️[Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n✳️[Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender)
\\r\\n✳️[Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)
\\r\\n✳️[Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n✳️[Azure DDoS Protection](https://azure.microsoft.com/services/ddos-protection/)
\\r\\n✳️[Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender)
\\r\\n\\r\\n### Print/Export Report\\r\\n1️⃣ Set Background Theme: Settings > Appearance > Theme: Azure > Apply
\\r\\n2️⃣ Print/Export Report: More Content Actions (...) > Print Content
\\r\\n3️⃣ Settings: Layout (Landscape), Pages (All), Print (One Sided), Scale (60), Pages Per Sheet (1), Quality (1,200 DPI), Margins (None) > Print
\\r\\n\\r\\n### Important\\r\\nThis solution provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective requirements. Each control is associated with one or more 💡[Azure Policy](https://docs.microsoft.com/azure/governance/policy/overview) definitions. These policies may help you 💡[assess compliance](https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data) with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. 
\",\"style\":\"info\"},\"name\":\"Help\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Microsoft Zero Trust Deployment Center](https://docs.microsoft.com/security/zero-trust)\\r\\n![Image Name](https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4KvMM?ver=13f6&q=0&m=6&h=600&w=1600&b=%23FFFFFFFF&u=t&l=f&f=jpg&o=t&aim=true \\\"Security Policy Enforcement\\\")\\r\\n\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Zero Trust Model\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 109\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Trusted Internet Connections 3.0](https://www.cisa.gov/trusted-internet-connections)\\r\\n\\r\\n| Security Objectives |\\r\\n| : | : | \\r\\n| Manage Traffic | Observe, validate, and filter data connections to align with authorized activities; least privilege and default deny |\\r\\n| Protect Traffic Confidentiality | Ensure only authorized parties can discern the contents of data in transit; sender and receiver identification and enforcement |\\r\\n| Protect Traffic Integrity | Prevent alteration of data in transit; detect altered data in transit |\\r\\n| Ensure Service Resiliency | Promote resilient application and security services for continuous operation as the technology and threat landscape evolve |\\r\\n| Ensure Effective Response | Promote timely reaction and adapt future response to discovered threats; policies defined and implemented; simplified adoption of new countermeasures |\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Trusted Internet Connections 
3.0\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Zero Trust (TIC 3.0) Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\n---\\nThe Microsoft Sentinel Zero Trust (TIC 3.0) Solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across cloud, multi-cloud, 1st/3rd party workloads. The solution includes the new Zero Trust (TIC 3.0) Workbook, (1) Analytics Rule, and (3) Playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced with numerous Microsoft offerings. This Solution enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud, multi-cloud, hybrid, and on-premise workloads. 
For more information, see 💡[Microsoft Zero Trust Model](https://www.microsoft.com/security/business/zero-trust) 💡[Trusted Internet Connections](https://www.cisa.gov/trusted-internet-connections)\"},\"name\":\"Workbook Overview\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/next-evolution-of-the-microsoft-sentinel-zero-trust-tic-3-0/ba-p/3278097\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/CxLzTRPuw-4\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ZeroTrust(TIC3.0)\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"79\",\"name\":\"group - 22\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"21\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Executive Summary\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Assessment\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Controls Crosswalk\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Recommended Data Connectors\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Recommended Content\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"GC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Azure Lighthouse\\\\\\\", \\\\\\\"tab\\\\\\\": 
\\\\\\\"AL\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Universal Security Capabilities\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Universal Security Capabilities\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Files\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Files\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Email\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Email\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 107\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cec6c07e-2856-4c77-8b48-98935f2c1218\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAssessmentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Assessment\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isControlsCrosswalkVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"20f1daf6-59a0-4673-b1bf-cc388d52debf\"},{\"id\":\"2919b971-fb14-440c-ab42-50304df3ceab\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDCVisi
ble\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isGCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"GC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"fa7b0ee3-8d6e-4ff7-bb64-cf2241f30f98\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAzureLighthouseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AL\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9944cda7-77aa-4189-8061-afc260130b84\"},{\"id\":\"eab3e5a8-66c3-4304-8c2b-43264e858ba8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUniversalSecurityCapabilitiesVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Universal Security 
Capabilities\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isFilesVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Files\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"67de7a24-1840-4fc5-94d5-a6b5d7520a7c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEmailVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Email\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ec480379-6561-4a30-b005-7533da78ed14\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"isVisible Navigation\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Web\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Web\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Networking\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Networking\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Resiliency\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Resiliency\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"DNS\\\\\\\", 
\\\\\\\"tab\\\\\\\": \\\\\\\"DNS\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Intrusion Detection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Intrusion Detection\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Enterprise\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Enterprise\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Unified Communications & Collaboration\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Unified Communications & Collaboration\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Data Protection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data Protection\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 109\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"740b611b-8155-4e96-bbcc-bbdba0541143\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isWebVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Web\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"62d67234-8fb2-43e6-b5d2-945692493431\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isNetworkingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Networking\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",
\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isResiliencyVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Resiliency\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4f04758a-2908-474e-bfe0-13d072241fd2\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDNSVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DNS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9cb339a8-c8b4-43ad-b2e5-76f61b87d8c1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIntrusionDetectionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Intrusion 
Detection\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4b799471-726e-432c-b577-2f45474d883c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEnterpriseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Enterprise\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"584fbe21-b31b-49cb-bd65-62ef850a8310\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUnifiedCommunicationsCollaborationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Unified Communications & Collaboration\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"78d61c25-823a-4232-8a32-1a7e7018e596\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataProtectionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data 
Protection\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4da988d5-15f9-4ea8-bbd5-2153bfcae0a0\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"isVisible Navigation - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Executive Summary](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)\\r\\n---\\r\\nThis section provides a mechanism to find, fix, and resolve Zero Trust (TIC 3.0) recommendations. A selector provides capability to filter by all, specific, or groups of TIC 3.0 control families. Upon selection, subordinate panels will summarize recommendations by control family, status over time, recommendations, and resources identified. These panels are helpful for identifying the controls of interest, status over time, and impacted resources. The recommendation details pane provides a mechanism to identify specific recommendation details with deep-links to pivot to Microsoft Defender for Cloud for remediation. 
\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 7\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"99a47f97-1aa4-4840-91ee-119aad6d6217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ControlFamily\",\"label\":\"Control Family\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Universal Security Capabilities\\\", \\\"label\\\": \\\"Universal Security Capabilities\\\"},\\r\\n {\\\"value\\\": \\\"Files\\\", \\\"label\\\": \\\"Files\\\"},\\r\\n {\\\"value\\\": \\\"Email\\\", \\\"label\\\": \\\"Email\\\"},\\r\\n {\\\"value\\\": \\\"Web\\\", \\\"label\\\": \\\"Web\\\"},\\r\\n {\\\"value\\\": \\\"Networking\\\", \\\"label\\\": \\\"Networking\\\"},\\r\\n {\\\"value\\\": \\\"Resiliency\\\", \\\"label\\\": \\\"Resiliency\\\"},\\r\\n {\\\"value\\\": \\\"DNS\\\", \\\"label\\\": \\\"DNS\\\"},\\r\\n {\\\"value\\\": \\\"Intrusion Detection\\\", \\\"label\\\": \\\"Intrusion Detection\\\"},\\r\\n {\\\"value\\\": \\\"Enterprise\\\", \\\"label\\\": \\\"Enterprise\\\"},\\r\\n {\\\"value\\\": \\\"Unified Communications & Collaboration\\\", \\\"label\\\": \\\"Unified Communications & Collaboration\\\"},\\r\\n {\\\"value\\\": \\\"Data Protection\\\", \\\"label\\\": \\\"Data Protection\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"parameters - 26\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName 
has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", \\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", \\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", \\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), 
\\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", \\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", \\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by ControlFamily\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| project ControlFamily, Total, PassedControls, Passed, Failed\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Control Family\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, 
RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", \\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", \\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", 
\\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", \\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), \\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", \\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", \\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations 
\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"rowLimit\":2500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion 
Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", \\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", \\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", \\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), \\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", \\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", 
\\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", \\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by AssessedResourceId\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| project AssessedResourceId, Total, PassedControls, Passed, Failed\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Asset\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AssessedResourceId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName 
has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", \\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", \\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", \\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), 
\\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", \\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", \\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| where RecommendationState == \\\"Unhealthy\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by ControlFamily\\r\\n| render timechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations over Time\",\"noDataMessage\":\"No Current Zero Trust(TIC 3.0) Recommendations in this Area. 
Confirm the CMMC Level 3 Assessment is Enabled in Microsoft Defender for Cloud: Regulatory Compliance Blade.\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", \\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", 
\\\"IP forwarding\\\", \\\"port\\\", \\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", \\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), \\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", \\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", \\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| where RecommendationState == 
\\\"Unhealthy\\\"\\r\\n| parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *\\r\\n| project ResourceID=AssessedResourceId, RecommendationName=RecommendationDisplayName, ControlFamily, Severity=RecommendationSeverity, CurrentState=RecommendationState, RecommendationLink, DiscoveredTimeUTC, assessmentKey\\r\\n| extend Rank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, 0)))\\r\\n| sort by Rank desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendation Details\",\"noDataMessage\":\"No Current Zero Trust (TIC 3.0) Recommendations in this Area. Confirm the CMMC Level 3 Assessment is Enabled in Microsoft Defender for Cloud: Regulatory Compliance Blade.\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceID\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thres
holdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Rank\",\"formatter\":5},{\"columnMatch\":\"RecommendationSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":2500,\"filter\":true},\"sortBy\":\"[variables('TemplateEmptyArray')]\"},\"name\":\"query - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAssessmentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Controls Crosswalk](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n---\\r\\nControls crosswalk provides a mapping of Zero Trust (TIC 3.0) controls across additional compliance frameworks. 
This provides free-text search capabilities mapping Zero Trust pillars, TIC 3.0 controls, Microsoft offering overlays, and the NIST Cybersecurity Framework.\"},\"customWidth\":\"40\",\"name\":\"Controls Mapping\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Crosswalk = datatable([\\\"Control Name\\\"]: string, [\\\"Zero Trust Pillars\\\"]: string, [\\\"TIC 3.0 Control Family\\\"]: string, [\\\"NIST Cybersecurity Framework\\\"]: string, [\\\"Microsoft Offerings\\\"]: string) [\\r\\n\\\"Backup & Recovery\\\", \\\"Data, Infrastructure\\\", \\\"Universal Security Capabilities\\\", \\\"ID.BE, PR.IP, PR.DS, RS.MI, RC.RP\\\", \\\"Backup Vaults, Recovery Services Vaults, Microsoft Defender for Cloud\\\",\\r\\n\\\"Central Log Management with Analysis\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.PT, DE.AE, RS.AN\\\", \\\"Microsoft Defender for Cloud, Azure Monitor, Azure Lighthouse\\\",\\r\\n\\\"Configuration Management\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.BE, PR.DS, PR.IP, PR.MA\\\", \\\"Automation Accounts, Azure Active Directory, Microsoft Defender for Cloud\\\",\\r\\n\\\"Incident Response Plan & Incident Handling\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.GV, ID.RA, PR.IP, DE.DP, DE.AE, RS.RP, RS.CO, RS.AN, RS.MI\\\", \\\"Microsoft Sentinel\\\",\\r\\n\\\"Inventory\\\", \\\"Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.AC, PR.DS, PR.IP\\\", \\\"Azure Resource Graph Explorer, Azure Active Directory, Microsoft Defender for Cloud, Microsoft 365 Defender\\\",\\r\\n\\\"Least Privilege\\\", \\\"Identities\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.AC, PR.IP, PR.PT, DE.CM\\\", \\\"Azure Active Directory, Microsoft Sentinel, Microsoft Defender for 
Cloud\\\",\\r\\n\\\"Secure Administration\\\", \\\"Identities\\\", \\\"Universal Security Capabilities\\\", \\\"PR.MA\\\", \\\"Azure Active Directory, Privileged Identity Management, Microsoft Defender for Cloud\\\",\\r\\n\\\"Strong Authentication\\\", \\\"Identities\\\", \\\"Universal Security Capabilities\\\", \\\"PR.AC\\\", \\\"Azure Active Directory, Microsoft Defender for Cloud, Microsoft Sentinel, Key Vault\\\",\\r\\n\\\"Time Synchronization\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"PR.IP\\\", \\\"Azure Portal, Virtual Machines, Microsoft Defender for Cloud\\\",\\r\\n\\\"Vulnerability Management\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.RA, PR.IP, DE.AE, DE.CM, DE.DP\\\", \\\"Microsoft Defender for Cloud, Microsoft 365 Defender\\\",\\r\\n\\\"Patch Management\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.IP, PR.MA\\\", \\\"Automation Accounts, Microsoft Defender for Cloud\\\",\\r\\n\\\"Auditing & Accounting\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.SC, PR.AC, PR.PT\\\", \\\"Azure Active Directory, Microsoft Defender for Cloud, Microsoft Sentinel\\\",\\r\\n\\\"Resilience\\\", \\\"Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.BE, PR.PT\\\", \\\"DDoS Protection Plans, Availability Sets, Load Balancing, Virtual Machine Scale Sets\\\",\\r\\n\\\"Enterprise Threat Intelligence\\\", \\\"Visibility & Analytics\\\", \\\"Universal Security Capabilities\\\", \\\"ID.RA, DE.AE, DE.CM, DE.DP\\\", \\\"Microsoft Sentinel, Microsoft Defender Security Intelligence Portal, MSTICpy\\\",\\r\\n\\\"Situational Awareness\\\", \\\"Visibility & Analytics\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, ID.RA, PR.DS, PR.IP, DE.AE, DE.CM, DE.DP, RS.CO\\\", 
\\\"Microsoft Sentinel\\\",\\r\\n\\\"Dynamic Threat Discovery\\\", \\\"Visibility & Analytics\\\", \\\"Universal Security Capabilities\\\", \\\"ID.RA, DE.AE, DE.CM, DE.DP\\\", \\\"Microsoft Sentinel, Microsoft Defender for Cloud\\\",\\r\\n\\\"Policy Enforcement Parity\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"PR.DS, PR.IP, PR.MA\\\", \\\"Azure Policy, Microsoft Defender for Cloud\\\",\\r\\n\\\"Effective Use of Shared Services\\\", \\\"Data, Apps\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, ID.GV, ID.RM, ID.SC, PR.AT, RS.CO\\\", \\\"Azure Lighthouse, Customer Lockbox, Azure Active Directory\\\",\\r\\n\\\"Integrated Desktop, Mobile, & Remote Policies\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.AC, PR.DS, PR.IP, PR.MA\\\", \\\"Azure Active Directory, Microsoft Endpoint Manager\\\",\\r\\n\\\"Anti-Malware\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Files\\\", \\\"PR.DS, PR.PT, DE.CM, DE.DP, RS.MI\\\", \\\"Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft Defender for Identity, Microsoft 365 Defender, Microsoft Defender for Cloud Apps\\\",\\r\\n\\\"Content Disarm & Reconstruction\\\", \\\"Data, Apps\\\", \\\"Files\\\", \\\"PR.PT, DE.CM, DE.DP\\\", \\\"Microsoft 365 Defender, Microsoft Endpoint Manager Admin Center, Microsoft Sentinel\\\",\\r\\n\\\"Detonation Chamber\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Files\\\", \\\"DE.CM, DE.DP, RS.AN, RS.MI\\\", \\\"Microsoft 365 Defender, Microsoft Endpoint Manager, Microsoft Sentinel\\\",\\r\\n\\\"Data Loss Prevention\\\", \\\"Data\\\", \\\"Files\\\", \\\"PR.DS\\\", \\\"Azure Information Protection, Microsoft Sentinel, Office 365 Security & Compliance Center\\\",\\r\\n\\\"Anti-Phishing Protections\\\", \\\"Identity, Endpoints, Data\\\", \\\"Email\\\", \\\"PR.AT, PR.PT, DE.CM\\\", \\\"Microsoft 365 
Defender\\\",\\r\\n\\\"Anti-SPAM Protections\\\", \\\"Identity, Endpoints, Data\\\", \\\"Email\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft 365 Defender\\\",\\r\\n\\\"Authenticated Received Chain\\\", \\\"Authenticated Received Chain\\\", \\\"Email\\\", \\\"PR.AC\\\", \\\"Microsoft 365 Defender, Microsoft 365 Admin Center\\\",\\r\\n\\\"Data Loss Prevention\\\", \\\"Data\\\", \\\"Email\\\", \\\"PR.DS\\\", \\\"Azure Information Protection, Microsoft 365 Defender\\\",\\r\\n\\\"DMARC for Incoming Email\\\", \\\"Identities, Data\\\", \\\"Email\\\", \\\"PR.PT, PR.IP\\\", \\\"Microsoft 365 Defender, Microsoft 365 Admin Center\\\",\\r\\n\\\"DMARC for Outgoing Email\\\", \\\"Identities, Data\\\", \\\"Email\\\", \\\"PR.PT, PR.IP\\\", \\\"Microsoft 365 Defender, Microsoft 365 Admin Center\\\",\\r\\n\\\"Encryption for Email Transmission\\\", \\\"Data\\\", \\\"Email\\\", \\\"PR.PT, PR.DS\\\", \\\"Microsoft 365 Admin Center, Microsoft 365 Defender, Microsoft Defender for Cloud\\\",\\r\\n\\\"Malicious URL Protections\\\", \\\"Network\\\", \\\"Email\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft 365 Defender, Microsoft Sentinel\\\",\\r\\n\\\"URL Click-Through Protection\\\", \\\"Network\\\", \\\"Email\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft 365 Defender, Microsoft Sentinel\\\",\\r\\n\\\"Break & Inspect\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM\\\", \\\"Firewall Policies, Network Watcher\\\",\\r\\n\\\"Active Content Mitigation\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM\\\", \\\"Web Application Firewall Policies, Microsoft 365 Defender, Microsoft Defender for Cloud\\\",\\r\\n\\\"Certificate Denylisting\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft Defender for Cloud, Firewall Policies, Key Vault\\\",\\r\\n\\\"Content Filtering\\\", \\\"Endpoints, Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM, DE.DP\\\", \\\"Firewalls, Firewall Policies, Microsoft 365 Defender\\\",\\r\\n\\\"Authenticated Proxy\\\", \\\"Identities, Network\\\", \\\"Web\\\", 
\\\"PR.AC\\\", \\\"Azure Active Directory, Microsoft Defender for Cloud Apps\\\",\\r\\n\\\"Data Loss Prevention\\\", \\\"Data\\\", \\\"Web\\\", \\\"PR.DS\\\", \\\"Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft Defender for Identity Portal, Microsoft 365 Defender, Microsoft Defender for Cloud Apps, Office 365 Security & Compliance Center, Azure Information Protection\\\",\\r\\n\\\"DNS-over-HTTPS Filtering\\\", \\\"Endpoints, Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft Defender for Cloud, Azure Firewall, Microsoft 365 Defender\\\",\\r\\n\\\"RFC Compliance Enforcement\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT\\\", \\\"Web Application Firewall, Azure Firewall\\\",\\r\\n\\\"Domain Category Filtering\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.AC, PR.IP\\\", \\\"Azure Firewall\\\",\\r\\n\\\"Domain Reputation Filter\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT\\\", \\\"Azure Firewall, Microsoft Sentinel\\\",\\r\\n\\\"Bandwidth Control\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT\\\", \\\"Azure Firewall\\\",\\r\\n\\\"Malicious Content Filtering\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.DS, PR.PT, PR.CM\\\", \\\"Microsoft Defender for Cloud, Microsoft Sentinel, Azure Firewall, Web Application Firewall\\\",\\r\\n\\\"Access Control\\\", \\\"Identities, Network\\\", \\\"Web\\\", \\\"PR.AC\\\", \\\"Microsoft Defender for Cloud, Privileged Identity Management\\\",\\r\\n\\\"Access Control\\\", \\\"Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.AC, PR.IP, DE.CM\\\", \\\"Microsoft Defender for Cloud, Network Security Groups, Azure Firewall, Web Application Firewall, Virtual Network Gateways, ExpressRoute Circuits\\\",\\r\\n\\\"IP Denylisting\\\", \\\"Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft Sentinel, Azure Firewall\\\",\\r\\n\\\"Host Containment\\\", \\\"Endpoints, Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.AC, PR.IP, PR.PT\\\", \\\"Microsoft Sentinel, Microsoft Defender for Cloud, 
Microsoft 365 Defender\\\",\\r\\n\\\"Network Segmentation\\\", \\\"Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.AC\\\", \\\"Virtual Networks, Microsoft Defender for Cloud\\\",\\r\\n\\\"Microsegmentation\\\", \\\"Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.AC, PR.DS, PR.IP, PR.PT\\\", \\\"Application Security Groups, Network Security Groups, Microsoft Defender for Cloud\\\",\\r\\n\\\"DDoS Protections\\\", \\\"Data, Apps, Infrastructure, Network\\\", \\\"Resiliency\\\", \\\"PR.PT\\\", \\\"DDoS Protection Plans, Microsoft Sentinel\\\",\\r\\n\\\"Elastic Expansion\\\", \\\"Infrastructure\\\", \\\"Resiliency\\\", \\\"ID.AM, PR.DS\\\", \\\"Virtual Machine Scale Sets, Azure SQL, Load Balancer, Traffic Manager Profiles, Microsoft Defender for Cloud\\\",\\r\\n\\\"Regional Delivery\\\", \\\"Infrastructure\\\", \\\"Resiliency\\\", \\\"ID.AM, PR.AC, PR.DS\\\", \\\"Availability Sets, Azure Active Directory, Microsoft Defender for Cloud\\\",\\r\\n\\\"DNS Sinkholing\\\", \\\"Network\\\", \\\"DNS\\\", \\\"PR.PT\\\", \\\"DNS Zones, Azure Firewall, Microsoft Defender for Cloud, Microsoft Sentinel\\\",\\r\\n\\\"DNSSEC for Agency Clients\\\", \\\"Network\\\", \\\"DNS\\\", \\\"PR.PT\\\", \\\"DNS Zones, Azure Firewall, Microsoft Defender for Cloud, Microsoft Sentinel\\\",\\r\\n\\\"DNSSEC for Agency Domains\\\", \\\"Network\\\", \\\"DNS\\\", \\\"PR.PT\\\", \\\"DNS Zones, Microsoft Defender for Cloud, Microsoft 365 Defender\\\",\\r\\n\\\"Endpoint Detection & Response\\\", \\\"Endpoints, Infrastructure\\\", \\\"Intrusion Detection\\\", \\\"DE.AE, DE.CM, RS.AN\\\", \\\"Microsoft 365 Defender, Microsoft Defender for Cloud\\\",\\r\\n\\\"Intrusion Protection Systems (IPS)\\\", \\\"Network\\\", \\\"Intrusion Detection\\\", \\\"DE.AE, DE.CM, DE.DP, RS.AN\\\", \\\"Azure Firewall, Microsoft Sentinel\\\",\\r\\n\\\"Adaptive Access Control\\\", \\\"Identities\\\", \\\"Intrusion Detection\\\", \\\"PR.AC, DE.CM\\\", \\\"Microsoft Defender for Cloud, Azure Active 
Directory\\\",\\r\\n\\\"Deception Platforms\\\", \\\"Identities\\\", \\\"Intrusion Detection\\\", \\\"PR.PT, DE.AE, RS.AN\\\", \\\"Microsoft Sentinel, Microsoft Defender for Identity\\\",\\r\\n\\\"Certificate Transparency Log Monitoring\\\", \\\"Infrastructure, Apps\\\", \\\"Intrusion Detection\\\", \\\"DE.CM\\\", \\\"Key Vault, Microsoft Sentinel, Microsoft Defender for Cloud\\\",\\r\\n\\\"Security Orchestration, Automation, & Response (SOAR)\\\", \\\"Visibility & Automation\\\", \\\"Enterprise\\\", \\\"DE.AE, DE.CM, DE.DP, RS.CO, RS.AN, RC.RP\\\", \\\"Microsoft Sentinel\\\",\\r\\n\\\"Shadow IT Detection\\\", \\\"Endpoints, Infrastructure, Apps\\\", \\\"Enterprise\\\", \\\"PR.IP, PR.MA, DE.CM\\\", \\\"Microsoft Defender for Cloud Apps, Microsoft Defender for Cloud, Microsoft Sentinel, Microsoft 365 Defender, Microsoft Defender for IoT\\\",\\r\\n\\\"Virtual Private Network (VPN)\\\", \\\"Network\\\", \\\"Enterprise\\\", \\\"PR.AC, PR.DS, PR.IP, PR.MA, PR.PT\\\", \\\"Virtual Network Gateways, Microsoft Defender for Cloud\\\",\\r\\n\\\"UCC Identity Verification\\\", \\\"Identities\\\", \\\"Unified Communications & Collaboration\\\", \\\"PR.AC\\\", \\\"Microsoft 365 Admin Center, Azure Active Directory\\\",\\r\\n\\\"UCC Encrypted Communication\\\", \\\"Data\\\", \\\"Unified Communications & Collaboration\\\", \\\"PR.PT, PR.DS\\\", \\\"Microsoft 365 Admin Center\\\",\\r\\n\\\"UCC Connection Termination\\\", \\\"Identities\\\", \\\"Unified Communications & Collaboration\\\", \\\"PR.AC, PR.IP, PR.AT\\\", \\\"Microsoft Teams\\\",\\r\\n\\\"UCC Data Loss Prevention\\\", \\\"Data\\\", \\\"Unified Communications & Collaboration\\\", \\\"PR.DS\\\", \\\"Microsoft 365 Defender, Microsoft 365 Compliance Center\\\",\\r\\n\\\"Access Control\\\", \\\"Identities\\\", \\\"Data Protection\\\", \\\"PR.AC, PR.IP, DE.CM\\\", \\\"Azure Active Directory\\\",\\r\\n\\\"Protections for Data at Rest\\\", \\\"Data\\\", \\\"Data Protection\\\", \\\"PR.DS\\\", \\\"Microsoft Defender for Cloud, Key 
Vault\\\",\\r\\n\\\"Protections for Data in Transit\\\", \\\"Data\\\", \\\"Data Protection\\\", \\\"PR.DS\\\", \\\"Microsoft Defender for Cloud, Key Vault\\\",\\r\\n\\\"Data Loss Prevention\\\", \\\"Data\\\", \\\"Data Protection\\\", \\\"PR.DS\\\", \\\"Azure Information Protection, Microsoft Sentinel, Office 365 Security & Compliance Center\\\",\\r\\n\\\"Data Access & Use Telemetry\\\", \\\"Data\\\", \\\"Data Protection\\\", \\\"ID.AM, PR.AC, PR.DS, PR.PT, DE.AE, DE.CM\\\", \\\"Azure Active Directory, Azure Information Protection, Microsoft 365 Compliance Center\\\"\\r\\n];\\r\\nCrosswalk\\r\\n| project [\\\"Control Name\\\"],[\\\"Zero Trust Pillars\\\"],[\\\"TIC 3.0 Control Family\\\"],[\\\"NIST Cybersecurity Framework\\\"],[\\\"Microsoft Offerings\\\"]\",\"size\":0,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Control Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"TIC 3.0 Control Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Microsoft Offerings\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isControlsCrosswalkVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Controls 
Mapping\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Recommended Data Connectors](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\\r\\n---\\r\\n\\r\\nAfter onboarding Microsoft Sentinel into your workspace, connect data sources to start ingesting your data into Microsoft Sentinel. Microsoft Sentinel comes with many connectors for Microsoft products, available out of the box and providing real-time integration. For example, service-to-service connectors include Microsoft 365 Defender connectors and Microsoft 365 sources, such as Office 365, Azure Active Directory (Azure AD), Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. Check out these references if you're new to Microsoft Sentinel.\"},\"customWidth\":\"40\",\"name\":\"NS Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"b1cd1f8a-e807-4deb-93f4-7812e5ed014a\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Data Connectors >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorsBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":\"[variables('TemplateEmptyArray')]\"}}]},\"customWidth\":\"20\",\"name\":\"EL0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/best-practices\",\"linkTarget\":\"Url\",\"linkLabel\":\"Best 
Practices\",\"style\":\"link\"},{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-all-in-one-accelerator/ba-p/1807933\",\"linkTarget\":\"Url\",\"linkLabel\":\"Microsoft Sentinel All-In-One Accelerator\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://docs.microsoft.com/learn/browse/?wt.mc_id=resilience_skilling_webpage_gdc&terms=sentinel\",\"linkTarget\":\"Url\",\"linkLabel\":\"Microsoft Sentinel Training\",\"style\":\"link\"}]},\"customWidth\":\"40\",\"name\":\"links - 29\"}],\"exportParameters\":true},\"name\":\"group - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Foundational Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Activity Connector](https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"909d0019-23cb-43ad-8285-9f1dca1cd1be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureActivity\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureActivity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"58cc25ab-a9af-4516-99e1-fa22e0637a76\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActivity\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"33\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Active Directory (AAD) Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"23ba579d-c894-43be-9fe1-d1b04bc34d7a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SignInLogs\",\"label\":\"Status\",\"type\":1,\"query\":\"SigninLogs\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Active Directory\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"7c97e893-29f3-4d4c-a379-f220bb82518c\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActiveDirectory\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Active Directory (AAD) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Office 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-office-365)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"68bd12c8-e473-45d1-8bbc-2dd9f326ea69\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"OfficeActivity\",\"label\":\"Status\",\"type\":1,\"query\":\"OfficeActivity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"6a86eb8d-5487-4aad-ae7b-b526e68a249f\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Office365\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Office 365 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Cloud Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-cloud)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"1673e4cf-354f-4a42-bed2-2374be47779e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MDfC\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"Azure Security Center\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"56600b70-0e55-433a-be86-b7c561bced8b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureSecurityCenter\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Defender for Cloud Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Network Security Groups (NSG) Connector](https://docs.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"b17ce357-e8d5-4c7c-a4f0-765598462a1c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NSG\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"NetworkSecurityGroupEvent\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"935bb630-1fce-4021-b7b4-c010b9e05973\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureNSG\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Network Security Groups (NSG) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Windows Security Events (AMA) Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CAMA#windows-agent-based-connections)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"d9af27d9-8c90-4c85-a57f-f329257d9956\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AMA\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityEvent\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d002eb41-c632-429b-8504-846b69314620\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WindowsSecurityEvents\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Windows Security Events (AMA) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Security Events via Legacy Agent Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CLAA#windows-agent-based-connections)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"b2737fbc-c0e2-4584-9fba-ee7d057d7db0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecurityEvent\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityEvent\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"9a8b0649-e79b-4a30-be25-4a5486f302ee\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"SecurityEvents\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Security Events via Legacy Agent Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [DNS Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#windows-dns-server-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNS\",\"label\":\"Status\",\"type\":1,\"query\":\"DnsEvents\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"2d8731f5-c225-4a39-9914-6391b2c89ecb\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"DNS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"DNS Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Storage Accounts Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-storage-account)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4f291c03-8d98-47b6-ba82-1282322bb7a5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"StorageLogs\",\"label\":\"Status\",\"type\":1,\"query\":\"StorageBlobLogs\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"6d9cd26b-3fcd-4556-b2eb-3dcb711c4de4\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureStorageAccount\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Storage Logs Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Common Event Format (CEF) Connector](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4fcf795c-75b8-4010-bd24-1d66511ff6e8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CommonSecurityLog\",\"label\":\"Status\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"452e02e1-b0c4-4b9b-8a54-bc9295db22b9\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"CEF\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Common Event Format (CEF) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Syslog Connector](https://docs.microsoft.com/azure/sentinel/connect-syslog)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"fa63a08f-dd08-4e11-bcb6-c075a6d6c15c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Syslog\",\"label\":\"Status\",\"type\":1,\"query\":\"Syslog\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"021644a3-bd51-4b09-8117-017a89c71d58\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Syslog\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Syslog Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Amazon Web Services (AWS) Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"18ed59f0-c497-44b1-94b7-8700051cf189\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AWS\",\"label\":\"Status\",\"type\":1,\"query\":\"AWSCloudTrail\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"393c465e-4398-428b-8da2-87ac07d8a987\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AWS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Amazon Web Services (AWS) S3 Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AWSS3\",\"label\":\"Status\",\"type\":1,\"query\":\"AWSVPCFlow\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AwsS3\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) S3 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Google Cloud Platform IAM Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#google-workspace-g-suite-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"GCP\",\"label\":\"Status\",\"type\":1,\"query\":\"GCP_IAM_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"1f2ba663-dd7a-49b6-87ba-0b8adf6d2d34\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) S3 Connector - Copy\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Basic Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft 365 Defender Connector](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"M365Defender\",\"label\":\"Status\",\"type\":1,\"query\":\"AlertEvidence\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend 
Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftThreatProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft 365 Defender Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Endpoint Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-endpoint)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MDE\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"MDATP\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftDefenderAdvancedThreatProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft 365 Defender Connector - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureFirewall\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureFirewall\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Windows Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WindowsFirewall\",\"label\":\"Status\",\"type\":1,\"query\":\"WindowsFirewall\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WindowsFirewall\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Windows Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Web Application Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-web-application-firewall-waf)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureWAF\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceType in (\\\"APPLICATIONGATEWAYS\\\", \\\"FRONTDOORS\\\", \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\", \\\"PROFILES\\\")\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WAF\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Web Application Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure SQL Databases Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-sql-databases)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SQL\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where Category contains \\\"SQL\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"2d8731f5-c225-4a39-9914-6391b2c89ecb\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureSql\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"SQL Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Key Vault Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-key-vault)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureKeyVault\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceProvider == \\\"MICROSOFT.KEYVAULT\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureKeyVault\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Key Vault Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure DDoS Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-ddos-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DDoS\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceType == \\\"PUBLICIPADDRESSES\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"DDOS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure DDoS Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [VMware ESXi Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#vmware-esxi-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"VMwareESXi\",\"label\":\"Status\",\"type\":1,\"query\":\"VMwareESXi\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"[variables('blanks')]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"VMwareESXi\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"VMware ESXi Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Cloud: Continuous Export](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export?tabs=azure-portal)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecurityRecommendation\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityRecommendation\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Feature\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":\"[variables('TemplateEmptyArray')]\"}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Continuous Export Connector\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Intermediate Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Information Protection Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-information-protection-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"InformationProtectionLogs_CL\",\"type\":1,\"query\":\"InformationProtectionLogs_CL​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", 
\\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Status\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureInformationProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Information Protection Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Dynamics 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#dynamics-365)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Dynamics365Activity\",\"label\":\"Status\",\"type\":1,\"query\":\"Dynamics365Activity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Dynamics365\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Dynamics 365 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Kubernetes Service (AKS) Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-kubernetes-service-aks)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AKS\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"kube-audit\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureKubernetes\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Kubernetes Service (AKS) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Qualys Vulnerability Management Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#qualys-vulnerability-management-vm-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Qualys\",\"label\":\"Status\",\"type\":1,\"query\":\"QualysHostDetection_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":\"[variables('blanks')]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"QualysVulnerabilityManagement\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Qualys Vulnerability Management Connector\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Advanced Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Entity Behavior (UEBA)](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"BehaviorAnalytics\",\"label\":\"Status\",\"type\":1,\"query\":\"BehaviorAnalytics​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ 
==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Feature\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"EntitySearchBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":\"[variables('TemplateEmptyArray')]\"}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Entity Behavior (UEBA) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Active Directory Identity Protection Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AADIP\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert | where ProductName == \\\"Azure Active Directory Identity Protection\\\"​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActiveDirectoryIdentityProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Active Directory Identity Protection Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Threat Intelligence TAXII Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-taxii)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TAXII\",\"label\":\"Status\",\"type\":1,\"query\":\"ThreatIntelligenceIndicator | where SourceSystem !in (\\\"SecurityGraph\\\", \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\") ​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligenceTaxii\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Threat Intelligence TAXII Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Threat Intelligence Platform Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-tip)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatIntelligence\",\"label\":\"Status\",\"type\":1,\"query\":\"ThreatIntelligenceIndicator | where SourceSystem in (\\\"SecurityGraph\\\", \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\") ​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligence\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Threat Intelligence Platform Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for IoT Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-iot)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MD4IOT\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert | where ProductName == \\\"Azure Security Center for IoT\\\"​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"IoT\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Defender for IoT Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Purview: Insider Risk Management Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-purview-insider-risk-management-irm-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IRM\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProductName == \\\"Microsoft 365 Insider Risk Management\\\"​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"OfficeIRM\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Purview: Insider Risk Management Connector\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 6\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"isDCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Recommended Data Connectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Recommended Content](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog)\\r\\n---\\r\\n\\r\\nThe following content packages provide utility for regulated industries use cases.\"},\"name\":\"NS Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/sentinel-solutions\",\"linkTarget\":\"Url\",\"linkLabel\":\"About 
Microsoft Sentinel Content & Solutions\",\"style\":\"link\"},{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog\",\"linkTarget\":\"Url\",\"linkLabel\":\"Content Hub Catalog\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"40\",\"name\":\"group - 4\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"76c7831e-386d-4289-8145-486f52cba8ec\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Content Hub >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ContentHub.ReactView\",\"extensionName\":\"Microsoft_Azure_SentinelUS\",\"bladeParameters\":\"[variables('TemplateEmptyArray')]\"}}]},\"customWidth\":\"40\",\"name\":\"EL0\"}]},\"name\":\"group - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Zero Trust (TIC 3.0) Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n\\r\\n---\\r\\nThe Microsoft Sentinel Zero Trust (TIC 3.0) Solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across cloud, multi-cloud, 1st/3rd party workloads. The solution includes the new Zero Trust (TIC 3.0) Workbook, (1) Analytics Rule, and (3) Playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced with numerous Microsoft offerings.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/next-evolution-of-the-microsoft-sentinel-zero-trust-tic-3-0/ba-p/3278097\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/CxLzTRPuw-4\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ZeroTrust(TIC3.0)\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/331934iC71A9ECE39F53E71/image-size/large?v=v2&px=999)\\r\\n\\r\\n\"},\"customWidth\":\"80\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"Zero Trust Solution\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [NIST SP 800-53 Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n\\r\\n---\\r\\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with NIST SP 800-53 control requirements. This offering telemetry from 25+ Microsoft Security products (1P/3P/Multi-Cloud/Hybrid/On-Premises). 
Each NIST SP 800-53 control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-nist-sp-800-53-solution/ba-p/3381485\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/ju9hxtYnj7s\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NISTSP80053\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Workbooks/Images/NISTSP80053Black.png?raw=true)\"},\"customWidth\":\"90\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cybersecurity Maturity Model Certification (CMMC) 2.0](https://www.acq.osd.mil/cmmc/index.html)\\r\\n---\\r\\n\\r\\nThis solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/assessment/reporting, (2) Analytics rules for monitoring and (3) Playbooks for response/remediation. CMMC 2.0 is the next iteration of the Department’s CMMC cybersecurity model. 
It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-cybersecurity-maturity-model/ba-p/3295095\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/-_a5HxJgriE\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/366916iE9E6352466301203/image-size/large?v=v2&px=999)\"},\"customWidth\":\"75\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Azure Security Benchmark v3](https://docs.microsoft.com/security/benchmark/azure/)\\r\\n---\\r\\n\\r\\nEnables Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to gain situational awareness for cloud security posture and hardening. Benchmark recommendations provide a starting point for selecting specific security configuration settings and facilitate risk reduction. The Azure Security Benchmark includes a collection of high-impact security recommendations for improving posture. This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. 
Customer experience will vary by user and some panels may require additional configurations for operation.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/azure-security-benchmark-v3-workbook/ba-p/3257673\",\"linkTarget\":\"Url\",\"linkLabel\":\"Announce Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/v57gWjvcY4o\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"cc5f4830-f090-4f5e-afb2-47adba6be532\",\"cellValue\":\"https://youtu.be/qVJjwOipHDA\",\"linkTarget\":\"Url\",\"linkLabel\":\"ASC in the Field\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Workbooks/Azure%20Security%20Benchmark%20v3\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/356031i1852A90B40FA85CF/image-size/large?v=v2&px=999)\"},\"customWidth\":\"86\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsoft Insider Risk Management Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786)\\r\\n---\\r\\n\\r\\nInsider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization, including acting on cases and escalating cases to Microsoft Advanced eDiscovery. 
Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards. Insider risks come in various forms including both witting (intentional) and unwitting (unintentional). This workbook provides an automated visualization of Insider risk behavior cross walked to Microsoft security offerings.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MicrosoftPurviewInsiderRiskManagement\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/326371i9E5EA3A8269A3D54/image-size/large?v=v2&px=999)\"},\"customWidth\":\"75\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [IT/OT Threat Monitoring Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184)\\r\\n---\\r\\n\\r\\nThis solution provides the foundation for building a SOC for monitoring IoT/ OT and includes (1) workbook for visibility/reporting, (14) analytics rules for monitoring, and (4) playbooks for response. The workbook leverages Microsoft Sentinel telemetry to create visualization to understand, analyze, and respond to IoT/OT threats. Understanding alerts over time provides unprecedented insights into security posture and where teams need to focus to harden against threats. Deep links directly to Microsoft Defender for IoT alerts empower analysts to focus on remediating threats rather than pivoting between tools.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"8f7dce97-a41c-42b3-b62f-a21fbf5a1420\",\"cellValue\":\"https://youtu.be/hZS2aplJoy8\",\"linkTarget\":\"Url\",\"linkLabel\":\"YouTube Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/readme.md\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/339516iD1FE1014CDCB1E04/image-size/large?v=v2&px=999)\"},\"customWidth\":\"75\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Maturity Model for Event Log Management Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842)\\r\\n---\\r\\n\\r\\nThis solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident.\\\"Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. 
This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency.\\\" For more information, see 💡[OMB's M-21-31 Memorandum](https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/quV_80ts__k\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MaturityModelForEventLogManagementM2131\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342601i34E2E96C5959D837/image-dimensions/799x468?v=v2)\"},\"customWidth\":\"75\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Threat Analysis & Response Solution](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response)\\r\\n---\\r\\n\\r\\nThis solution enables SecOps Analysts, Threat 
Intelligence Professional, and Threat Hunters to gain situational awareness for threats in cloud environment. The Solution includes (2) Workbooks designed to enable threat hunting programs. Threat analysis provides an understanding of where the attacker is in the cycle which often drives both a historic lens of where the threat may have progressed, but also predictive analytics on the threat’s objectives. This approach is adversarial as understanding of the threat’s attack cycle drives defense actions in a red versus blue model. The Threat Analysis & Response Solution augments the customer burden of building threat hunting programs.\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ThreatAnalysis%26Response/Workbooks/Images/ThreatAnalysis%26ResponseWhite1.png?raw=true)\"},\"customWidth\":\" 100\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence Workbook](https://docs.microsoft.com/security/benchmark/azure/)\\r\\n---\\r\\n\\r\\nThe most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. 
This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions.
\\r\\n\\r\\n---\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-azure-sentinel-threat-intelligence-workbook/ba-p/2858265\",\"linkTarget\":\"Url\",\"linkLabel\":\"Workbook Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/SjEG7iVVBbI\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/ThreatIntelligence.json\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/318165iE3D0AFA0BD5DF73C/image-size/large?v=v2&px=999)\"},\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"Zero Trust Solution - Copy - Copy - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isGCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Recommended Content\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)\\r\\n---\\r\\nAzure Lighthouse helps service providers simplify customer engagement and onboarding experiences, while managing delegated resources at scale with agility and precision. Authorized users, groups, and service principals can work directly in the context of a customer subscription without having an account in that customer's Azure Active Directory (Azure AD) tenant or being a co-owner of the customer's tenant. The mechanism used to support this access is called Azure delegated resource management. 
\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"1cf637a7-121d-4722-b511-b0c460625e31\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Access Azure Lighthouse\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"LighthouseBlade\",\"extensionName\":\"Microsoft_Azure_CustomerHub\",\"bladeParameters\":\"[variables('TemplateEmptyArray')]\"}}]},\"customWidth\":\"50\",\"name\":\"links - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"managedservicesresources\\r\\n| where type == \\\"microsoft.managedservices/registrationassignments\\\"\\r\\n| where properties.provisioningState == \\\"Succeeded\\\"\\r\\n| extend ManageeTenantName = properties.registrationDefinition.properties.manageeTenantName\\r\\n| extend ManagedByTenantName = properties.registrationDefinition.properties.managedByTenantName\\r\\n| extend ManagedByTenantId = properties.registrationDefinition.properties.managedByTenantId\\r\\n| extend ManageeTenantId = tostring(properties.registrationDefinition.properties.manageeTenantId)\\r\\n| extend PermanentAccess = properties.registrationDefinition.properties.authorizations\\r\\n| extend JITAccess = properties.registrationDefinition.properties.eligibleAuthorizations\\r\\n| extend AddedDate = properties.registrationDefinition.systemData.createdAt\\r\\n| extend CreatedBy = systemData.createdBy\\r\\n| project ManageeTenantName, ManageeTenantId, ManagedByTenantName, ManagedByTenantId, AddedDate, CreatedBy\",\"size\":1,\"showAnalytics\":true,\"title\":\"Azure Lighthouse Delegations\",\"noDataMessage\":\"No Azure Lighthouse Delegations/Customers 
Detected\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ManageeTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Download\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManageeTenantId\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"ManagedByTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Upload\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManagedByTenantId\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"AddedDate\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Clock\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"CreatedBy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"PermanentAccess\",\"formatter\":1},{\"columnMatch\":\"JITAccess\",\"formatter\":1}],\"filter\":true}},\"name\":\"query - 21 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAzureLighthouseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 21\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Universal Security 
Capabilities](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\n---\\r\\nUniversal capabilities are enterprise-level capabilities that outline guiding principles for TIC use cases. Universal capabilities are selected to be broadly applicable; the same list of capabilities apply to every use case. However, certain use cases may provide unique guidance on specific capabilities where necessary. Agencies have significant discretion regarding how to meet the individual security capability requirements and address their particular needs. Agencies are free to determine the level of rigor necessary for applying universal capabilities based on federal guidelines and risk tolerance. While it is expected that agencies may often be able to employ a common solution to fulfill multiple roles or serve multiple purposes, the selection of an appropriate set of solutions is left to each agency.\"},\"customWidth\":\"40\",\"name\":\"text - 105\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 105\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Backup and Recovery\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Backup\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Central Log Management with Analysis\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Central\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Configuration Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Configuration\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Response Plan and Incident Handling\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Incident\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Inventory\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Inventory\\\\\\\" },\\\\r\\\\n\\\\t{ 
\\\\\\\"Control\\\\\\\": \\\\\\\"Least Privilege\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Least\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Secure Administration\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Secure\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Strong Authentication\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Strong\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Time Synchronization\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Time\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Vulnerability Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Vulnerability\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"2adea420-fa6e-4073-8a78-1aeada742e2c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isBackupVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Backup\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCentralVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Central\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeConte
xt\":{\"durationMs\":86400000},\"id\":\"04e846bb-6bca-4981-863b-76f4e8ea5667\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isConfigurationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Configuration\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"7498b0e3-e4dd-44c9-868d-d5baef71ba17\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIncidentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Incident\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"7010b3e9-27e4-40b0-8d4b-fdd05f940d92\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isInventoryVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Inventory\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c9285caf-952f-458a-ac89-3fdb2871151f\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isLeastVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Least\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"ope
rator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"356132e1-e5e8-4fd4-8a56-95bd91bc9470\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSecureVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Secure\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"8d5eb913-9e91-4f61-930b-26335aaad1cf\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isStrongVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Strong\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"232d115f-5a82-4a70-aa2d-12fb00993230\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isTimeVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Time\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"da3d19be-b7ed-4449-83ea-c9a001f54315\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isVulnerabilityVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal
\":\"Vulnerability\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"5e32dd42-2359-4ed6-a5e9-303873a50442\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Patch Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Patch\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Auditing and Accounting\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Auditing\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Resilience\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Resilience\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Enterprise Threat Intelligence\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Enterprise\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Situational Awareness\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Situational\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Dynamic Threat Discovery\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Dynamic\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Policy Enforcement Parity\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Policy\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Effective Use of Shared Services\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Effective\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Integrated Desktop, Mobile, and Remote Policies\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Integrated\\\\\\\" 
}\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"2dc83cdc-c5e9-4ea7-a986-0294effc2e8e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPatchVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Patch\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAuditingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Auditing\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"be23e804-75f9-486d-8478-8af0ed3b0b6d\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isResilienceVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Resilience\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"41d2063e-0f2b-47dc-9c7c-2cdcdafb80ec\"
},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEnterpriseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Enterprise\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b2752897-08eb-4f06-adae-d7e0b278acef\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSituationalVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Situational\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"0531d0e3-8eb9-4c7f-bedb-d29aed642c1b\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDynamicVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Dynamic\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ee837eb2-25bb-4a51-bdd7-5d58640fb780\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPolicyVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Policy\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"re
sultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"683d9906-de4f-400f-b92e-8f6d5f346db7\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEffectiveVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Effective\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"6e5570df-f9fa-4ce9-b79c-74068100c9c6\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIntegratedVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Integrated\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e7db70e6-eafa-4cb0-ac08-58719fad7c33\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Backup and Recovery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nKeeping copies of configuration and data, as needed, to allow for the quick restoration of service in the event of malicious incidents, system failures, or corruption.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 
[SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Backup](https://azure.microsoft.com/services/backup/)\\r\\n\\r\\n### Implementation \\r\\n💡 [What is the Azure Backup Service?](https://docs.microsoft.com/azure/backup/backup-overview)
\\r\\n💡 [Review Your Security Recommendations](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Configure Recovery Service Vaults](https://docs.microsoft.com/azure/backup/backup-azure-recovery-services-vault-overview)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Backup Vaults](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Overview)
\\r\\n🔀 [Recovery Services Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.RecoveryServices%2Fvaults)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.BE, PR.IP, PR.DS, RS.MI, RC.RP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"back\\\" or RecommendationDisplayName contains \\\"recover\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"recover\\\" or type contains \\\"restore\\\" or type contains \\\"back\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Backup & Recovery Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"restore\\\" or Description contains \\\"recover\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"restore\\\" or Description contains \\\"recover\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"restore\\\" or Description contains \\\"recover\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isBackupVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Backup and Recovery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Central Log Management & Analysis](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCollecting, storing, and analyzing telemetry, where the collection and storage are designed to facilitate data fusion and the security analysis aids in discovery and response to malicious activity.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) 🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Create Diagnostic Settings to Send Platform Logs and Metrics to Different Destinations](https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [What is Azure Lighthouse?](https://docs.microsoft.com/azure/lighthouse/overview)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n🔀 [Azure Lighthouse](https://portal.azure.com/#blade/Microsoft_Azure_CustomerHub/LighthouseBlade)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.PT, DE.AE, RS.AN](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"log\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type == \\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Logging Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource=_TableName *\\r\\n| summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff(\\\"second\\\",now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable==true) by _TableName, _IsBillable\\r\\n| project ['Table Name'] = _TableName, ['Table Size'] = Size, ['Table Entries'] = Entries,\\r\\n ['Size per Entry'] = 1.0 * Size / Entries, ['IsBillable'] = _IsBillable\\r\\n| order by ['Table Size'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Table Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Table Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Table Size\",\"formatter\":8,\"formatOptions\":{\"palette\":\"purple\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Table Entries\",\"formatter\":8,\"formatOptions\":{\"palette\":\"turquoise\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Size per Entry\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"IsBillable\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Important\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_IsBillable_4\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_IsBillable_4\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}}
,\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isCentralVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Central Log Management with Analysis\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Configuration Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nImplementing a formal plan for documenting, managing changes to the environment, and monitoring for deviations, preferably automated.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Enable Change Tracking and Inventory From an Automation Account](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-automation-account)
\\r\\n💡 [Ensure Your Endpoints Are Configured Properly](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines)
\\r\\n💡 [Secure Score in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/secure-score-security-controls)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.BE, PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"config\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"config\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"config\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"config\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / 
todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"He
althy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| summarize count() by OperationName\\r\\n| where OperationName <> \\\"Other\\\"\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Audit Logs\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",
\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isConfigurationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Configuration Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Response Plan and Incident Handling](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDocumenting and implementing a set of instructions, procedures, or technical capabilities to sense and detect, respond to, limit consequences of malicious cyber attacks, and restore the integrity of the network and associated systems.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Quickstart: Tutorial: Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/tutorial-investigate-cases)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.GV, ID.RA, PR.IP, DE.DP, DE.AE, RS.RP, RS.CO, RS.AN, RS.MI](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of 
Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Security Incidents\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"High\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"High\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"[variables('blanks')]\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIs
ContextBlade\":true,\"customColumnWidthSetting\":\"70%\"}}]},\"sortBy\":\"[variables('TemplateEmptyArray')]\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"Medium\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"Medium \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"[variables('blanks')]\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70%\"}}]},\"sortBy\":\"[variables('TemplateEmptyArray')]\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"orange\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"Low\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"Low\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To 
Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"[variables('blanks')]\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70%\"}}]},\"sortBy\":\"[variables('TemplateEmptyArray')]\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"yellow\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize 
arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where dayofyear(TimeGenerated) == dayofyear(now())\\n| summarize count()\\n\\n\\n\",\"size\":4,\"title\":\"New Today\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"[variables('blanks')]\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70%\"}}]},\"sortBy\":\"[variables('TemplateEmptyArray')]\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"blueDark\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBo
rder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10\"}]},\"customWidth\":\"50\",\"name\":\"Incidents\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber\\r\\n| where Status == \\\"Closed\\\"\\r\\n| extend TimeToRespond = (CreatedTime - FirstActivityTime)/1h \\r\\n| extend TimeToResolve = (ClosedTime - CreatedTime)/1h\\r\\n| extend AssignedAnalyst = tostring(Owner.assignedTo)\\r\\n| extend [\\\"MITRE ATT&CK Tactics\\\"] = tostring(parse_json(tostring(AdditionalData.tactics))[0])\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| project IncidentName=Title, IncidentNumber, Severity, IncidentUrl, [\\\"MITRE ATT&CK Tactics\\\"], AssignedAnalyst, Classification, ClassificationComment, ClassificationReason, Description, TimeToRespond, TimeToResolve, IncidentStartTime=CreatedTime, IncidentClosedTime=ClosedTime, IncidentBlade\\r\\n| sort by IncidentClosedTime desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Closure Reports\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"TimeToRespond\",\"formatter\":0,\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"TimeToResolve\",\"formatter\":0,\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"sortBy\":\"[variables('TemplateEmptyArray')]\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 9 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIncidentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Incident Response Plan and Incident Handling\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Inventory](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDeveloping, documenting, and maintaining a current inventory of all systems, networks, and components so that only authorized endpoints are given access, and unauthorized and un-managed endpoints are found and prevented from gaining access.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure 
Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [DeviceRegistryEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceregistryevents) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Explore and Manage Your Resources With Asset Inventory](https://docs.microsoft.com/azure/security-center/asset-inventory)
\\r\\n💡 [View Installed Software](https://docs.microsoft.com/azure/automation/automation-tutorial-installed-software#view-installed-software)
\\r\\n💡 [What is Azure Resource Graph?](https://docs.microsoft.com/azure/governance/resource-graph/overview)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Resource Graph Explorer](https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade)
\\r\\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"Implemented\"},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"04JUL76\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"Asset Inventory Implemented, Plan of Action & Milestones Documented, System Security Plan (SSP) Updated\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| extend Azure_Inventory=location\\r\\n| extend M365_Inventory=strcat(\\\"https://security.microsoft.com/machines\\\")\\r\\n| project AssetID=id,AssetType=type, Azure_Inventory, M365_Inventory\\r\\n| sort by AssetType desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Asset Inventory\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"where type contains \\\"microsoft\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by location\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"location\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by type\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Asset Count by Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"ResourceFlat\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 8\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| summarize count() by ResourceDisplayName\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Application Inventory & Access\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceRegistryEvents \\r\\n| summarize arg_max(TimeGenerated, *) by InitiatingProcessFileName, DeviceName\\r\\n| summarize count() by InitiatingProcessFileName\\r\\n| where InitiatingProcessFileName <> \\\"\\\"\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Software 
Inventory by Initiating Process\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3 - 
Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isInventoryVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Inventory\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Least Privilege](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDesigning the security architecture such that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Administrator roles by admin task in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/roles/delegate-by-task)
\\r\\n💡 [Overview of role-based access control in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/roles/custom-overview)
\\r\\n💡 [Azure Active Directory Sign-In Activity](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-all-sign-ins)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.IP, PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"identity\\\" or RecommendationDisplayName contains \\\"privilege\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Valid Accounts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. 
Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"sortBy\":\"[variables('TemplateEmptyArray')]\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityInfo\\r\\n| extend GroupMemberships = strcat(GroupMembership)\\r\\n| extend AssignedRoles_ = strcat(AssignedRoles)\\r\\n| extend UserPrincipalName = MailAddress\\r\\n| where MailAddress <> \\\"\\\"\\r\\n| distinct UserPrincipalName, 
GroupMemberships, AssignedRoles_\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Assigned Roles & Group Memberships\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isLeastVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Least Privilege\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Secure Administration](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nPerforming administrative tasks in a secure manner, using secure protocols.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 
[SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Delegate Administration in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/roles/concept-delegation)
\\r\\n💡 [Start Using Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started#)
 \\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"admin\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"admin\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"admin\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"admin\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / 
todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"He
althy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where OperationName contains \\\"PIM\\\"\\r\\n| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\r\\n| distinct OperationName, Identity, AADOperationType, InitiatedBy, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Privileged Identity Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Identity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InitiatedBy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"PersonWithFriend\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence
\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_InitiatedBy_3\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_InitiatedBy_3\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSecureVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Secure Administration\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Strong Authentication](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nVerifying the identity of users, endpoints, or other entities through rigorous means (e.g. multi-factor authentication) before granting access.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Plan an Azure AD Multi-Factor Authentication Deployment](https://docs.microsoft.com/azure/active-directory/authentication/howto)
\\r\\n💡 [How it works: Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks)
\\r\\n💡 [Remediate recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-remediate-recommendations)
\\r\\n💡 [SecretManagement and Accessing Linux VMs in Azure](https://techcommunity.microsoft.com/t5/itops-talk-blog/secretmanagement-and-accessing-linux-vms-in-azure/ba-p/2278735)
\\r\\n💡 [Eliminate Password-Based Attacks on Azure Linux VMs](https://techcommunity.microsoft.com/t5/azure-security-center/eliminate-password-based-attacks-on-azure-linux-vms/ba-p/2271139)
\\r\\n💡 [Quickstart: Create a Key Vault Using the Azure Portal](https://techcommunity.microsoft.com/t5/itops-talk-blog/secretmanagement-and-accessing-linux-vms-in-azure/ba-p/2278735)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"authentication\\\" or RecommendationDisplayName contains \\\"JIT\\\" or RecommendationDisplayName contains \\\"password\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\" or Description contains \\\"password\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\" or Description contains \\\"password\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\" or Description contains \\\"password\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = 
countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationSt
ate\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Title contains \\\"auth\\\" or Title contains \\\"password\\\" or Title contains \\\"login\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Authentication Attacks\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isStrongVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\" Strong Authentication\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Time 
Synchronization](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCoordinating clocks on all systems (e.g. servers, workstations, network endpoints) to enable accurate comparison of timestamps between systems.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Time Sync for Windows VMs in Azure](https://docs.microsoft.com/azure/virtual-machines/windows/time-sync)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Portal](https://portal.azure.com/)
\\r\\n🔀 [Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Time Synchronization\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"time\\\" or Description contains \\\"sync\\\" or Description contains \\\"ntp\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"time\\\" or Description contains \\\"sync\\\" or Description contains \\\"ntp\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"time\\\" or Description contains \\\"sync\\\" or Description contains \\\"ntp\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description !contains \\\"runtime\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isTimeVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Time 
Synchronization\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Vulnerability Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nProactively working to discover vulnerabilities, including the use of both active and passive means of discovery, and taking action to mitigate discovered vulnerabilities.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Secure Score in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/secure-score-security-controls)
\\r\\n💡 [Microsoft Defender for Cloud's Integrated Vulnerability Assessment Solution for Azure and Hybrid Machine](https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment)
\\r\\n💡 [Threat and Vulnerability Management Walk-Through](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft 365 Defender: Threat & Vulnerability Management](https://security.microsoft.com/tvm_dashboard)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, PR.IP, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"vuln\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| where CceId <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by ResourceId, CceId\\r\\n|project CceId, RuleSeverity, Description, ResourceId\\r\\n|limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Vulnerability Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CceId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RuleSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Resource\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| where CceId <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by Resource, CceId\\r\\n| summarize count() by ResourceId\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Vulnerability Count by Asset\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Resource\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"CceId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RuleSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isVulnerabilityVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Vulnerability Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Patch Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentifying, acquiring, installing, and verifying patches for products and systems.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender 
for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Update Management Overview](https://docs.microsoft.com/azure/automation/update-management/overview)
\\r\\n💡 [Enable Update Management From the Azure Portal](https://docs.microsoft.com/azure/automation/update-management/enable-from-portal)
\\r\\n💡 [Handling Planned Maintenance Notifications Using the Azure Portal](https://docs.microsoft.com/azure/virtual-machines/maintenance-notifications-portal)
\\r\\n💡 [Managing Platform Updates with Maintenance Control](https://docs.microsoft.com/azure/virtual-machines/maintenance-control?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json)
\\r\\n💡 [Scheduling Maintenance Updates with Maintenance Control and Azure Functions](https://github.com/Azure/azure-docs-powershell-samples/tree/master/maintenance-auto-scheduler)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"update\\\" or RecommendationDisplayName contains \\\"upgrade\\\" or RecommendationDisplayName contains \\\"version\\\" or RecommendationDisplayName contains \\\"patch\\\" or RecommendationDisplayName contains \\\"java\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isPatchVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Patch Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Auditing and Accounting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCapturing business records, including logs and other telemetry, and making them available for auditing and accounting as required. 
Design of the auditing system should take insider threat into consideration, including separation of duties violation tracking, such that insider abuse or misuse can be detected.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Create Diagnostic Settings to Send Platform Logs and Metrics to Different Destinations](https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings)
\\r\\n💡 [Tutorial: Grant a User Access to Azure Resources Using the Azure Portal](https://docs.microsoft.com/azure/role-based-access-control/quickstart-assign-role-user-portal)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Auditing Microsoft Sentinel Activities](https://techcommunity.microsoft.com/t5/azure-sentinel/auditing-azure-sentinel-activities/ba-p/1718328)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST CSF Mapping\\r\\n[ID.SC, PR.AC, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"audit\\\" or RecommendationDisplayName contains \\\"account\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"audit\\\" or Description contains \\\"log\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"audit\\\" or Description contains \\\"log\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"audit\\\" or Description contains \\\"log\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or 
AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\
"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Usage\\r\\n| summarize count() by DataType\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Events by Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"rowLimit\":100}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAuditingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Auditing and 
Accounting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Resilience](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEnsuring that systems, services, and protections maintain acceptable performance under adverse conditions.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) 🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure DDoS Protection]( https://azure.microsoft.com/services/ddos-protection/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DDoS Protection Plans](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FddosProtectionPlans)
\\r\\n🔀 [Availability Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FavailabilitySets)
\\r\\n🔀 [Load Balancing](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔀 [Virtual Machine Scale Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FvirtualMachineScaleSets)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure DDoS Protection Standard Overview](https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview)
\\r\\n💡 [Building Solutions for High Availability Using Availability Zones](https://docs.microsoft.com/azure/architecture/high-availability/building-solutions-for-high-availability)
 \\r\\n💡 [Azure Infrastructure Availability](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-availability)
 \\r\\n💡 [What is Azure Load Balancer?](https://docs.microsoft.com/azure/load-balancer/load-balancer-overview)
\\r\\n💡 [What are virtual machine scale sets?](https://docs.microsoft.com/azure/virtual-machine-scale-sets/overview)
 \\r\\n\\r\\n### NIST CSF Mapping\\r\\n[ID.BE, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"balance\\\" or RecommendationDisplayName contains \\\"denial\\\" or RecommendationDisplayName contains \\\"recover\\\" or RecommendationDisplayName contains \\\"back\\\" or RecommendationDisplayName contains \\\"scale\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where 
type contains \\\"dos\\\"or type contains \\\"balance\\\" or type contains \\\"recover\\\" or type contains \\\"back\\\" or type contains \\\"scale\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Resilience Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"DDoSMitigationReports\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| extend TopAttackVector = tostring(parse_json(AttackVectors_s)[0]) \\r\\n| extend Total_packets_ = tostring(parse_json(TrafficOverview_s).Total_packets) \\r\\n| extend Total_packets_dropped_ = todouble(parse_json(TrafficOverview_s).Total_packets_dropped)\\r\\n| extend TotalPackets =todouble(Total_packets_)\\r\\n| where TotalPackets > 0\\r\\n| where TopAttackVector <> \\\"\\\"\\r\\n| project TopAttackVector, TotalPackets, TotalPacketsDropped = Total_packets_dropped_ , ResourceId , SourceIP=IPAddress, Resource, TimeGenerated\\r\\n| sort by TotalPacketsDropped desc\\r\\n| limit 100\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Denial of Service Attacks Observed\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"IPAddress\",\"parameterName\":\"IPAddress\",\"parameterType\":1},{\"fieldName\":\"ResourceId\",\"parameterName\":\"ResourceId\",\"parameterType\":1,\"defaultValue\":\"ResourceId\"},{\"fieldName\":\"Resource\",\"parameterName\":\"AttackReport\",\"parameterType\":1,\"defaultValue\":\"/\"}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TopAttackVector\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"TotalPackets\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"TotalPacketsDropped\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Resource\",\"formatter\":5},{\"columnMatch\":\"Total_packets_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Total_packets_dropped_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"subtitleContent\":{\"columnMatch\":\"TopAttackVector\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Resource\"},\"rightContent\":{\"columnMatch\":\"TimeGenerated\"},\"sh
owBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"50\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isResilienceVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Resilience\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Enterprise Threat Intelligence](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nObtaining threat intelligence from private and government sources and implementing mitigation for the identified risks.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [ThreatIntelligenceIndicator](https://docs.microsoft.com/azure/azure-monitor/reference/tables/threatintelligenceindicator) 🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) 🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Connect Data from Threat Intelligence Providers](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n💡 [Microsoft Security Intelligence Portal](https://www.microsoft.com/wdsi)
\\r\\n💡 [Microsoft Graph Security tiIndicators API](https://docs.microsoft.com/graph/api/resources/tiindicator)
\\r\\n💡 [MSTIC Jupyter and Python Security Tools](https://github.com/Microsoft/msticpy)
\\r\\n💡 [Use Jupyter Notebook to Hunt for Security Threats](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender Security Intelligence Portal](https://microsoft.com/wdsi)
\\r\\n🔀 [MSTICpy](https://github.com/Microsoft/msticpy)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cyber Threat Intelligence Indicator Counts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"intel\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Threat Intelligence\",\"noDataMessage\":\"An Empty 
Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where Tactics <> \\\"\\\"\\r\\n| where Tactics <> \\\"Unknown\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n| summarize count() by Tactics\\r\\n| sort by 
count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alerts by MITRE ATT&CK Tactics Observed\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Tactics\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Enterprise Threat Intelligence\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Situational Awareness](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMaintaining effective awareness, both current and historical, across all components.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Get Visibility Into Alerts](https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, ID.RA, PR.DS, PR.IP, DE.AE, DE.CM, DE.DP, RS.CO](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where isnotempty(ProviderName)\\r\\n| summarize count() by ProductName\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alerts By Product\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where isnotempty(ProviderName)\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by ProductName\\r\\n| render timechart \\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alerts Over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement 
Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSituationalVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Situational Awareness\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Dynamic Threat Discovery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nUsing dynamic approaches (e.g. heuristics, baselining, etc.) to discover new malicious activity\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [BehaviorAnalytics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/behavioranalytics) 🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Advanced Multistage Attack Detection in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/fusion)
\\r\\n💡 [Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)
\\r\\n💡 [Heuristic Detections in Microsoft Defender for Cloud](https://azure.microsoft.com/blog/heuristic-dns-detections-in-azure-security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"defender\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AnomalousSigninActivity = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\\r\\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\\r\\n or ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\\r\\n | join (\\r\\n SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \\\"none\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous 
Successful Logon\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indication from AAD\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', '158c047a-c907-4556-b7ef-446551a6b5f7', '62e90394-69f5-4237-9190-012177145e10', 'd29b2b05-8046-44ba-8758-1e26182fcf32', '729827e3-9c14-49f7-bb1b-9608f156bbb8', '966707d0-3269-4727-9be2-8c3a10f19b9d', '194ae4cb-b126-40b2-bd5b-6091b380977d', 'fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c', '7495fdc4-34c4-4d15-a289-98788ce399fd', 'aaf43236-0c0d-4d5f-883a-6955382ac081', '3edaf663-341e-4475-9f94-5c398ef6c070', '7698a772-787b-4ac8-901f-60d6b08affd2', 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', '9f06204d-73c1-4d4c-880a-6edb90606fd8', '29232cdf-9323-42fd-ade2-1d097af3e4de', 'be2f45a1-457d-42af-a067-6ec1fa63bc45', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13', 'e8611ab8-c189-46e8-94e1-60213ab1f814']);//\\r\\nlet AnomalousRoleAssignment = AuditLogs\\r\\n | where TimeGenerated > ago(28d)\\r\\n | where OperationName == \\\"Add member to role\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | 
extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner (\\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Add member to role\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend AnomalyName = \\\"Anomalous Role Assignment\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to privileged role, or ones that add users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let LogOns=materialize(\\r\\n BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\");\\r\\nlet AnomalousResourceAccess = LogOns\\r\\n | where ActionType == \\\"ResourceAccess\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous Resource Access\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversary may be trying to move through the environment. 
APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousRDPActivity = LogOns\\r\\n | where ActionType == \\\"RemoteInteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous RDP Activity\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. 
The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousLogintoDevices = LogOns\\r\\n | where ActionType == \\\"InteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\\r\\n | extend AnomalyName = \\\"Anomalous Login To Devices\\\",\\r\\n Tactic = \\\"Privilege Escalation\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. 
The query below generates an output of all administrator users performing an interactive logon (4624:2) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousPasswordReset = BehaviorAnalytics\\r\\n | where ActionType == \\\"Reset user password\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == \\\"True\\\"\\r\\n | join (\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Reset user password\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Password Reset\\\",\\r\\n Tactic = \\\"Impact\\\",\\r\\n Technique = \\\"Account Access Removal\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\\r\\n | join (\\r\\n SigninLogs\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Initial Access\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousFailedLogon = BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\"\\r\\n | join (\\r\\n SigninLogs \\r\\n | where Status.errorCode == 50126\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Failed Logon\\\",\\r\\n Tactic = \\\"Credential Access\\\",\\r\\n Technique = \\\"Brute Force\\\",\\r\\n SubTechnique = \\\"Password Guessing\\\",\\r\\n Description = \\\"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousAADAccountManipulation = AuditLogs\\r\\n | where OperationName == \\\"Update user\\\"\\r\\n | mv-expand AdditionalDetails\\r\\n | where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner ( \\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Update user\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName) \\r\\n | extend AnomalyName = \\\"Anomalous Account Manipulation\\\",\\r\\n Tactic = 
\\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to privileged role, or ones that changed users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\\r\\n | where ActionType == \\\"Add user\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\\r\\n | join(\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Add user\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend DisplayName = tostring(UsersInsights.AccountDisplayName),\\r\\n UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", 
tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Account Creation\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Create Account\\\",\\r\\n SubTechnique = \\\"Cloud Account\\\",\\r\\n Description = \\\"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\\\"\\t\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\\r\\nlet TopUsersByAnomalies = AnomalyTable\\r\\n | summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\\r\\n | project Name=tolower(UserName), UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\\r\\n | sort by AnomalyCount desc;\\r\\nlet TopUsersByIncidents = SecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | where Status == \\\"New\\\" or Status == \\\"Active\\\"\\r\\n | mv-expand AlertIds\\r\\n | extend 
AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"])\\r\\n | extend UPN = iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n | union TopUsersByAnomalies\\r\\n | extend \\r\\n AadPivot = iff(isempty(AadUserId), iff(isempty(Sid), Name, Sid), AadUserId),\\r\\n SidPivot = iff(isempty(Sid), iff(isempty(AadUserId), Name, AadUserId), Sid),\\r\\n UPNExists = iff(isempty(UPN), false, true),\\r\\n NameExists = iff(isempty(Name), false, true),\\r\\n SidExists = iff(isempty(Sid), false, true),\\r\\n AADExists = iff(isempty(AadUserId), false, true)\\r\\n | summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber, 4), AlertCount=dcountif(AlertId, isnotempty(AlertId), 4), AnomalyCount=sum(AnomalyCount), any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true), NameAnchor=anyif(Name, NameExists == true), AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true), any(SidPivot) by AadPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false), 
AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title, any_Severity, any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity, any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\\r\\n | project [\\\"UserName\\\"]=NameAnchor, IncidentCount, AlertCount, AnomalyCount, [\\\"AadUserId\\\"]=AadAnchor, [\\\"OnPremSid\\\"]=SidAnchor, [\\\"UserPrincipalName\\\"]=UPNAnchor;\\r\\nTopUsersByIncidents\\r\\n| where UserPrincipalName !contains \\\"[\\\"\\r\\n| where UserPrincipalName <> \\\"\\\"\\r\\n| project UserPrincipalName, IncidentCount, AlertCount, AnomalyCount\\r\\n| sort by AlertCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Entity Behavior Analytics Alerts\",\"noDataMessage\":\"There are no results within the selected thresholds (time, workspace, subscription). 
See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}],\"filter\":true},\"sortBy\":\"[variables('TemplateEmptyArray')]\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"blu
eDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"fusion\\\" or Title contains \\\"dynamic\\\" or Title contains \\\"anomal\\\" or Title contains \\\"behavior\\\" or Title contains \\\"learning\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Dynamic Threat Discovery\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDynamicVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Dynamic Threat Discovery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Policy Enforcement Parity](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nConsistently applying security protections and other policies, independent of the communication mechanism, forwarding path, or endpoints used.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 
[SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is Azure Policy?](https://docs.microsoft.com/azure/governance/policy/overview)
\\r\\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on 
Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]
\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPolicyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Policy Enforcement Parity\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Effective Use of Shared Services](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEmploying shared services, where applicable, that can be individually tailored, measured to independently validate service conformance, and offer effective protections for tenants against malicious actors, both external as well as internal to the service provider.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Get Started with Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)
\\r\\n💡 [Customer Lockbox for Microsoft Azure](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview)
\\r\\n💡 [What are External Identities in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/external-identities/compare-with-b2c)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Lighthouse](https://portal.azure.com/#blade/Microsoft_Azure_CustomerHub/LighthouseBlade)
\\r\\n🔀 [Customer Lockbox for Microsoft Azure](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, ID.GV, ID.RM, ID.SC, PR.AT, RS.CO](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"guest\\\" or RecommendationDisplayName contains \\\"shared\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| where UserType == \\\"Guest\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, UserType, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, UserType, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Guest Accounts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"sortBy\":\"[variables('TemplateEmptyArray')]\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"shared\\\" or Description 
contains \\\"guest\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"shared\\\" or Description contains \\\"guest\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"shared\\\" or Description contains \\\"guest\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description !contains \\\"not shared\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEffectiveVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Effective Use of Shared 
Services\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Integrated Desktop, Mobile, and Remote Policies](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDefining polices such that they apply to a given agency entity no matter its location.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\\r\\n💡 [What are Common Ways to Use Conditional Access with Intune?](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)
 \\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://devicemanagement.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| extend DeviceOS = tostring(DeviceDetail.operatingSystem)\\r\\n| summarize count() by DeviceOS\\r\\n| where DeviceOS <> \\\"\\\"\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Application by Operating System\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConditionalAccessPolicy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":tru
e,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sign-Ins By Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"Location\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| mv-expand ConditionalAccessPolicies\\r\\n| extend ConditionalAccessPolicy = tostring(ConditionalAccessPolicies.displayName)\\r\\n| summarize count() by ConditionalAccessPolicy\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Conditional Access Policies\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConditionalAccessPolicy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntegratedVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Integrated Desktop, Mobile, and Remote Policies\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UniversalSecurityCapabilities\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Files](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nFile-based protections including anti-malware, malicious code removal, content disarm & reconstruction, and detonation chambers.\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Files Capabilities Overview\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 
106\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Anti-Malware\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Malware\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Content Disarm & Reconstruction\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Content\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Detonation Chamber\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Detonation\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMalwareVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Malware\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isContentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Content\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false
\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"1f176b0f-1f2f-4e12-afb0-3f10c834ef24\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDetonationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Detonation\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b17f2902-5d29-45b2-8712-bff5b7dd1487\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"793ffbca-13bc-4fac-9535-048cbd9efc54\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-Malware](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-malware protections detect the presence of malicious code and facilitate its quarantine or removal.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)\\r\\n ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/azure-defender/)\\r\\n✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) ✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft Antimalware Extension for Windows](https://docs.microsoft.com/azure/virtual-machines/extensions/iaas-antimalware-windows)
\\r\\n💡 [Microsoft Antimalware for Azure Cloud Services and Virtual Machines](https://docs.microsoft.com/azure/security/fundamentals/antimalware)
\\r\\n💡 [Microsoft Defender for Cloud Apps: Malware Detection](https://docs.microsoft.com/cloud-app-security/anomaly-detection-policy#malware-detection)
\\r\\n💡 [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Defender for Identity](https://portal.atp.azure.com/)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.PT, DE.CM, DE.DP, RS.MI](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"endpoint protection\\\" or RecommendationDisplayName contains \\\"malware\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"malware\\\" or Title contains \\\"malware\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Malware\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where AlertName contains \\\"mal\\\"\\r\\n| summarize count() by ProductName\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Malware Detected by Product\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isMalwareVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-Malware\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Content Disarm & Reconstruction](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nContent disarm and reconstruction technology detects the presence of unapproved active content and facilitates its removal.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [EmailAttachmentInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailattachmentinfo) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)\\r\\n\\r\\n### Implementation \\r\\n💡 [Setup Safe Attachments Policies in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/set-up-atp-safe-attachments-policies)
\\r\\n💡 [Threat and Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
\\r\\n💡 [Microsoft Defender Application Guard overview](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)
\\r\\n💡 [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"exploit\\\" or Title contains \\\"exploit\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Exploits\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailAttachmentInfo\\r\\n| extend Detection = strcat(DetectionMethods)\\r\\n| where ThreatTypes <> \\\"\\\"\\r\\n| project RecipientEmailAddress, FileName, ThreatTypes, ThreatNames, Detection, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Safe Attachments: Attachment Mitigation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isContentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Content Disarm & Reconstruction\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Detonation Chamber](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDetonation chambers facilitate the detection of malicious code through the use of protected and isolated execution environments to analyze the 
files.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Submit File for Deep Analysis](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts#submit-files-for-deep-analysis)
\\r\\n💡 [Using the Built-in URL Detonation in Microsoft Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/using-the-new-built-in-url-detonation-in-azure-sentinel/ba-p/996229)
\\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n💡 [Safe Attachments in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-attachments)
\\r\\n💡 [Microsoft Defender Application Guard overview](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)
\\r\\n💡 [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy)
\\r\\n\\r\\n### Microsoft Portals \\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.CM, DE.DP, RS.AN, RS.MI](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"detonation\\\" or Title contains \\\"detonation\\\" or Description contains \\\"sand\\\" or Title contains \\\"sand\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Detonation\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| where DetectionMethods <>\\\"\\\"\\r\\n| project RecipientEmailAddress, DeliveryAction, DeliveryLocation, EmailDirection, EmailAction, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Email Detonation: SafeLinks, SafeAttachments, SafeFiles\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DeliveryAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EmailDirection\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Outbound\",\"representation\":\"right\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"left\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EmailAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DetectionMethods\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\
"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDetonationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Detonation Chamber\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n💡 [Hunt for Threats with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/hunting)
\\r\\n💡 [Learn about Microsoft 365 Endpoint Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)
\\r\\n💡 [Configure and View Alerts for DLP Polices](https://docs.microsoft.com/microsoft-365/compliance/dlp-configure-view-alerts-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Description contains \\\"data\\\" or Title contains \\\"data\\\" or Description contains \\\"loss\\\" or Title contains \\\"loss\\\" or Description contains \\\"exfil\\\" or Title contains \\\"exfil\\\" or Tactics contains \\\"exfil\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Data Loss\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| project UserId_s, LabelName_s, Operation_s, Activity_s, IPv4_s, ProtectionOwner_s, ApplicationName_s, ProcessName_s, Platform_s, ContentId_g, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Scan/Monitor for Sensitive Data with Azure Information Protection\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident >\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\
":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| extend UserPrincipalName = UserId_s_s\\r\\n| where LabelName_s <> \\\"\\\"\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend State = tostring(LocationDetails.state)\\r\\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Sensitive Data Access by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"fo
rmatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}]},\"sortBy\":\"[variables('TemplateEmptyArray')]\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"yellow\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 12\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"FilesGroup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Email](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nEmail-based protections including anti-phishing, anti-spam, authenticated received chain, data loss prevention, DMARC for incoming/outgoing mail, email encryption, and malicious URL 
protections.\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Email Capabilities Help\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 107\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Anti-Phishing Protections\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Phishing\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Anti-Spam Protections\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Spam\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Authenticated Received Chain\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Authenticated\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DMARC for Incoming Email\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Incoming\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPhishingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Phishing\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSpamVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Spam\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"5e162b71-5dff-4440-8bd9-111c1ec62efb\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAuthenticatedVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Authenticated\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"37272499-cf34-4fd3-8f26-5929ea74e783\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\
"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"2086488a-60de-43a5-a31f-0ae0eca9abd3\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIncomingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Incoming\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e35e9dbc-8e1d-4749-9fe3-6e1b7cc19f2c\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DMARC for Outgoing Email\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Outgoing\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Encryption for Email Transmission\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Encryption\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Malicious URL Protections\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Malicious\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"URL Click-Through Protection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Url\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"2477e9e4-bcad-49d6-a4b6-df6672debb7b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isOutgoingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Outgoing\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEncryptionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Encryption\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"1fa8afad-de60-4eb0-8a40-a43bde323bdb\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMaliciousVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Malicious\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"125bc4a9-0a88-4bef-80c9-2707fa0e5f74\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUrlVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Url\",\"resultValType\":\"static\",\"resultVal\":\"
true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e62d359a-891b-4663-9384-b7891d8dc461\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-Phishing Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-phishing protections detect instances of phishing and prevent users from accessing them.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Anti-Phishing Protection in Microsoft 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-phishing-protection)
\\r\\n💡 [Configure Anti-Phishing Policies in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-atp-anti-phishing-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AT, PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"email\\\" or Title contains \\\"phish\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Phishing\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPhishingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-Phishing Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-SPAM Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-SPAM protections detect and quarantine instances of SPAM.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 
365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Anti-Spam protection in Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-spam-protection)
\\r\\n💡 [Configure Anti-Spam Policies in Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| extend Spam = tostring(parse_json(ConfidenceLevel).Spam)\\r\\n| where Spam <> \\\"Skipped\\\"\\r\\n| where Spam <> \\\"Not spam\\\"\\r\\n| where Spam <> \\\"\\\"\\r\\n| project Spam, RecipientEmailAddress, DeliveryAction, EmailDirection, ConfidenceLevel, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Spam Email Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions
\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isSpamVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-SPAM Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authenticated Received Chain](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAuthenticated Received Chain allows for an intermediary, like a mailing list or forwarding service, to sign its own authentication of the original email, allowing downstream entities to accept the intermediary’s authentication even if the email was changed.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [How Microsoft 365 Utilizes Authenticated Received Chain (ARC)](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-utilizes-authenticated-received-chain-arc)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Alerts for DMARC, SPF, DKIM Validations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_AlertName_0\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_AlertName_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAuthenticatedVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Authenticated Received Chain\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ 
[Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Microsoft References \\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n💡 [Configure and View Alerts for DLP Polices](https://docs.microsoft.com/microsoft-365/compliance/dlp-configure-view-alerts-policies)
\\r\\n💡 [How DLP Works Between the Security & Compliance Center and Exchange Admin Centers](https://docs.microsoft.com/microsoft-365/compliance/how-dlp-works-between-admin-centers)
\\r\\n💡 [Email Entity Page](https://docs.microsoft.com/microsoft-365/security/office-365-security/mdo-email-entity-page)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Tactics contains \\\"exfil\\\"\\r\\n| where Title contains \\\"email\\\" or Title contains \\\"phish\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Email Data Loss\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DMARC for Incoming Email](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDMARC protections authenticate incoming email according to the DMARC email authentication protocol defined in RFC 7489.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for 
Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Use DMARC to Validate Email](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)
\\r\\n💡 [How Microsoft 365 Handles Inbound Emails that Fail DMARC](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-handles-inbound-email-that-fails-dmarc)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\" and Entities contains \\\"inbound\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Inbound DMARC Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIncomingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DMARC for Incoming Email\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DMARC for Outgoing Email](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDMARC protections facilitate the authentication of outgoing email by signing the emails and ensuring that external parties may validate the email signatures. 
The DMARC email authentication protocol is defined in RFC7489.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Use DMARC to Validate Email](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)
\\r\\n💡 [How Microsoft 365 Handles Inbound Emails that Fail DMARC](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-handles-inbound-email-that-fails-dmarc)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\" and Entities contains \\\"outbound\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Outbound DMARC Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isOutgoingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DMARC for Outgoing Email\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Encryption for Email Transmission](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEmail services are configured to use encrypted connections, when possible, for communications between clients and other email servers.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Email Encryption](https://docs.microsoft.com/microsoft-365/compliance/ome)
\\r\\n💡 [How Exchange Online Uses TLS to Secure Email Connections](https://docs.microsoft.com/microsoft-365/compliance/exchange-online-uses-tls-to-secure-email-connections)
\\r\\n💡 [Define Mail Flow Rules to Encrypt Email Messages](https://docs.microsoft.com/microsoft-365/compliance/define-mail-flow-rules-to-encrypt-email)
\\r\\n💡 [Setup New Message Encryption Capabilities](https://docs.microsoft.com/microsoft-365/compliance/set-up-new-message-encryption-capabilities)
\\r\\n💡 [Define Mail Flow Rules to Encrypt Email Messages](https://docs.microsoft.com/microsoft-365/compliance/define-mail-flow-rules-to-encrypt-email)
\\r\\n💡 [Manage Office 365 Message Encryption](https://docs.microsoft.com/microsoft-365/compliance/manage-office-365-message-encryption)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
🔀 [Microsoft 365 Defender](https://security.microsoft.com)
🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"encrypt\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information.\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEncryptionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Encryption for Email Transmission\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Malicious URL Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMalicious URL protections detect malicious URLs in emails and prevent users from accessing them.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| where DetectionMethods contains \\\"url\\\"\\r\\n| join (EmailUrlInfo) on NetworkMessageId\\r\\n| project RecipientEmailAddress, DeliveryAction, Url, UrlDomain, EmailDirection, ConfidenceLevel, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"SafeLinks Email Protections\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DeliveryAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Url\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGr
id\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isMaliciousVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Malicious URL Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [URL Click-Through Protection](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nURL click-through protections ensure that when a URL from an email is clicked, the requester is directed to a protection that verifies the security of the URL destination before permitting access.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"url\\\" or Title contains \\\"url\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Urls\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUrlVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"URL Click-Through Protection\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Email Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Web](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nWeb-based protections including break/inspect, active content mitigation, certificate blacklisting/consensus, content filtering, authenticated proxy, data loss prevention, DNS-over-HTTPS filtering, RFC compliance enforcement, domain category filtering, 
domain reputation filtering, bandwidth control, malicious content filtering, and access control.\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Web Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 108\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Break and Inspect\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Break\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Active Content Mitigation\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Active\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Certificate Denylisting\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Certificate\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Content Filtering\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Content\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Authenticated Proxy\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Authenticated\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DNS-over-HTTPS Filtering\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DNS\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a30d01d0-38f1-4a91-9cf6-cdb181d676b5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isBreakVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Break\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isActiveVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Active\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b2b0b9d3-128b-4ec7-a1e8-287df84633da\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCertificateVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Certificate\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"508474da-365f-43db-9c42-4331e8648144\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isContentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Content\",\"resultValType\":\"static\",\"resultVal\":\"true\
"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"68f6fab3-9f4c-4ea8-ac17-064809f6740e\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAuthenticatedVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Authenticated\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a539291a-2744-47ef-9558-f15986ecf508\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"bd2ce9fe-9e44-4bcf-9f00-83a04c86e456\"},{\"id\":\"5cb17a08-31fb-4eee-87d8-abef7ecbb7e2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDNSVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DNS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden 
Parameters\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"RFC Compliance Enforcement\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RFC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Domain Category Filtering\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Category\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Domain Reputation Filter\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Reputation\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Bandwidth Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Bandwidth\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Malicious Content Filtering\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Malicious\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Access\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0114faf6-043c-452c-9249-34899d8965a1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRFCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RFC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCategoryVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Category\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"35f239a8-a4dc-4e7f-8b70-dd4c876151db\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isReputationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Reputation\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"57218915-069e-4559-94ff-29144252c397\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isBandwidthVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Bandwidth\",\"resultValType\":\"static\",\"resultVal\":\"
true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d77f49a8-0e58-46c3-b705-5a61736b41ea\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMaliciousVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Malicious\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a11bbfd4-4c45-4527-b1d2-6cab517590cb\"},{\"id\":\"a1bdb4f4-7f9d-48f8-8deb-e979a7e203a6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAccessVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Access\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Break and Inspect](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nBreak-and-Inspect systems, or encryption proxies, terminate encrypted traffic, logging or performing policy enforcement against the plaintext, and re-encrypting the traffic, if applicable, before transmitting to the final 
destination.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Firewall Premium](https://azure.microsoft.com/services/azure-firewall/) ✳️ [Network Watcher](https://azure.microsoft.com/services/network-watcher/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n💡 [Inspect Traffic with Azure Firewall](https://docs.microsoft.com/azure/private-link/inspect-traffic-with-azure-firewall)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Create an Azure Network Watcher instance](https://docs.microsoft.com/azure/network-watcher/network-watcher-create)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Network Watcher](https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"protected by Azure Firewall\\\" or RecommendationDisplayName contains \\\"watcher\\\" or RecommendationDisplayName contains \\\"proxy\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"azurefirewalls\\\" or type contains \\\"firewallpolicies\\\" or type contains \\\"networkwatchers\\\" or type contains \\\"webapplicationfirewall\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Break & Inspect Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isBreakVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Break and Inspect\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Active Content Mitigation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nActive content mitigation protections detect the presence of unapproved active content and facilitate its removal.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) 🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n\\r\\n### Implementation \\r\\n💡[What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡[Azure Web Application Firewall on Azure Front Door](https://docs.microsoft.com/azure/web-application-firewall/afds/afds-overview)
\\r\\n💡[Connect data from Microsoft 365 Defender to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"endpoint protection\\\" or RecommendationDisplayName contains \\\"Web Application Firewall\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"webapplicationfirewall\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Content Mitigation Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message: string, ruleName_s: string, clientIp_s: string, clientIP_s: string, action_s: string, transactionId_s: string, trackingReference_s: string) [\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\"]);\\r\\nFakeData\\r\\n| union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"Application Gateway\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"Application Gateway\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"Application Gateway\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"Application Gateway\\\" contains \\\"cdn\\\")) and (\\\"SOC-NS-AG-WAFV2 - 1129440\\\" == \\\"All\\\" or Resource in ('SOC-NS-AG-WAFV2'))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '*' == Action or '*' == \\\"*\\\" \\r\\n| where '*' == requestUri_s or '*' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Rule= iif(Rule contains \\\"Mandatory rule. Cannot be disabled.\\\", strcat_array(split(Rule, \\\"Mandatory rule. Cannot be disabled. 
Inbound \\\", 1), \\\"\\\"), Rule) // Removes initial component for mandatory rule \\r\\n| extend Rule = iif(Rule contains \\\"Total Inbound Score\\\", strcat_array(array_concat(split(Rule, \\\" - SQLI=\\\", 0), parse_json('[\\\") -\\\"]'), split(Rule, \\\"):\\\", 1)), \\\"\\\"), Rule) // Removes smaller information if more info is available for anomaly score\\r\\n| summarize count() by Rule\\r\\n| top 50 by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure WAF Events\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Rule\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redDark\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isActiveVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Active Content 
Mitigation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Certificate Denylisting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCertificate denylisting protections prevent communication with entities that use a set of known bad certificates.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Certificates Used by Azure Firewall Premium](https://docs.microsoft.com/azure/firewall/premium-certificates)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Quickstart: Create a Key Vault using the Azure Portal](https://docs.microsoft.com/azure/key-vault/general/quick-create-portal)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"certificate\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"cert\\\" \\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"cert\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"cert\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / 
todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"He
althy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCertificateVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Certificate Denylisting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Content Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nContent filtering protections detect the presence of unapproved content and facilitate its removal or denial of access.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure Firewall Web Categories](https://docs.microsoft.com/azure/firewall/web-categories)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Web Content Filtering](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/web-content-filtering)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\n materialize(\\r\\n AzureDiagnostics\\r\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n | project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". 
Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n | where msg_s has \\\" Reason:\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n and msg_s !has \\\"No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | where msg_s has \\\"Rule Collection Group\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". 
Rule: \\\" Rule\\r\\n )\\r\\n| summarize Count = count(), last_log = datetime_diff(\\\"second\\\", now(), max(TimeGenerated)) by RuleCollection, Rule, WebCategory\",\"size\":1,\"showAnalytics\":true,\"title\":\"Azure Firewall: Content Enforcement\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"last_log\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_heatmap_last_log_4\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_heatmap_last_log_4\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 36\"}]},\"conditionalVisibility\":{\"parameterName\":\"isContentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Content Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authenticated 
Proxy](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAuthenticated proxies require entities to authenticate with the proxy before making use of it, enabling user, group, and location-aware security controls.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Plan an Azure AD Application Proxy Deployment](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-deployment-plan)
\\r\\n💡 [Configure Real-Time Application Access Monitoring with Microsoft Defender for Cloud Apps and Azure Active Directory](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-integrate-with-microsoft-cloud-application-security)
\\r\\n💡 [Protect Apps with Microsoft Defender for Cloud Apps Conditional Access App Control](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| mv-expand ConditionalAccessPolicies\\r\\n| extend ConditionalAccessPolicy = tostring(ConditionalAccessPolicies.displayName)\\r\\n| summarize count() by ConditionalAccessPolicy\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Conditional Access Policies\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConditionalAccessPolicy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":
\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAuthenticatedVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Authenticated Proxy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Microsoft Defender for Cloud Apps: File Policies](https://docs.microsoft.com/cloud-app-security/data-protection-policies)
\\r\\n💡 [Content Inspection for Protected Files](https://docs.microsoft.com/cloud-app-security/content-inspection)
\\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Defender for Identity Portal](https://portal.atp.azure.com/)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n🔀 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Tactics contains \\\"exfil\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Data Exfiltration\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"sortBy\":\"[variables('TemplateEmptyArray')]\"},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss 
Prevention_W\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNS-over-HTTPS Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNS-over-HTTPS filtering prevents entities from using the DNS-over-HTTPS protocol, possibly evading DNS-based protections.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Microsoft Defender for DNS](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-dns-introduction)
\\r\\n💡 [Azure Firewall DNS settings](https://docs.microsoft.com/azure/firewall/dns-settings)
\\r\\n💡 [Web Content Filtering](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Workload Protections](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/26)
\\r\\n🔀 [Azure Firewall](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"dns\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS-over-HTTPS Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [RFC Compliance Enforcement](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nRFC compliant enforcement technologies ensure that traffic complies with protocol definitions.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation\\r\\n💡[What is Azure Web Application Firewall on Azure Application 
Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡[Tutorial: Create an Application Gateway with a Web Application Firewall using the Azure Portal](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics \\r\\n| where Category == \\\"ApplicationGatewayFirewallLog\\\"\\r\\n| where details_file_s contains \\\"rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\\\"\\r\\n| summarize count() by ResourceId, Message\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Web Protocol Enforcement Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isRFCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RFC Compliance Enforcement\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Domain Category Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDomain category filtering technologies allow for classes of 
domains (e.g. banking, medical) to receive a different set of security protections.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Firewall: Web Categories](https://docs.microsoft.com/azure/firewall/premium-deploy#web-categories-testing)
\\r\\n💡 [Use FQDN Filtering in Network Rules](https://docs.microsoft.com/azure/firewall/fqdn-filtering-network-rules)
\\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)\\t
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\n materialize(\\r\\n AzureDiagnostics\\r\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n | project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". 
Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n | where msg_s has \\\" Reason:\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n and msg_s !has \\\"No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | where msg_s has \\\"Rule Collection Group\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". 
Rule: \\\" Rule\\r\\n )\\r\\n| where Action == \\\"Deny\\\"\\r\\n| where '*' == SourceIP or '*' == \\\"*\\\" \\r\\n| summarize count() by FQDN\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Domain & Category Filtering\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FQDN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Diagnostics\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isCategoryVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Domain Category Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Domain Reputation Filter](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDomain reputation filtering protections are a form of domain denylisting based on a 
domain’s reputation, as defined by either the agency or an external entity.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Firewall Threat Intelligence-Based Filtering](https://docs.microsoft.com/azure/firewall/threat-intel)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName == \\\"AzureFirewallThreatIntelLog\\\"\\r\\n| where msg_s <> \\\" request from to . Action: . ThreatIntel: \\\"\\r\\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url: \\\" Url \\\". Action: \\\" Action \\\". ThreatIntel: \\\" ThreatIntelMsg\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". ThreatIntel: \\\" ThreatIntelMsg\\r\\n)\\r\\n| summarize by ThreatIntelMsg, Url, FQDN, Action, Protocol, SourceIP, SourcePort, DestinationPort, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: Threat Intelligence URL Blocks\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Url\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Diagnostics\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Action\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"FQDN\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"FQDN\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isReputationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Domain Reputation Filter\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Bandwidth Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nBandwidth control technologies allow for limiting the amount of bandwidth used by different classes of domains.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Metrics](https://docs.microsoft.com/azure/azure-monitor/essentials/data-platform-metrics) ✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Monitor Metrics 
Overview](https://docs.microsoft.com/azure/azure-monitor/essentials/data-platform-metrics)
\\r\\n💡 [Monitor Azure Firewall Logs and Metrics](https://docs.microsoft.com/azure/firewall/firewall-diagnostics) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"Bandwidth Control\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"40\",\"name\":\"Control Smartcard\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5084e141-6c56-4d7f-bd8a-09f7ef9af1bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Resource\",\"label\":\"Azure Firewalls\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"where type =~ 'Microsoft.Network/azureFirewalls'\\r\\n| project id, name\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"parameters - 1\"},{\"type\":10,\"content\":{\"chartId\":\"workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15\",\"version\":\"MetricsItem/2.0\",\"size\":0,\"chartType\":2,\"resourceType\":\"microsoft.network/azurefirewalls\",\"metricScope\":0,\"resourceParameter\":\"Resource\",\"resourceIds\":[\"{Resource}\"],\"timeContextFromParameter\":\"TimeRange\",\"timeContext\":{\"durationMs\":604800000},\"metrics\":[{\"namespace\":\"microsoft.network/azurefirewalls\",\"metric\":\"microsoft.network/azurefirewalls--Throughput\",\"aggregation\":4,\"splitBy\":\"[variables('blanks')]\",\"columnName\":\"All Firewall Throughput Average\"}],\"title\":\"Average Throughput of Firewall Traffic\",\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"metric - 25\"}]},\"conditionalVisibility\":{\"parameterName\":\"isBandwidthVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Bandwidth 
Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Malicious Content Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMalicious content filtering protections detect the presence of malicious content and facilitate its removal.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) ✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Microsoft Defender for Cloud's enhanced security features](https://docs.microsoft.com/azure/defender-for-cloud/enhanced-security-features-overview)
\\r\\n💡 [What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡 [Azure Web Application Firewall on Azure Front Door](https://docs.microsoft.com/azure/web-application-firewall/afds/afds-overview)
\\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.PT, PR.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"firewall\\\" or RecommendationDisplayName contains \\\"defender\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"mal\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Malicious Content\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"sortBy\":\"[variables('TemplateEmptyArray')]\"},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| project Category, ResourceType, OperationName);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n 
| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n | summarize Volume=count() by OperationName\\r\\n | project Category=OperationName, Volume\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName == \\\"AzureFirewallThreatIntelLog\\\"\\r\\n | summarize Volume=count() by OperationName\\r\\n | project Category=OperationName, Volume\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n | where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n | summarize Volume=count() by Category\\r\\n)\\r\\n| sort by Volume desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Web Protections by Rule Category\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Category\",\"exportParameterName\":\"SelectedCategory\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Volume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Category\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Volume\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMaliciousVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Malicious Content Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control technologies allow an agency to define policies limiting what actions may be performed by connected users and entities.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Overview of Role-Based Access Control in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/roles/custom-overview)
\\r\\n💡 [What is Azure AD Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n💡 [Secure Your Management Ports With Just-In-Time Access](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"Just\\\" or RecommendationDisplayName contains \\\"privilege\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAccessVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Web Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Networking](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nNetwork-based protections including network access controls, IP denylisting, host containment, network segmentation, and microsegmentation. 
\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Networking Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 109\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Access\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"IP Denylisting\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IP\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Host Containment\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Host\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Network Segmentation\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Network\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Microsegmentation\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Micro\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAccessVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Access\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIPVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IP\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"50ab20f8-9e71-4938-a67c-fc3cddda9d3e\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isHostVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Host\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"297ab54c-7fb4-4d69-b331-d06b5848b0c2\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isNetworkVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Network\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaConte
xt\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4c49d950-1bd2-45c1-8a98-4f17abff2088\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMicroVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Micro\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"cf2d16a5-def7-4887-87ff-188258574464\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control protections prevent the ingest, egress, or transiting of unauthorized network traffic.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)\\r\\n✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Security Recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Tutorial: Create an Application Gateway with a Web Application Firewall using the Azure Portal](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal)
\\r\\n💡 [Tutorial: Create and Manage a VPN Gateway using Azure Portal]( https://docs.microsoft.com/azure/vpn-gateway/tutorial-create-gateway-portal)
\\r\\n💡 [What is Azure ExpressRoute?](https://docs.microsoft.com/azure/expressroute/expressroute-introduction)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
🔀 [Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
🔀 [Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
🔀 [ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"network access\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"network\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Networking Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where OperationName == \\\"NetworkSecurityGroupEvents\\\"\\r\\n| extend NetworkMap=strcat(\\\"NetworkMap\\\")\\r\\n| summarize count() by ruleName_s, NetworkMap\\r\\n| project NetworkSecurityGroupRule=ruleName_s, FlowCount=count_, NetworkMap\\r\\n| sort by FlowCount desc \",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Map & Flow Counts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"NetworkSecurityGroupRule\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Lateral_Movement\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"FlowCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"NetworkMap\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Network Map >>\",\"bladeOpenContext\":{\"bladeName\":\"NetworkMapBlade\",\"extensionName\":\"Microsoft_Azure_Security_R3\",\"bladeParameters\":\"[variables('TemplateEmptyArray')]\"}}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAccessVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [IP Denylisting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIP denylisting protections prevent the ingest or transiting of traffic received from or destined to a denylisted IP address.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [ThreatIntelligenceIndicator](https://docs.microsoft.com/azure/azure-monitor/reference/tables/threatintelligenceindicator) ✳️ [Microsoft 
Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Connect Data from Threat Intelligence Providers](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n💡 [Azure Firewall Threat Intelligence Configuration](https://docs.microsoft.com/azure/firewall-Manager/threat-intelligence-settings)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n\\t iff(isnotempty(Url), \\\"URL\\\",\\r\\n\\t iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n\\t iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n\\t iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n\\t \\\"Other\\\")))))\\r\\n| where IndicatorType == \\\"IP\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by IndicatorType\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Sentinel: Threat Intelligence IP Indicators Ingested\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"VMConnection\\r\\n| extend NetworkSourceIP=RemoteIp\\r\\n| where NetworkSourceIP <> \\\"\\\"\\r\\n| extend FirewallManager=strcat(\\\"FirewallManager\\\")\\r\\n| join (ThreatIntelligenceIndicator) on NetworkSourceIP\\r\\n| extend Indicator = strcat(NetworkSourceIP, FileHashValue, NetworkIP, NetworkDestinationIP, Url, EmailSourceIpAddress, EmailSenderAddress, DomainName)\\r\\n| extend Source=SourceSystem1\\r\\n| summarize count () by ThreatType, Action, Indicator, Direction, _ResourceId, FirewallManager, RemoteCountry, RemoteIp, Source\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence: IP Denylisting\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"FirewallManager\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Firewall Manager 
>>\",\"bladeOpenContext\":{\"bladeName\":\"FirewallManagerMenuBlade\",\"extensionName\":\"Microsoft_Azure_HybridNetworking\",\"bladeParameters\":\"[variables('TemplateEmptyArray')]\"}}},{\"columnMatch\":\"RemoteCountry\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"RiskIQ_Lookup\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"RiskIQ Lookup >\"}},{\"columnMatch\":\"VirusTotalURL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"VirusTotal Lookup >\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"RemoteCountry\",\"latitude\":\"RemoteLatitude\",\"longitude\":\"RemoteLongitude\",\"sizeSettings\":\"RemoteCountry\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"RemoteCountry\",\"legendMetric\":\"RemoteCountry\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"RemoteIp\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"redBright\"}]}}},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Threat Intelligence: IP Denylisting\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIPVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IP 
Denylisting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Host Containment](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nHost containment protections enable a network to revoke or quarantine a host’s access to the network.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Security Orchestration, Automation, and Response (SOAR) in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/automation-in-azure-sentinel)
\\r\\n💡 [How to Isolate an Azure VM Using Microsoft Defender for Cloud’s Workflow Automation](https://techcommunity.microsoft.com/t5/azure-security-center/how-to-isolate-an-azure-vm-using-azure-security-center-s/ba-p/1250985)
\\r\\n💡 [Isolate Endpoints from the Network](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-endpoints-from-the-network)
\\r\\n\\r\\n### Microsoft Portals \\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"logic\\\"\\r\\n| where id contains \\\"block\\\" or id contains \\\"isolate\\\" or id contains \\\"lock\\\" or id contains \\\"revoke\\\" or id contains \\\"quarantine\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Containment Automations Configured\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isHostVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Host Containment\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Network Segmentation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nNetwork segmentation separates a given network into subnetworks, facilitating security controls between the subnetworks, and decreasing the attack surface of the network.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 
[SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Implement Network Segmentation Patterns on Azure](https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation)
\\r\\n💡 [What is Azure Virtual Network?](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"segment\\\" or RecommendationDisplayName contains \\\"network security group\\\" or RecommendationDisplayName contains \\\"subnet\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"networksecuritygroups\\\" or type contains \\\"virtualnetworks\\\" or type contains \\\"tables\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Segmentation Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Network Segmentation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsegmentation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMicrosegmentation divides the network, either physically or virtually, according to the communication needs of application and data workflows, facilitating security controls to protect the data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)\\r\\n✳️ [Application Gateway](https://azure.microsoft.com/services/application-gateway/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Network Security & Containment](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n💡 [What is Azure Virtual Network?](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n💡 [Implement network segmentation patterns on Azure](https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation)
\\r\\n💡 [Application Security Groups](https://docs.microsoft.com/azure/virtual-network/application-security-groups)
\\r\\n💡 [Tutorial: Filter Network Traffic with a Network Security Group using the Azure portal](https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Application Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n🔀 [Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.DS, PR.IP, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"application gateway\\\" or RecommendationDisplayName contains \\\"security group\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"applicationgateway\\\" or type contains \\\"securitygroup\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsegementation Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isMicroVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Microsegmentation\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Networking Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Resiliency](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nResiliency measures including DDoS protections, elastic expansion, and regional delivery.\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Resiliency Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 110\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DDoS Protections\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DDoS\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Elastic Expansion\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Elastic\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Regional Delivery\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Regional\\\\\\\" 
}\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDDoSVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DDoS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isElasticVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Elastic\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c6997d7f-b3e5-431c-b747-ea5a75b533e0\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRegionalVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Regional\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"250d293f-5d5f-4944-8cd4-5ec0183b9053\"}],\"style\":\"
pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DDoS Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDDoS protections mitigate the effects of distributed denial of service attacks.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) 🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure DDoS Protection]( https://azure.microsoft.com/services/ddos-protection/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure DDoS Protection Standard Overview](https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DDoS Protection Plans](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FddosProtectionPlans)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"dos\\\" or Title contains \\\"denial\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: DDoS\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"sortBy\":\"[variables('TemplateEmptyArray')]\"},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Resources\\r\\n| where type contains \\\"microsoft.network/ddosprotectionplans\\\"\\r\\n| extend RG = substring(id, 0, indexof(id, '/providers'))\\r\\n| extend virtualNetworks = properties.virtualNetworks\\r\\n| mvexpand bagexpansion=array virtualNetworks\\r\\n| extend VNETid = virtualNetworks.id\\r\\n| project-away kind, managedBy, sku, 
plan, identity, zones, extendedLocation, name, tenantId, properties, tags, virtualNetworks, resourceGroup\",\"size\":0,\"showAnalytics\":true,\"title\":\"DDoS Protection Plans\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"location\",\"formatter\":17},{\"columnMatch\":\"subscriptionId\",\"formatter\":15,\"formatOptions\":{\"linkTarget\":\"[variables('blanks')]\",\"showIcon\":true}},{\"columnMatch\":\"VNETid\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"[variables('blanks')]\",\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"id\",\"label\":\"Name\"},{\"columnId\":\"type\",\"label\":\"Type\"},{\"columnId\":\"location\",\"label\":\"Region\"},{\"columnId\":\"subscriptionId\",\"label\":\"Subscription\"},{\"columnId\":\"VNETid\",\"label\":\"Virtual Networks\"}]},\"sortBy\":\"[variables('TemplateEmptyArray')]\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DDoSPlans\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"DDoSMitigationReports\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| extend TopAttackVector = tostring(parse_json(AttackVectors_s)[0]) \\r\\n| extend Total_packets_ = tostring(parse_json(TrafficOverview_s).Total_packets) \\r\\n| extend Total_packets_dropped_ = todouble(parse_json(TrafficOverview_s).Total_packets_dropped)\\r\\n| 
extend TotalPackets =todouble(Total_packets_)\\r\\n| where TotalPackets > 0\\r\\n| where TopAttackVector <> \\\"\\\"\\r\\n| project TopAttackVector, TotalPackets, TotalPacketsDropped = Total_packets_dropped_ , ResourceId , SourceIP=IPAddress, Resource, TimeGenerated\\r\\n| sort by TotalPacketsDropped desc\\r\\n| limit 100\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"DDoS Mitigation Activity\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"IPAddress\",\"parameterName\":\"IPAddress\",\"parameterType\":1},{\"fieldName\":\"ResourceId\",\"parameterName\":\"ResourceId\",\"parameterType\":1,\"defaultValue\":\"ResourceId\"},{\"fieldName\":\"Resource\",\"parameterName\":\"AttackReport\",\"parameterType\":1,\"defaultValue\":\"/\"}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TopAttackVector\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"TotalPackets\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"TotalPacketsDropped\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Resource\",\"formatte
r\":5},{\"columnMatch\":\"Total_packets_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Total_packets_dropped_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"subtitleContent\":{\"columnMatch\":\"TopAttackVector\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Resource\"},\"rightContent\":{\"columnMatch\":\"TimeGenerated\"},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"50\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDDoSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DDoS Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Elastic Expansion](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nElastic expansion enables agencies to dynamically expand the resources available for services as conditions require.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Virtual Machine Scale Sets](https://azure.microsoft.com/services/virtual-machine-scale-sets/) ✳️ [Traffic Manager]( https://azure.microsoft.com/services/traffic-manager/) ✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) ✳️ [Azure Availability Zones]( https://azure.microsoft.com/global-infrastructure/availability-zones/)\\r\\n\\r\\n### Implementation \\r\\n💡 [What are Virtual Machine Scale Sets?](https://docs.microsoft.com/azure/virtual-machine-scale-sets/overview) 
\\r\\n💡 [Elastic Pools Help You Manage and Scale Multiple Databases in Azure SQL Database](https://www.cisa.gov/trusted-internet-connections)
\\r\\n💡 [What is Azure Load Balancer?](https://docs.microsoft.com/azure/load-balancer/load-balancer-overview)
\\r\\n💡 [What is Traffic Manager?](https://docs.microsoft.com/azure/traffic-Manager/traffic-Manager-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Machine Scale Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FvirtualMachineScaleSets)
🔀 [Azure SQL](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Sql%2Fazuresql)
🔀 [Load Balancer](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
🔀 [Traffic Manager Profiles](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2Ftrafficmanagerprofiles)
🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"load\\\" or Description contains \\\"scale\\\" or Description contains \\\"front\\\" or Description contains \\\"traffic manager\\\" or Description contains \\\"pool\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"scale\\\" or type contains \\\"traffic\\\" or type contains \\\"load\\\" or type contains \\\"balance\\\" or type contains \\\"pool\\\" or type contains \\\"set\\\" or type contains \\\"manager\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Elastic Expansion Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isElasticVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Elastic Expansion\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Regional Delivery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nRegional delivery technologies enable the deployment of agency services across geographically diverse locations.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter)\\r\\n\\r\\n### Implementation \\r\\n💡 [Building Solutions for High Availability Using Availability Zones](https://docs.microsoft.com/azure/architecture/high-availability/building-solutions-for-high-availability)
 \\r\\n💡 [Azure Infrastructure Availability](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-availability) 
\\r\\n💡 [Data residency in Azure](https://azure.microsoft.com/global-infrastructure/data-residency/#overview) 
\\r\\n💡 [Regions and availability zones](https://docs.microsoft.com/azure/availability-zones/az-overview) 
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Availability Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FavailabilitySets)
\\r\\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"disaster\\\" or RecommendationDisplayName contains \\\"region\\\" or RecommendationDisplayName contains \\\"redundant\\\" or RecommendationDisplayName contains \\\"geo\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sign-Ins By Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"Location\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by location\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"location\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isRegionalVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Regional Delivery\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Resiliency Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNS](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nDNS measures including DNS blackholing, DNSSEC for clients, and DNSSEC for domains. 
\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS Capability Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 111\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DNS Sinkholing\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Sink\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DNSSEC for Agency Clients\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Clients\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DNSSEC for Agency Domains\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Domains\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSinkVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Sink\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"aaf5f338-70e7-4910-8b24-0256c3e819ab\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isClientsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Clients\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDomainsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Domains\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b454a300-8718-4f34-a5e9-722b582dc95d\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNS Sinkholing](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNS sinkholing protections are a form of denylisting that protect clients from accessing malicious domains by responding to DNS queries for those domains.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) \\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is Azure DNS?](https://docs.microsoft.com/azure/dns/dns-overview)
\\r\\n💡 [How to protect DNS zones and records](https://docs.microsoft.com/azure/dns/dns-protect-zones-recordsets)
\\r\\n💡 [Microsoft Defender for DNS](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-dns-introduction)
\\r\\n💡 [Azure Firewall DNS settings](https://docs.microsoft.com/azure/firewall/dns-settings)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"domain\\\" or type contains \\\"dns\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"dns\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: DNS\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These 
Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSinkVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS Sinkholing\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNSSEC for Agency 
Clients](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNSSEC protections ensure that domain name lookups from agency clients, whether for internal or external domains, are validated.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Enabling Central Visibility For DNS Using Azure Firewall Custom DNS and DNS Proxy](https://techcommunity.microsoft.com/t5/azure-network-security/enabling-central-visibility-for-dns-using-azure-firewall-custom/ba-p/2156331)
\\r\\n💡 [DANE Support](https://docs.microsoft.com/windows-server/networking/dns/what-s-new-in-dns-server#dane-support)
\\r\\n💡 [Support of DANE and DNSSEC in Office 365 Exchange Online](https://techcommunity.microsoft.com/t5/exchange-team-blog/support-of-dane-and-dnssec-in-office-365-exchange-online/ba-p/1275494)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DNS zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n🔀 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"dns\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"dns\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"dns\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\r\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\r\\n| project-away msg_s\\r\\n| summarize by TimeGenerated, ResourceId, ClientIP, ClientPort, QueryID, Request_Type, Request_Class, Request_Name, Request_Protocol, Request_Size, EDNSO_DO, EDNS0_Buffersize, Responce_Code, Responce_Flags, Responce_Size, Response_Duration, SubscriptionId\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Request_Type\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: DNS Proxy Actions over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isClientsVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNSSEC for Agency Clients\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNSSEC for Agency Domains](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNSSEC protections ensure that all agency domain names are secured using DNSSEC, enabling external entities to validate their resolution the domain names.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is Azure DNS?](https://docs.microsoft.com/azure/dns/dns-overview)
\\r\\n💡 [Security Recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"dns\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDomainsVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNSSEC for Agency Domains\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Intrusion Detection](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nIntrusion Detection measures including endpoint detection & response, intrusion protection systems, adaptive access control, deception platforms, and certificate transparency log monitoring.\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Intrusion Detection Capability 
Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 112\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Endpoint Detection and Response\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Endpoint\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Intrusion Protection Systems (IPS)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Intrusion\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Adaptive Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Adaptive\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Deception Platforms\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Deception\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Certificate Transparency Log Monitoring\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Certificate\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEndpointVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Endpoint\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIntrusionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Intrusion\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"f683c8d4-894a-4863-a2c6-03d36d6d7819\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAdaptiveVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Adaptive\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"27dcffa8-43ca-4d68-b69d-11dbd33dcbcb\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDeceptionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Deception\",\"resultValType\":\"static\",\"resultVal
\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b4f96879-69b4-45b3-b6a6-384a91e9569c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCertificateVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Certificate\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"51c9fd25-2fa3-4cca-bc9f-bf8b5d0a0e07\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Endpoint Detection and Response](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEndpoint detection and response tools combine endpoint and network event data to aid in the detection of malicious activity.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Overview of Endpoint Detection and Response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, RS.AN](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"endpoint protection\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where AdditionalData contains \\\"Microsoft Defender for Endpoint\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Endpoint Detection & Response\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These 
Thresholds\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEndpointVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Endpoint Detection and Response\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Intrusion Protection Systems 
(IPS)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIntrusion protection systems detect malicious activity, attempt to stop the activity, and report the activity.\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Firewall Premium: IPS](https://docs.microsoft.com/azure/firewall/premium-features#idps)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) 🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, DE.DP, RS.AN](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"IPS\\\" or Title contains \\\"IDS\\\" or Title contains \\\"intrusion\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Intrusion Protection System\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n| parse msg_s with * \\\"TCP request from \\\" Source \\\" to \\\" Destination \\\". Action: \\\" ActionTaken \\\". Rule: \\\" IDPSSig \\\". IDS: \\\" IDSMessage \\\". Priority: \\\" Priority \\\". Classification: \\\" Classification\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by OperationName\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: IDPS Alerts over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"microsoft.network/firewallpolicies\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"IPS Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Intrusion Protection Systems (IPS)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Adaptive Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAdaptive access control technologies factor in additional context, like security risk, operational needs, and other heuristics, when evaluating access control decisions.\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\\r\\n💡 [Use adaptive application controls to reduce your machines' attack surfaces](https://docs.microsoft.com/Azure/defender-for-cloud/adaptive-application-controls)
\\r\\n💡 [Improve your network security posture with adaptive network hardening](https://docs.microsoft.com/Azure/defender-for-cloud/adaptive-application-controls)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Workload Protections](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/26)
\\r\\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"adaptive\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = SigninLogs\\r\\n | where AppDisplayName in ('*') or '*' in ('*')\\r\\n | where UserDisplayName in ('*') or '*' in ('*')\\r\\n | extend CAStatus = case(ConditionalAccessStatus == \\\"success\\\", \\\"Successful\\\",\\r\\n ConditionalAccessStatus == \\\"failure\\\", \\\"Failed\\\", \\r\\n ConditionalAccessStatus == \\\"notApplied\\\", \\\"Not applied\\\", \\r\\n isempty(ConditionalAccessStatus), \\\"Not applied\\\", \\r\\n \\\"Disabled\\\")\\r\\n | mvexpand ConditionalAccessPolicies\\r\\n | extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n | extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"endpoint\\\", \\\"Require endpoint Compliant\\\", \\r\\n 
CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined endpoint\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n \\\"Other\\\");\\r\\ndata\\r\\n| summarize Count = dcount(Id) by CAStatus\\r\\n| join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range(ago(14d), now(), 6h) by CAStatus\\r\\n )\\r\\n on CAStatus\\r\\n| project-away CAStatus1, TimeGenerated\\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Conditional Access Status\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CAStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAdaptiveVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Adaptive Access 
Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Deception Platforms](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDeception platform technologies provide decoy environments, from individual machines to entire networks, that can be used to deflect attacks away from the operational systems supporting agency missions/business functions.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Microsoft Sentinel Deception Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-microsoft-sentinel-deception-solution/ba-p/2904945)
\\r\\n💡 [Deploy and monitor Azure Key Vault honeytokens with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/monitor-key-vault-honeytokens?tabs=deploy-at-scale)
\\r\\n💡 [Manage Sensitive or Honeytoken Accounts](https://docs.microsoft.com/defender-for-identity/manage-sensitive-honeytoken-accounts)
\\r\\n\\r\\n### Microsoft Portal\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Identity](https://portal.atp.azure.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.AE, RS.AN](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where id contains \\\"deception\\\" or id contains \\\"honey\\\" or id contains \\\"HTDK\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Deception Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"honeytoken\\\" or Title contains \\\"deception\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, 
IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Deception\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with 
* '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"honey\\\" or RecommendationDisplayName contains \\\"deception\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDeceptionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Deception Platforms\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Certificate Transparency Log Monitoring](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCertificate transparency log monitoring allows agencies to discover when new certificates are issued for agency domains.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Get Started with Key Vault Certificates](https://docs.microsoft.com/azure/key-vault/certificates/certificate-scenarios)
\\r\\n💡 [Security Recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"cert\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"key\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Key Vault Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Description contains \\\"certificate\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Certificates\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCertificateVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Certificate Transparency Log Monitoring\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Intrusion Detection Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Enterprise](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nEnterprise-based controls including security orchestration automation & response, shadow IT detection, and virtual private networks. 
\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Enterprise Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 113\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Orchestration, Automation, and Response\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SOAR\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Shadow IT Detection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Shadow\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Virtual Private Network (VPN)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"VPN\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"6a82c6f2-dde9-45d9-acf4-23e96b5b2647\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSOARVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SOAR\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isShadowVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Shadow\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"750b4451-0f5d-4e58-95c2-c4b4c8991335\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isVPNVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"VPN\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a2f3d34f-7824-4733-bddc-00efb62da0f2\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Orchestration, Automation, and Response (SOAR)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nSecurity Orchestration, Automation, and Response (SOAR) tools define, prioritize, and automate the response to security incidents.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Logic Apps](https://azure.microsoft.com/services/logic-apps/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Tutorial: Setup Automated Threat Responses in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, DE.DP, RS.CO, RS.AN, RC.RP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type == \\\"microsoft.logic/workflows\\\"\\r\\n| extend Connection = parse_json(properties)[\\\"parameters\\\"][\\\"$connections\\\"][\\\"value\\\"]\\r\\n| where Connection has \\\"managedApis/azuresentinel\\\"\\r\\n| project id, type, resourceGroup\",\"size\":0,\"showAnalytics\":true,\"title\":\"SOAR Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"playbook\\\" or RecommendationDisplayName contains \\\"automation\\\" or RecommendationDisplayName contains \\\"logic\\\" or RecommendationDisplayName contains \\\"notification\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed 
= countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where OperationNameValue startswith \\\"Microsoft.Logic\\\"\\r\\n| where ActivityStatusValue == \\\"Success\\\" or ActivityStatusValue == \\\"Succeeded\\\"\\r\\n| extend scope_ = tostring(Authorization_d.scope)\\r\\n| parse-where scope_ with * 'workflows/' PlaybookName '/' *\\r\\n| where PlaybookName contains \\\"notify\\\" or PlaybookName contains \\\"email\\\" or PlaybookName contains \\\"teams\\\" or PlaybookName contains \\\"ticket\\\" or PlaybookName contains \\\"post\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by PlaybookName\\r\\n| render timechart \",\"size\":0,\"showAnnotations\":true,\"showAnalytics\":true,\"title\":\"Notification SOAR Playbooks (Triggered over Time)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSOARVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Security Orchestration, Automation, and Response (SOAR)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Shadow IT Detection](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nShadow IT detection systems detect the presence of unauthorized software and systems in use by an agency.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Tutorial: Discover and Manage Shadow IT in Your Network](https://docs.microsoft.com/cloud-app-security/tutorial-shadow-it)
\\r\\n💡 [Review Your Security Recommendations](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Endpoint Discovery - Navigating Your Way Through Unmanaged Devices](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating-your-way-through-unmanaged-devices/ba-p/2248909)
\\r\\n💡 [Device Discovery Overview](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery)
\\r\\n💡 [Welcome to Microsoft Defender for IoT](https://docs.microsoft.com/azure/defender-for-iot/overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Defender for IoT](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.IP, PR.MA, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Description contains \\\"shadow\\\" or Description contains \\\"unauth\\\" or Description contains \\\"rogue\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Shadow IT\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"safe\\\" or RecommendationDisplayName contains \\\"authorized\\\" or RecommendationDisplayName contains \\\"endpoint protection\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = 
countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| extend Azure_Inventory=location\\r\\n| extend M365_Inventory=strcat(\\\"https://security.microsoft.com/machines\\\")\\r\\n| project AssetID=id,AssetType=type, Azure_Inventory, M365_Inventory\\r\\n| sort by AssetType desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Asset Inventory\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isShadowVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Shadow IT Detection\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Virtual Private Network (VPN)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nVirtual private network (VPN) solutions provide a secure communications mechanism between networks that may traverse across unprotected or public networks.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [VPN Gateway]( https://azure.microsoft.com/services/vpn-gateway/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is VPN Gateway?](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.DS, PR.IP, PR.MA, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"private\\\" or RecommendationDisplayName contains \\\"vpn\\\" or RecommendationDisplayName contains \\\"network gateway\\\" or RecommendationDisplayName contains \\\"express\\\" or RecommendationDisplayName contains \\\"VPC\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"gate\\\" or type contains \\\"bastion\\\" or type contains \\\"route\\\" or type contains \\\"privateend\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"VPN Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isVPNVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Virtual Private Network (VPN)\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Enterprise Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Unified Communications & Collaboration](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nUCC measures including identity verification, encrypted communications, connection terminations, and data loss prevention. 
\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Unified Communications & Collaboration Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 114\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"UCC Identity Verification\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Identity\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"UCC Encrypted Communication\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Encrypted\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"UCC Connection Termination\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Connection\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"UCC Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIdentityVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Identity\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEncryptedVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Encrypted\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9b640df5-5ec5-41bc-8e78-086304ed742a\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isConnectionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Connection\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"893f0857-1ccf-4c35-8432-abe89d1fcf15\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"t
rue\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"767d26fb-524c-448c-9240-40f069a8db45\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Identity Verification](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentity verification ensures that access to the virtual meeting is limited to appropriate individuals. Waiting room features, where the meeting host authorizes vetted individuals to join the meeting can also be utilized.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Security and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-security-guide)
\\r\\n💡 [Identity Models and Authentication for Microsoft Teams](https://docs.microsoft.com/microsoftteams/identify-models-authentication)
\\r\\n💡 [Microsoft Sentinel and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-sentinel-guide)
\\r\\n💡 [Microsoft Teams Meeting Attendance Report](https://docs.microsoft.com/microsoftteams/teams-analytics-and-reports/meeting-attendance-report)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where AppDisplayName has_any (\\\"teams\\\", \\\"webex\\\", \\\"slack\\\", \\\"zoom\\\", \\\"meet\\\", \\\"chat\\\", \\\"goto\\\")\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId, AppDisplayName\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, AppDisplayName, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"UCC Authentications\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"sortBy\":\"[variables('TemplateEmptyArray')]\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIdentityVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Identity 
Verification\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Encrypted Communication](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCommunication between virtual meeting participants and any data exchanged is encrypted at rest and in transit. Some UCC offerings support end-to-end encryption, where encryption is performed on the clients and can only be decrypted by the other authenticated participants and cannot be decrypted by the UCC vendor.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [OfficeActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/officeactivity) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Security and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-security-guide)
\\r\\n💡 [Microsoft Sentinel and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-sentinel-guide)
\\r\\n💡 [Trustworthy by Default](https://docs.microsoft.com/microsoftteams/teams-security-guide#trustworthy-by-default)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where RecordType == \\\"MicrosoftTeams\\\"\\r\\n| extend TeamsMembers = strcat(Members)\\r\\n| distinct Operation, UserId, TeamsMembers, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Teams Logs\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, 
RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"web apps\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEncryptedVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Encrypted Communication\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Connection Termination](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMechanisms that ensure the meeting host can positively control participation. These can include inactivity timeouts, on-demand prompts, unique access codes for each meeting, host participant eviction, and even meeting duration limits.\\r\\n\\r\\n### Implementation \\r\\n💡 [Manage Meeting Policies in Teams](https://docs.microsoft.com/microsoftteams/meeting-policies-in-teams)
\\r\\n💡 [Manage Microsoft Teams Rooms](https://docs.microsoft.com/microsoftteams/rooms/rooms-manage)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Teams Admin Center](https://admin.teams.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, PR.AT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":1,\"content\":{\"json\":\"### ✳️ [Leverage Microsoft Teams for UCC Connection Termination Controls via Meeting Policies](https://docs.microsoft.com/microsoftteams/meeting-policies-in-teams?WT.mc_id=Portal-fx)\\r\\n![Image Name](https://docs.microsoft.com/microsoftteams/media/designated-presenter-role.png) \\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isConnectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Connection Termination\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMechanisms for controlling the sharing of information between UCC participants, intentional or incidental. This may be integrated into additional agency data loss prevention technologies and can include keyword matching, attachment file type or existence prohibitions, attachment size limitations, or even audio/visual filters.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Data Loss Prevention and Microsoft Teams](https://docs.microsoft.com/microsoft-365/compliance/dlp-microsoft-teams)
\\r\\n💡[Communication Compliance in Microsoft 365](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-solution-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| summarize count() by ApplicationName_s, LabelName_s\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensitive Data Actions by Application\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Data Loss Prevention\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Protection](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nData protection measures including access control, protections for data at rest, protections for data in transit, data loss prevention, and data 
access & use telemetry. \"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Protection Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 115\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Access\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Protections for Data at Rest\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Rest\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Protections for Data in Transit\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Transit\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Access and Use Telemetry\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Use\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"6a82c6f2-dde9-45d9-acf4-23e96b5b2647\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAccessVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Access\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRestVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Rest\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b91d3f98-d0d1-4e31-a63c-d949e61ec08b\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isTransitVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Transit\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a34338fa-6463-4b8f-866f-2d79396eceb7\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaC
ontext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9a520097-2a54-41dd-bf84-7ca039dd1939\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Use\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"22c31b63-743c-4b33-924e-26a70aa0fefb\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control technologies allow an agency to define policies concerning the allowable activities of users and entities to data and resources.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [How Access Management in Azure AD works](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups#how-access-management-in-azure-ad-works)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId, AppDisplayName\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, AppDisplayName, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Access by Application\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":2500,\"filter\":true},\"sortBy\":\"[variables('TemplateEmptyArray')]\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OperationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Runs\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"TrendList\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\
":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0\\r\\n| where Location <> \\\"\\\"\\r\\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\\r\\n| extend city_ = tostring(LocationDetails.city)\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"User Sign-Ins by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Caller\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OperationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Runs\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"TrendList\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":10,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\
"heatmap\",\"heatmapPalette\":\"coldHot\"},\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}}},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"showPin\":false,\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAccessVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Protections for Data at Rest](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData protection at rest aims to secure data stored on any endpoint or storage medium.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Data Encryption at Rest](https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest)
\\r\\n💡 [About Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\")\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isRestVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Protections for Data at Rest\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Protections for Data in Transit](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData protection in transit, or data in motion, aims to secure data that is actively moving from one location to another, such as across the internet or through a private enterprise network.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Data Encryption in Transit](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit)
\\r\\n💡 [About Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Encryption for Data in Transit](https://docs.microsoft.com/compliance/assurance/assurance-encryption-in-transit)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName has_any(\\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\")\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isTransitVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Protections for Data in Transit\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n💡 [Hunt for Threats with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/hunting)
\\r\\n💡 [Learn about Microsoft 365 Endpoint Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)
\\r\\n💡 [Configure and View Alerts for DLP Polices](https://docs.microsoft.com/microsoft-365/compliance/dlp-configure-view-alerts-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Description contains \\\"data\\\" or Title contains \\\"data\\\" or Description contains \\\"loss\\\" or Title contains \\\"loss\\\" or Description contains \\\"exfil\\\" or Title contains \\\"exfil\\\" or Tactics contains \\\"exfil\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Data Loss\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| project UserId_s, LabelName_s, Operation_s, Activity_s, IPv4_s, ProtectionOwner_s, ApplicationName_s, ProcessName_s, Platform_s, ContentId_g, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Scan/Monitor for Sensitive Data with Azure Information Protection\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss 
Prevention\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Access and Use Telemetry](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentify agency sensitive data stored, processed, or transmitted, including those located at a service provider. Enforce detailed logging for access or changes to sensitive data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [What is Azure Information Protection?](https://docs.microsoft.com/azure/information-protection/what-is-information-protection)
\\r\\n💡 [Tutorial: Discovering Your Sensitive Content with the Azure Information Protection (AIP) scanner](https://docs.microsoft.com/azure/information-protection/tutorial-scan-networks-and-content)
\\r\\n💡 [Quickstart: Deploying the Azure Information Protection (AIP) Unified Labeling Client](https://docs.microsoft.com/azure/information-protection/quickstart-deploy-client)
\\r\\n💡 [Azure Information Protection (AIP) Labeling, Classification, and Protection](https://docs.microsoft.com/azure/information-protection/aip-classification-and-protection)
\\r\\n💡 [Overview of Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/data-loss-prevention-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Active Directory](https://portal.azure.com#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.PT, DE.AE, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| summarize count() by UserId_s, LabelName_s, ApplicationName_s_s, Operation_s_s, Platform_s_s, Activity_s_s, IPv4_s_s\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Data Access and Use Telemetry\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| extend UserPrincipalName = UserId_s_s\\r\\n| where LabelName_s <> \\\"\\\"\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend State = tostring(LocationDetails.state)\\r\\n| extend Country_Region = 
tostring(LocationDetails.countryOrRegion)\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Sensitive Data Access by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}]},\"sortBy\":\"[variables('TemplateEmptyArray')]\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}
},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"yellow\"}]}}},\"name\":\"query - 12\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Access and Use Telemetry\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Protection Group\"}],\"fromTemplateId\":\"sentinel-ZeroTrust(TIC3.0)\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\",\"value\":\"No\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project 
subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, 
false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000}],\"allowCustom\":true},\"id\":\"6539479a-3e0d-42c6-bcbe-2d1f11bb9896\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/0xxx6arkaS)\"},\"name\":\"Survey\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Getting Started\\r\\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with Zero Trust (TIC 3.0) control requirements. A filter set is available for custom reporting by guides, subscriptions, workspaces, time-filtering, control family, and controls. This offering telemetry from 25+ Microsoft Security and partner offerings, while only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, each offering provides additional enrichment for aligning with control requirements. Each control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads. 
\\r\\n\\r\\n### [Recommended Microsoft Sentinel Roles](https://docs.microsoft.com/azure/sentinel/roles) / [Recommended Microsoft Defender for Cloud Roles](https://docs.microsoft.com/azure/defender-for-cloud/permissions#roles-and-allowed-actions)\\r\\n| Roles | Rights | \\r\\n|:--|:--|\\r\\n|Security Reader | View Workbooks, Analytics, Hunting, Security Recommendations |\\r\\n|Security Contributor| Deploy/Modify Workbooks, Analytics, Hunting Queries, Apply Security Recommendations |\\r\\n|Automation Contributor| Deploy/Modify Playbooks & Automation Rules |\\r\\n\\r\\n### Onboarding Prerequisites \\r\\n1️⃣ [Access Microsoft 365 Compliance Manager: Assessments](https://compliance.microsoft.com/compliancemanager?viewid=Assessments)
\\r\\n2️⃣ [Onboard Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
\\r\\n3️⃣ [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\\r\\n4️⃣ [Continuously Export Security Center Data to Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/continuous-export)
\\r\\n5️⃣ [Extend Microsoft Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)
\\r\\n6️⃣ [Implement CLAW Aggregator](https://github.com/Azure/trusted-internet-connection)
\\r\\n7️⃣ [Configure Auto Provisioning of Microsoft Defender for Cloud Agents](https://docs.microsoft.com/azure/defender-for-cloud/enable-data-collection)
\\r\\n8️⃣ [Review Microsoft Service Trust Portal Documentation/Audit/Resources](https://servicetrust.microsoft.com/)
\\r\\n\\r\\n### Recommended Enrichments\\r\\n✳️[Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n✳️[Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n✳️[Azure Firewall Premium](https://azure.microsoft.com/services/azure-firewall)
\\r\\n✳️[Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n✳️[Azure Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/)
\\r\\n✳️[Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)
\\r\\n✳️[Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n✳️[Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender)
\\r\\n✳️[Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)
\\r\\n✳️[Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n✳️[Azure DDoS Protection](https://azure.microsoft.com/services/ddos-protection/)
\\r\\n✳️[Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender)
\\r\\n\\r\\n### Print/Export Report\\r\\n1️⃣ Set Background Theme: Settings > Appearance > Theme: Azure > Apply
\\r\\n2️⃣ Print/Export Report: More Content Actions (...) > Print Content
\\r\\n3️⃣ Settings: Layout (Landscape), Pages (All), Print (One Sided), Scale (60), Pages Per Sheet (1), Quality (1,200 DPI), Margins (None) > Print
\\r\\n\\r\\n### Important\\r\\nThis solution provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective requirements. Each control is associated with one or more 💡[Azure Policy](https://docs.microsoft.com/azure/governance/policy/overview) definitions. These policies may help you 💡[assess compliance](https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data) with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. 
\",\"style\":\"info\"},\"name\":\"Help\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Microsoft Zero Trust Deployment Center](https://docs.microsoft.com/security/zero-trust)\\r\\n![Image Name](https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4KvMM?ver=13f6&q=0&m=6&h=600&w=1600&b=%23FFFFFFFF&u=t&l=f&f=jpg&o=t&aim=true \\\"Security Policy Enforcement\\\")\\r\\n\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Zero Trust Model\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 109\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Trusted Internet Connections 3.0](https://www.cisa.gov/trusted-internet-connections)\\r\\n\\r\\n| Security Objectives |\\r\\n| : | : | \\r\\n| Manage Traffic | Observe, validate, and filter data connections to align with authorized activities; least privilege and default deny |\\r\\n| Protect Traffic Confidentiality | Ensure only authorized parties can discern the contents of data in transit; sender and receiver identification and enforcement |\\r\\n| Protect Traffic Integrity | Prevent alteration of data in transit; detect altered data in transit |\\r\\n| Ensure Service Resiliency | Promote resilient application and security services for continuous operation as the technology and threat landscape evolve |\\r\\n| Ensure Effective Response | Promote timely reaction and adapt future response to discovered threats; policies defined and implemented; simplified adoption of new countermeasures |\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Trusted Internet Connections 
3.0\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Zero Trust (TIC 3.0) Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\n---\\nThe Microsoft Sentinel Zero Trust (TIC 3.0) Solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across cloud, multi-cloud, 1st/3rd party workloads. The solution includes the new Zero Trust (TIC 3.0) Workbook, (1) Analytics Rule, and (3) Playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced with numerous Microsoft offerings. This Solution enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud, multi-cloud, hybrid, and on-premise workloads. 
For more information, see 💡[Microsoft Zero Trust Model](https://www.microsoft.com/security/business/zero-trust) 💡[Trusted Internet Connections](https://www.cisa.gov/trusted-internet-connections)\"},\"name\":\"Workbook Overview\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/next-evolution-of-the-microsoft-sentinel-zero-trust-tic-3-0/ba-p/3278097\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/CxLzTRPuw-4\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ZeroTrust(TIC3.0)\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"79\",\"name\":\"group - 22\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"21\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Executive Summary\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Assessment\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Controls Crosswalk\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Recommended Data Connectors\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Recommended Content\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"GC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Azure Lighthouse\\\\\\\", \\\\\\\"tab\\\\\\\": 
\\\\\\\"AL\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Universal Security Capabilities\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Universal Security Capabilities\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Files\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Files\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Email\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Email\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 107\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cec6c07e-2856-4c77-8b48-98935f2c1218\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAssessmentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Assessment\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isControlsCrosswalkVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"20f1daf6-59a0-4673-b1bf-cc388d52debf\"},{\"id\":\"2919b971-fb14-440c-ab42-50304df3ceab\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"is
DCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isGCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"GC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"fa7b0ee3-8d6e-4ff7-bb64-cf2241f30f98\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAzureLighthouseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AL\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9944cda7-77aa-4189-8061-afc260130b84\"},{\"id\":\"eab3e5a8-66c3-4304-8c2b-43264e858ba8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUniversalSecurityCapabilitiesVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Universal Security 
Capabilities\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isFilesVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Files\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"67de7a24-1840-4fc5-94d5-a6b5d7520a7c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEmailVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Email\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ec480379-6561-4a30-b005-7533da78ed14\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"isVisible Navigation\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Web\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Web\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Networking\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Networking\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Resiliency\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Resiliency\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"DNS\\\\\\\", 
\\\\\\\"tab\\\\\\\": \\\\\\\"DNS\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Intrusion Detection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Intrusion Detection\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Enterprise\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Enterprise\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Unified Communications & Collaboration\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Unified Communications & Collaboration\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Data Protection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data Protection\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 109\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"740b611b-8155-4e96-bbcc-bbdba0541143\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isWebVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Web\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"62d67234-8fb2-43e6-b5d2-945692493431\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isNetworkingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Networking\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"pa
ram\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isResiliencyVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Resiliency\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4f04758a-2908-474e-bfe0-13d072241fd2\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDNSVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DNS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9cb339a8-c8b4-43ad-b2e5-76f61b87d8c1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIntrusionDetectionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Intrusion 
Detection\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4b799471-726e-432c-b577-2f45474d883c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEnterpriseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Enterprise\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"584fbe21-b31b-49cb-bd65-62ef850a8310\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUnifiedCommunicationsCollaborationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Unified Communications & Collaboration\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"78d61c25-823a-4232-8a32-1a7e7018e596\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataProtectionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data 
Protection\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4da988d5-15f9-4ea8-bbd5-2153bfcae0a0\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"isVisible Navigation - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Executive Summary](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)\\r\\n---\\r\\nThis section provides a mechanism to find, fix, and resolve Zero Trust (TIC 3.0) recommendations. A selector provides capability to filter by all, specific, or groups of TIC 3.0 control families. Upon selection, subordinate panels will summarize recommendations by control family, status over time, recommendations, and resources identified. These panels are helpful for identifying the controls of interest, status over time, and impacted resources. The recommendation details pane provides a mechanism to identify specific recommendation details with deep-links to pivot to Microsoft Defender for Cloud for remediation. 
\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 7\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"99a47f97-1aa4-4840-91ee-119aad6d6217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ControlFamily\",\"label\":\"Control Family\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Universal Security Capabilities\\\", \\\"label\\\": \\\"Universal Security Capabilities\\\"},\\r\\n {\\\"value\\\": \\\"Files\\\", \\\"label\\\": \\\"Files\\\"},\\r\\n {\\\"value\\\": \\\"Email\\\", \\\"label\\\": \\\"Email\\\"},\\r\\n {\\\"value\\\": \\\"Web\\\", \\\"label\\\": \\\"Web\\\"},\\r\\n {\\\"value\\\": \\\"Networking\\\", \\\"label\\\": \\\"Networking\\\"},\\r\\n {\\\"value\\\": \\\"Resiliency\\\", \\\"label\\\": \\\"Resiliency\\\"},\\r\\n {\\\"value\\\": \\\"DNS\\\", \\\"label\\\": \\\"DNS\\\"},\\r\\n {\\\"value\\\": \\\"Intrusion Detection\\\", \\\"label\\\": \\\"Intrusion Detection\\\"},\\r\\n {\\\"value\\\": \\\"Enterprise\\\", \\\"label\\\": \\\"Enterprise\\\"},\\r\\n {\\\"value\\\": \\\"Unified Communications & Collaboration\\\", \\\"label\\\": \\\"Unified Communications & Collaboration\\\"},\\r\\n {\\\"value\\\": \\\"Data Protection\\\", \\\"label\\\": \\\"Data Protection\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"parameters - 26\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName 
has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", \\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", \\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", \\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), 
\\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", \\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", \\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by ControlFamily\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| project ControlFamily, Total, PassedControls, Passed, Failed\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Control Family\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' 
*;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", \\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", \\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", 
\\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), \\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", \\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", \\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"rowLimit\":2500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", 
\\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", \\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", \\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), \\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", \\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", 
\\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by AssessedResourceId\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| project AssessedResourceId, Total, PassedControls, Passed, Failed\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Asset\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. See Getting Started steps in the help tab above for more 
information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AssessedResourceId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & 
Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", \\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", \\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", \\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), \\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", 
\\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", \\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| where RecommendationState == \\\"Unhealthy\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by ControlFamily\\r\\n| render timechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations over Time\",\"noDataMessage\":\"No Current Zero Trust(TIC 3.0) Recommendations in this Area. 
Confirm the CMMC Level 3 Assessment is Enabled in Microsoft Defender for Cloud: Regulatory Compliance Blade.\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", \\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", 
\\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", \\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), \\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", \\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", \\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| where RecommendationState == \\\"Unhealthy\\\"\\r\\n| parse 
RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *\\r\\n| project ResourceID=AssessedResourceId, RecommendationName=RecommendationDisplayName, ControlFamily, Severity=RecommendationSeverity, CurrentState=RecommendationState, RecommendationLink, DiscoveredTimeUTC, assessmentKey\\r\\n| extend Rank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, 0)))\\r\\n| sort by Rank desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendation Details\",\"noDataMessage\":\"No Current Zero Trust (TIC 3.0) Recommendations in this Area. Confirm the CMMC Level 3 Assessment is Enabled in Microsoft Defender for Cloud: Regulatory Compliance Blade.\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceID\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\
",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Rank\",\"formatter\":5},{\"columnMatch\":\"RecommendationSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":2500,\"filter\":true}},\"name\":\"query - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAssessmentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Controls Crosswalk](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n---\\r\\nControls crosswalk provides a mapping of Zero Trust (TIC 3.0) controls across additional compliance frameworks. 
This provides free-text search capabilities mapping Zero Trust pillars, TIC 3.0 controls, Microsoft offering overlays, and the NIST Cybersecurity Framework.\"},\"customWidth\":\"40\",\"name\":\"Controls Mapping\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Crosswalk = datatable([\\\"Control Name\\\"]: string, [\\\"Zero Trust Pillars\\\"]: string, [\\\"TIC 3.0 Control Family\\\"]: string, [\\\"NIST Cybersecurity Framework\\\"]: string, [\\\"Microsoft Offerings\\\"]: string) [\\r\\n\\\"Backup & Recovery\\\", \\\"Data, Infrastructure\\\", \\\"Universal Security Capabilities\\\", \\\"ID.BE, PR.IP, PR.DS, RS.MI, RC.RP\\\", \\\"Backup Vaults, Recovery Services Vaults, Microsoft Defender for Cloud\\\",\\r\\n\\\"Central Log Management with Analysis\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.PT, DE.AE, RS.AN\\\", \\\"Microsoft Defender for Cloud, Azure Monitor, Azure Lighthouse\\\",\\r\\n\\\"Configuration Management\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.BE, PR.DS, PR.IP, PR.MA\\\", \\\"Automation Accounts, Azure Active Directory, Microsoft Defender for Cloud\\\",\\r\\n\\\"Incident Response Plan & Incident Handling\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.GV, ID.RA, PR.IP, DE.DP, DE.AE, RS.RP, RS.CO, RS.AN, RS.MI\\\", \\\"Microsoft Sentinel\\\",\\r\\n\\\"Inventory\\\", \\\"Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.AC, PR.DS, PR.IP\\\", \\\"Azure Resource Graph Explorer, Azure Active Directory, Microsoft Defender for Cloud, Microsoft 365 Defender\\\",\\r\\n\\\"Least Privilege\\\", \\\"Identities\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.AC, PR.IP, PR.PT, DE.CM\\\", \\\"Azure Active Directory, Microsoft Sentinel, Microsoft Defender for 
Cloud\\\",\\r\\n\\\"Secure Administration\\\", \\\"Identities\\\", \\\"Universal Security Capabilities\\\", \\\"PR.MA\\\", \\\"Azure Active Directory, Privileged Identity Management, Microsoft Defender for Cloud\\\",\\r\\n\\\"Strong Authentication\\\", \\\"Identities\\\", \\\"Universal Security Capabilities\\\", \\\"PR.AC\\\", \\\"Azure Active Directory, Microsoft Defender for Cloud, Microsoft Sentinel, Key Vault\\\",\\r\\n\\\"Time Synchronization\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"PR.IP\\\", \\\"Azure Portal, Virtual Machines, Microsoft Defender for Cloud\\\",\\r\\n\\\"Vulnerability Management\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.RA, PR.IP, DE.AE, DE.CM, DE.DP\\\", \\\"Microsoft Defender for Cloud, Microsoft 365 Defender\\\",\\r\\n\\\"Patch Management\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.IP, PR.MA\\\", \\\"Automation Accounts, Microsoft Defender for Cloud\\\",\\r\\n\\\"Auditing & Accounting\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.SC, PR.AC, PR.PT\\\", \\\"Azure Active Directory, Microsoft Defender for Cloud, Microsoft Sentinel\\\",\\r\\n\\\"Resilience\\\", \\\"Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.BE, PR.PT\\\", \\\"DDoS Protection Plans, Availability Sets, Load Balancing, Virtual Machine Scale Sets\\\",\\r\\n\\\"Enterprise Threat Intelligence\\\", \\\"Visibility & Analytics\\\", \\\"Universal Security Capabilities\\\", \\\"ID.RA, DE.AE, DE.CM, DE.DP\\\", \\\"Microsoft Sentinel, Microsoft Defender Security Intelligence Portal, MSTICpy\\\",\\r\\n\\\"Situational Awareness\\\", \\\"Visibility & Analytics\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, ID.RA, PR.DS, PR.IP, DE.AE, DE.CM, DE.DP, RS.CO\\\", 
\\\"Microsoft Sentinel\\\",\\r\\n\\\"Dynamic Threat Discovery\\\", \\\"Visibility & Analytics\\\", \\\"Universal Security Capabilities\\\", \\\"ID.RA, DE.AE, DE.CM, DE.DP\\\", \\\"Microsoft Sentinel, Microsoft Defender for Cloud\\\",\\r\\n\\\"Policy Enforcement Parity\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"PR.DS, PR.IP, PR.MA\\\", \\\"Azure Policy, Microsoft Defender for Cloud\\\",\\r\\n\\\"Effective Use of Shared Services\\\", \\\"Data, Apps\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, ID.GV, ID.RM, ID.SC, PR.AT, RS.CO\\\", \\\"Azure Lighthouse, Customer Lockbox, Azure Active Directory\\\",\\r\\n\\\"Integrated Desktop, Mobile, & Remote Policies\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.AC, PR.DS, PR.IP, PR.MA\\\", \\\"Azure Active Directory, Microsoft Endpoint Manager\\\",\\r\\n\\\"Anti-Malware\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Files\\\", \\\"PR.DS, PR.PT, DE.CM, DE.DP, RS.MI\\\", \\\"Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft Defender for Identity, Microsoft 365 Defender, Microsoft Defender for Cloud Apps\\\",\\r\\n\\\"Content Disarm & Reconstruction\\\", \\\"Data, Apps\\\", \\\"Files\\\", \\\"PR.PT, DE.CM, DE.DP\\\", \\\"Microsoft 365 Defender, Microsoft Endpoint Manager Admin Center, Microsoft Sentinel\\\",\\r\\n\\\"Detonation Chamber\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Files\\\", \\\"DE.CM, DE.DP, RS.AN, RS.MI\\\", \\\"Microsoft 365 Defender, Microsoft Endpoint Manager, Microsoft Sentinel\\\",\\r\\n\\\"Data Loss Prevention\\\", \\\"Data\\\", \\\"Files\\\", \\\"PR.DS\\\", \\\"Azure Information Protection, Microsoft Sentinel, Office 365 Security & Compliance Center\\\",\\r\\n\\\"Anti-Phishing Protections\\\", \\\"Identity, Endpoints, Data\\\", \\\"Email\\\", \\\"PR.AT, PR.PT, DE.CM\\\", \\\"Microsoft 365 
Defender\\\",\\r\\n\\\"Anti-SPAM Protections\\\", \\\"Identity, Endpoints, Data\\\", \\\"Email\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft 365 Defender\\\",\\r\\n\\\"Authenticated Received Chain\\\", \\\"Authenticated Received Chain\\\", \\\"Email\\\", \\\"PR.AC\\\", \\\"Microsoft 365 Defender, Microsoft 365 Admin Center\\\",\\r\\n\\\"Data Loss Prevention\\\", \\\"Data\\\", \\\"Email\\\", \\\"PR.DS\\\", \\\"Azure Information Protection, Microsoft 365 Defender\\\",\\r\\n\\\"DMARC for Incoming Email\\\", \\\"Identities, Data\\\", \\\"Email\\\", \\\"PR.PT, PR.IP\\\", \\\"Microsoft 365 Defender, Microsoft 365 Admin Center\\\",\\r\\n\\\"DMARC for Outgoing Email\\\", \\\"Identities, Data\\\", \\\"Email\\\", \\\"PR.PT, PR.IP\\\", \\\"Microsoft 365 Defender, Microsoft 365 Admin Center\\\",\\r\\n\\\"Encryption for Email Transmission\\\", \\\"Data\\\", \\\"Email\\\", \\\"PR.PT, PR.DS\\\", \\\"Microsoft 365 Admin Center, Microsoft 365 Defender, Microsoft Defender for Cloud\\\",\\r\\n\\\"Malicious URL Protections\\\", \\\"Network\\\", \\\"Email\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft 365 Defender, Microsoft Sentinel\\\",\\r\\n\\\"URL Click-Through Protection\\\", \\\"Network\\\", \\\"Email\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft 365 Defender, Microsoft Sentinel\\\",\\r\\n\\\"Break & Inspect\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM\\\", \\\"Firewall Policies, Network Watcher\\\",\\r\\n\\\"Active Content Mitigation\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM\\\", \\\"Web Application Firewall Policies, Microsoft 365 Defender, Microsoft Defender for Cloud\\\",\\r\\n\\\"Certificate Denylisting\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft Defender for Cloud, Firewall Policies, Key Vault\\\",\\r\\n\\\"Content Filtering\\\", \\\"Endpoints, Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM, DE.DP\\\", \\\"Firewalls, Firewall Policies, Microsoft 365 Defender\\\",\\r\\n\\\"Authenticated Proxy\\\", \\\"Identities, Network\\\", \\\"Web\\\", 
\\\"PR.AC\\\", \\\"Azure Active Directory, Microsoft Defender for Cloud Apps\\\",\\r\\n\\\"Data Loss Prevention\\\", \\\"Data\\\", \\\"Web\\\", \\\"PR.DS\\\", \\\"Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft Defender for Identity Portal, Microsoft 365 Defender, Microsoft Defender for Cloud Apps, Office 365 Security & Compliance Center, Azure Information Protection\\\",\\r\\n\\\"DNS-over-HTTPS Filtering\\\", \\\"Endpoints, Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft Defender for Cloud, Azure Firewall, Microsoft 365 Defender\\\",\\r\\n\\\"RFC Compliance Enforcement\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT\\\", \\\"Web Application Firewall, Azure Firewall\\\",\\r\\n\\\"Domain Category Filtering\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.AC, PR.IP\\\", \\\"Azure Firewall\\\",\\r\\n\\\"Domain Reputation Filter\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT\\\", \\\"Azure Firewall, Microsoft Sentinel\\\",\\r\\n\\\"Bandwidth Control\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT\\\", \\\"Azure Firewall\\\",\\r\\n\\\"Malicious Content Filtering\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.DS, PR.PT, PR.CM\\\", \\\"Microsoft Defender for Cloud, Microsoft Sentinel, Azure Firewall, Web Application Firewall\\\",\\r\\n\\\"Access Control\\\", \\\"Identities, Network\\\", \\\"Web\\\", \\\"PR.AC\\\", \\\"Microsoft Defender for Cloud, Privileged Identity Management\\\",\\r\\n\\\"Access Control\\\", \\\"Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.AC, PR.IP, DE.CM\\\", \\\"Microsoft Defender for Cloud, Network Security Groups, Azure Firewall, Web Application Firewall, Virtual Network Gateways, ExpressRoute Circuits\\\",\\r\\n\\\"IP Denylisting\\\", \\\"Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft Sentinel, Azure Firewall\\\",\\r\\n\\\"Host Containment\\\", \\\"Endpoints, Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.AC, PR.IP, PR.PT\\\", \\\"Microsoft Sentinel, Microsoft Defender for Cloud, 
Microsoft 365 Defender\\\",\\r\\n\\\"Network Segmentation\\\", \\\"Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.AC\\\", \\\"Virtual Networks, Microsoft Defender for Cloud\\\",\\r\\n\\\"Microsegmentation\\\", \\\"Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.AC, PR.DS, PR.IP, PR.PT\\\", \\\"Application Security Groups, Network Security Groups, Microsoft Defender for Cloud\\\",\\r\\n\\\"DDoS Protections\\\", \\\"Data, Apps, Infrastructure, Network\\\", \\\"Resiliency\\\", \\\"PR.PT\\\", \\\"DDoS Protection Plans, Microsoft Sentinel\\\",\\r\\n\\\"Elastic Expansion\\\", \\\"Infrastructure\\\", \\\"Resiliency\\\", \\\"ID.AM, PR.DS\\\", \\\"Virtual Machine Scale Sets, Azure SQL, Load Balancer, Traffic Manager Profiles, Microsoft Defender for Cloud\\\",\\r\\n\\\"Regional Delivery\\\", \\\"Infrastructure\\\", \\\"Resiliency\\\", \\\"ID.AM, PR.AC, PR.DS\\\", \\\"Availability Sets, Azure Active Directory, Microsoft Defender for Cloud\\\",\\r\\n\\\"DNS Sinkholing\\\", \\\"Network\\\", \\\"DNS\\\", \\\"PR.PT\\\", \\\"DNS Zones, Azure Firewall, Microsoft Defender for Cloud, Microsoft Sentinel\\\",\\r\\n\\\"DNSSEC for Agency Clients\\\", \\\"Network\\\", \\\"DNS\\\", \\\"PR.PT\\\", \\\"DNS Zones, Azure Firewall, Microsoft Defender for Cloud, Microsoft Sentinel\\\",\\r\\n\\\"DNSSEC for Agency Domains\\\", \\\"Network\\\", \\\"DNS\\\", \\\"PR.PT\\\", \\\"DNS Zones, Microsoft Defender for Cloud, Microsoft 365 Defender\\\",\\r\\n\\\"Endpoint Detection & Response\\\", \\\"Endpoints, Infrastructure\\\", \\\"Intrusion Detection\\\", \\\"DE.AE, DE.CM, RS.AN\\\", \\\"Microsoft 365 Defender, Microsoft Defender for Cloud\\\",\\r\\n\\\"Intrusion Protection Systems (IPS)\\\", \\\"Network\\\", \\\"Intrusion Detection\\\", \\\"DE.AE, DE.CM, DE.DP, RS.AN\\\", \\\"Azure Firewall, Microsoft Sentinel\\\",\\r\\n\\\"Adaptive Access Control\\\", \\\"Identities\\\", \\\"Intrusion Detection\\\", \\\"PR.AC, DE.CM\\\", \\\"Microsoft Defender for Cloud, Azure Active 
Directory\\\",\\r\\n\\\"Deception Platforms\\\", \\\"Identities\\\", \\\"Intrusion Detection\\\", \\\"PR.PT, DE.AE, RS.AN\\\", \\\"Microsoft Sentinel, Microsoft Defender for Identity\\\",\\r\\n\\\"Certificate Transparency Log Monitoring\\\", \\\"Infrastructure, Apps\\\", \\\"Intrusion Detection\\\", \\\"DE.CM\\\", \\\"Key Vault, Microsoft Sentinel, Microsoft Defender for Cloud\\\",\\r\\n\\\"Security Orchestration, Automation, & Response (SOAR)\\\", \\\"Visibility & Automation\\\", \\\"Enterprise\\\", \\\"DE.AE, DE.CM, DE.DP, RS.CO, RS.AN, RC.RP\\\", \\\"Microsoft Sentinel\\\",\\r\\n\\\"Shadow IT Detection\\\", \\\"Endpoints, Infrastructure, Apps\\\", \\\"Enterprise\\\", \\\"PR.IP, PR.MA, DE.CM\\\", \\\"Microsoft Defender for Cloud Apps, Microsoft Defender for Cloud, Microsoft Sentinel, Microsoft 365 Defender, Microsoft Defender for IoT\\\",\\r\\n\\\"Virtual Private Network (VPN)\\\", \\\"Network\\\", \\\"Enterprise\\\", \\\"PR.AC, PR.DS, PR.IP, PR.MA, PR.PT\\\", \\\"Virtual Network Gateways, Microsoft Defender for Cloud\\\",\\r\\n\\\"UCC Identity Verification\\\", \\\"Identities\\\", \\\"Unified Communications & Collaboration\\\", \\\"PR.AC\\\", \\\"Microsoft 365 Admin Center, Azure Active Directory\\\",\\r\\n\\\"UCC Encrypted Communication\\\", \\\"Data\\\", \\\"Unified Communications & Collaboration\\\", \\\"PR.PT, PR.DS\\\", \\\"Microsoft 365 Admin Center\\\",\\r\\n\\\"UCC Connection Termination\\\", \\\"Identities\\\", \\\"Unified Communications & Collaboration\\\", \\\"PR.AC, PR.IP, PR.AT\\\", \\\"Microsoft Teams\\\",\\r\\n\\\"UCC Data Loss Prevention\\\", \\\"Data\\\", \\\"Unified Communications & Collaboration\\\", \\\"PR.DS\\\", \\\"Microsoft 365 Defender, Microsoft 365 Compliance Center\\\",\\r\\n\\\"Access Control\\\", \\\"Identities\\\", \\\"Data Protection\\\", \\\"PR.AC, PR.IP, DE.CM\\\", \\\"Azure Active Directory\\\",\\r\\n\\\"Protections for Data at Rest\\\", \\\"Data\\\", \\\"Data Protection\\\", \\\"PR.DS\\\", \\\"Microsoft Defender for Cloud, Key 
Vault\\\",\\r\\n\\\"Protections for Data in Transit\\\", \\\"Data\\\", \\\"Data Protection\\\", \\\"PR.DS\\\", \\\"Microsoft Defender for Cloud, Key Vault\\\",\\r\\n\\\"Data Loss Prevention\\\", \\\"Data\\\", \\\"Data Protection\\\", \\\"PR.DS\\\", \\\"Azure Information Protection, Microsoft Sentinel, Office 365 Security & Compliance Center\\\",\\r\\n\\\"Data Access & Use Telemetry\\\", \\\"Data\\\", \\\"Data Protection\\\", \\\"ID.AM, PR.AC, PR.DS, PR.PT, DE.AE, DE.CM\\\", \\\"Azure Active Directory, Azure Information Protection, Microsoft 365 Compliance Center\\\"\\r\\n];\\r\\nCrosswalk\\r\\n| project [\\\"Control Name\\\"],[\\\"Zero Trust Pillars\\\"],[\\\"TIC 3.0 Control Family\\\"],[\\\"NIST Cybersecurity Framework\\\"],[\\\"Microsoft Offerings\\\"]\",\"size\":0,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Control Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"TIC 3.0 Control Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Microsoft Offerings\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isControlsCrosswalkVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Controls 
Mapping\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Recommended Data Connectors](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\\r\\n---\\r\\n\\r\\nAfter onboarding Microsoft Sentinel into your workspace, connect data sources to start ingesting your data into Microsoft Sentinel. Microsoft Sentinel comes with many connectors for Microsoft products, available out of the box and providing real-time integration. For example, service-to-service connectors include Microsoft 365 Defender connectors and Microsoft 365 sources, such as Office 365, Microsoft Entra ID, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. Check out these references if you're new to Microsoft Sentinel.\"},\"customWidth\":\"40\",\"name\":\"NS Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"b1cd1f8a-e807-4deb-93f4-7812e5ed014a\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Data Connectors >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorsBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\"}}]},\"customWidth\":\"20\",\"name\":\"EL0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/best-practices\",\"linkTarget\":\"Url\",\"linkLabel\":\"Best Practices\",\"style\":\"link\"},{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-all-in-one-accelerator/ba-p/1807933\",\"linkTarget\":\"Url\",\"linkLabel\":\"Microsoft Sentinel All-In-One 
Accelerator\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://docs.microsoft.com/learn/browse/?wt.mc_id=resilience_skilling_webpage_gdc&terms=sentinel\",\"linkTarget\":\"Url\",\"linkLabel\":\"Microsoft Sentinel Training\",\"style\":\"link\"}]},\"customWidth\":\"40\",\"name\":\"links - 29\"}],\"exportParameters\":true},\"name\":\"group - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Foundational Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Activity Connector](https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"909d0019-23cb-43ad-8285-9f1dca1cd1be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureActivity\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureActivity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"58cc25ab-a9af-4516-99e1-fa22e0637a76\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActivity\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"33\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Entra ID Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"23ba579d-c894-43be-9fe1-d1b04bc34d7a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SignInLogs\",\"label\":\"Status\",\"type\":1,\"query\":\"SigninLogs\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Active Directory\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"7c97e893-29f3-4d4c-a379-f220bb82518c\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActiveDirectory\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Active Directory (AAD) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Office 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-office-365)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"68bd12c8-e473-45d1-8bbc-2dd9f326ea69\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"OfficeActivity\",\"label\":\"Status\",\"type\":1,\"query\":\"OfficeActivity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"6a86eb8d-5487-4aad-ae7b-b526e68a249f\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Office365\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Office 365 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Cloud Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-cloud)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"1673e4cf-354f-4a42-bed2-2374be47779e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MDfC\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"Azure Security Center\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"56600b70-0e55-433a-be86-b7c561bced8b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureSecurityCenter\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Defender for Cloud Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Network Security Groups (NSG) Connector](https://docs.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"b17ce357-e8d5-4c7c-a4f0-765598462a1c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NSG\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"NetworkSecurityGroupEvent\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"935bb630-1fce-4021-b7b4-c010b9e05973\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureNSG\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Network Security Groups (NSG) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Windows Security Events (AMA) Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CAMA#windows-agent-based-connections)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"d9af27d9-8c90-4c85-a57f-f329257d9956\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AMA\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityEvent\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d002eb41-c632-429b-8504-846b69314620\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WindowsSecurityEvents\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Windows Security Events (AMA) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Security Events via Legacy Agent Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CLAA#windows-agent-based-connections)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"b2737fbc-c0e2-4584-9fba-ee7d057d7db0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecurityEvent\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityEvent\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"9a8b0649-e79b-4a30-be25-4a5486f302ee\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"SecurityEvents\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Security Events via Legacy Agent Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [DNS Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#windows-dns-server-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNS\",\"label\":\"Status\",\"type\":1,\"query\":\"DnsEvents\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"2d8731f5-c225-4a39-9914-6391b2c89ecb\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"DNS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"DNS Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Storage Accounts Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-storage-account)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4f291c03-8d98-47b6-ba82-1282322bb7a5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"StorageLogs\",\"label\":\"Status\",\"type\":1,\"query\":\"StorageBlobLogs\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"6d9cd26b-3fcd-4556-b2eb-3dcb711c4de4\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureStorageAccount\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Storage Logs Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Common Event Format (CEF) Connector](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4fcf795c-75b8-4010-bd24-1d66511ff6e8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CommonSecurityLog\",\"label\":\"Status\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"452e02e1-b0c4-4b9b-8a54-bc9295db22b9\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"CEF\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Common Event Format (CEF) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Syslog Connector](https://docs.microsoft.com/azure/sentinel/connect-syslog)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"fa63a08f-dd08-4e11-bcb6-c075a6d6c15c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Syslog\",\"label\":\"Status\",\"type\":1,\"query\":\"Syslog\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"021644a3-bd51-4b09-8117-017a89c71d58\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Syslog\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Syslog Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Amazon Web Services (AWS) Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"18ed59f0-c497-44b1-94b7-8700051cf189\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AWS\",\"label\":\"Status\",\"type\":1,\"query\":\"AWSCloudTrail\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"393c465e-4398-428b-8da2-87ac07d8a987\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AWS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Amazon Web Services (AWS) S3 Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AWSS3\",\"label\":\"Status\",\"type\":1,\"query\":\"AWSVPCFlow\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AwsS3\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) S3 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Google Cloud Platform IAM Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#google-workspace-g-suite-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"GCP\",\"label\":\"Status\",\"type\":1,\"query\":\"GCP_IAM_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"1f2ba663-dd7a-49b6-87ba-0b8adf6d2d34\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) S3 Connector - Copy\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Basic Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft 365 Defender Connector](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"M365Defender\",\"label\":\"Status\",\"type\":1,\"query\":\"AlertEvidence\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 
3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftThreatProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft 365 Defender Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Endpoint Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-endpoint)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MDE\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"MDATP\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftDefenderAdvancedThreatProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft 365 Defender Connector - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureFirewall\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureFirewall\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Windows Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WindowsFirewall\",\"label\":\"Status\",\"type\":1,\"query\":\"WindowsFirewall\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WindowsFirewall\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Windows Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Web Application Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-web-application-firewall-waf)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureWAF\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceType in (\\\"APPLICATIONGATEWAYS\\\", \\\"FRONTDOORS\\\", \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\", \\\"PROFILES\\\")\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WAF\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Web Application Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure SQL Databases Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-sql-databases)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SQL\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where Category contains \\\"SQL\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"2d8731f5-c225-4a39-9914-6391b2c89ecb\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureSql\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"SQL Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Key Vault Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-key-vault)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureKeyVault\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceProvider == \\\"MICROSOFT.KEYVAULT\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureKeyVault\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Key Vault Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure DDoS Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-ddos-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DDoS\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceType == \\\"PUBLICIPADDRESSES\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"DDOS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure DDoS Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [VMware ESXi Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#vmware-esxi-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"VMwareESXi\",\"label\":\"Status\",\"type\":1,\"query\":\"VMwareESXi\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"VMwareESXi\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"VMware ESXi Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Cloud: Continuous Export](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export?tabs=azure-portal)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecurityRecommendation\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityRecommendation\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Feature\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Continuous Export 
Connector\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Intermediate Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Information Protection Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-information-protection-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"InformationProtectionLogs_CL\",\"type\":1,\"query\":\"InformationProtectionLogs_CL​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Status\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureInformationProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Information Protection Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Dynamics 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#dynamics-365)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Dynamics365Activity\",\"label\":\"Status\",\"type\":1,\"query\":\"Dynamics365Activity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Dynamics365\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Dynamics 365 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Kubernetes Service (AKS) Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-kubernetes-service-aks)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AKS\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"kube-audit\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureKubernetes\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Kubernetes Service (AKS) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Qualys Vulnerability Management Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#qualys-vulnerability-management-vm-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Qualys\",\"label\":\"Status\",\"type\":1,\"query\":\"QualysHostDetection_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"QualysVulnerabilityManagement\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Qualys Vulnerability Management Connector\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Advanced Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Entity Behavior (UEBA)](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"BehaviorAnalytics\",\"label\":\"Status\",\"type\":1,\"query\":\"BehaviorAnalytics​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 
1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Feature\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"EntitySearchBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\"}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Entity Behavior (UEBA) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Entra ID Protection Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AADIP\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert | where ProductName == \\\"Azure Active Directory Identity Protection\\\"​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActiveDirectoryIdentityProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Active Directory Identity Protection Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Threat Intelligence TAXII Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-taxii)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TAXII\",\"label\":\"Status\",\"type\":1,\"query\":\"ThreatIntelligenceIndicator | where SourceSystem !in (\\\"SecurityGraph\\\", \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\") ​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligenceTaxii\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Threat Intelligence TAXII Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Threat Intelligence Platform Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-tip)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatIntelligence\",\"label\":\"Status\",\"type\":1,\"query\":\"ThreatIntelligenceIndicator | where SourceSystem in (\\\"SecurityGraph\\\", \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\") ​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligence\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Threat Intelligence Platform Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for IoT Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-iot)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MD4IOT\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert | where ProductName == \\\"Azure Security Center for IoT\\\"​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"IoT\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Defender for IoT Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Purview: Insider Risk Management Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-purview-insider-risk-management-irm-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IRM\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProductName == \\\"Microsoft 365 Insider Risk Management\\\"​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"OfficeIRM\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Purview: Insider Risk Management Connector\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 6\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"isDCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Recommended Data Connectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Recommended Content](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog)\\r\\n---\\r\\n\\r\\nThe following content packages provide utility for regulated industries use cases.\"},\"name\":\"NS Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/sentinel-solutions\",\"linkTarget\":\"Url\",\"linkLabel\":\"About Microsoft Sentinel Content & Solutions\",\"style\":\"link\"},{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog\",\"linkTarget\":\"Url\",\"linkLabel\":\"Content Hub Catalog\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"40\",\"name\":\"group - 4\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 
2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"76c7831e-386d-4289-8145-486f52cba8ec\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Content Hub >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ContentHub.ReactView\",\"extensionName\":\"Microsoft_Azure_SentinelUS\"}}]},\"customWidth\":\"40\",\"name\":\"EL0\"}]},\"name\":\"group - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Zero Trust (TIC 3.0) Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n\\r\\n---\\r\\nThe Microsoft Sentinel Zero Trust (TIC 3.0) Solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across cloud, multi-cloud, 1st/3rd party workloads. The solution includes the new Zero Trust (TIC 3.0) Workbook, (1) Analytics Rule, and (3) Playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced with numerous Microsoft offerings.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/next-evolution-of-the-microsoft-sentinel-zero-trust-tic-3-0/ba-p/3278097\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/CxLzTRPuw-4\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ZeroTrust(TIC3.0)\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/331934iC71A9ECE39F53E71/image-size/large?v=v2&px=999)\\r\\n\\r\\n\"},\"customWidth\":\"80\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"Zero Trust Solution\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [NIST SP 800-53 Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n\\r\\n---\\r\\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with NIST SP 800-53 control requirements. This offering telemetry from 25+ Microsoft Security products (1P/3P/Multi-Cloud/Hybrid/On-Premises). 
Each NIST SP 800-53 control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-nist-sp-800-53-solution/ba-p/3381485\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/ju9hxtYnj7s\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NISTSP80053\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Workbooks/Images/NISTSP80053Black.png?raw=true)\"},\"customWidth\":\"90\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cybersecurity Maturity Model Certification (CMMC) 2.0](https://www.acq.osd.mil/cmmc/index.html)\\r\\n---\\r\\n\\r\\nThis solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/assessment/reporting, (2) Analytics rules for monitoring and (3) Playbooks for response/remediation. CMMC 2.0 is the next iteration of the Department’s CMMC cybersecurity model. 
It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-cybersecurity-maturity-model/ba-p/3295095\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/-_a5HxJgriE\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/366916iE9E6352466301203/image-size/large?v=v2&px=999)\"},\"customWidth\":\"75\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Azure Security Benchmark v3](https://docs.microsoft.com/security/benchmark/azure/)\\r\\n---\\r\\n\\r\\nEnables Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to gain situational awareness for cloud security posture and hardening. Benchmark recommendations provide a starting point for selecting specific security configuration settings and facilitate risk reduction. The Azure Security Benchmark includes a collection of high-impact security recommendations for improving posture. This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. 
Customer experience will vary by user and some panels may require additional configurations for operation.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/azure-security-benchmark-v3-workbook/ba-p/3257673\",\"linkTarget\":\"Url\",\"linkLabel\":\"Announce Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/v57gWjvcY4o\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"cc5f4830-f090-4f5e-afb2-47adba6be532\",\"cellValue\":\"https://youtu.be/qVJjwOipHDA\",\"linkTarget\":\"Url\",\"linkLabel\":\"ASC in the Field\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Workbooks/Azure%20Security%20Benchmark%20v3\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/356031i1852A90B40FA85CF/image-size/large?v=v2&px=999)\"},\"customWidth\":\"86\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsoft Insider Risk Management Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786)\\r\\n---\\r\\n\\r\\nInsider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization, including acting on cases and escalating cases to Microsoft Advanced eDiscovery. 
Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards. Insider risks come in various forms including both witting (intentional) and unwitting (unintentional). This workbook provides an automated visualization of Insider risk behavior cross walked to Microsoft security offerings.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MicrosoftPurviewInsiderRiskManagement\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/326371i9E5EA3A8269A3D54/image-size/large?v=v2&px=999)\"},\"customWidth\":\"75\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [IT/OT Threat Monitoring Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184)\\r\\n---\\r\\n\\r\\nThis solution provides the foundation for building a SOC for monitoring IoT/ OT and includes (1) workbook for visibility/reporting, (14) analytics rules for monitoring, and (4) playbooks for response. The workbook leverages Microsoft Sentinel telemetry to create visualization to understand, analyze, and respond to IoT/OT threats. Understanding alerts over time provides unprecedented insights into security posture and where teams need to focus to harden against threats. Deep links directly to Microsoft Defender for IoT alerts empower analysts to focus on remediating threats rather than pivoting between tools.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"8f7dce97-a41c-42b3-b62f-a21fbf5a1420\",\"cellValue\":\"https://youtu.be/hZS2aplJoy8\",\"linkTarget\":\"Url\",\"linkLabel\":\"YouTube Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/readme.md\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/339516iD1FE1014CDCB1E04/image-size/large?v=v2&px=999)\"},\"customWidth\":\"75\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Maturity Model for Event Log Management Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842)\\r\\n---\\r\\n\\r\\nThis solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident.\\\"Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. 
This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency.\\\" For more information, see 💡[OMB's M-21-31 Memorandum](https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/quV_80ts__k\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MaturityModelForEventLogManagementM2131\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342601i34E2E96C5959D837/image-dimensions/799x468?v=v2)\"},\"customWidth\":\"75\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Threat Analysis & Response Solution](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response)\\r\\n---\\r\\n\\r\\nThis solution enables SecOps Analysts, Threat 
Intelligence Professional, and Threat Hunters to gain situational awareness for threats in cloud environment. The Solution includes (2) Workbooks designed to enable threat hunting programs. Threat analysis provides an understanding of where the attacker is in the cycle which often drives both a historic lens of where the threat may have progressed, but also predictive analytics on the threat’s objectives. This approach is adversarial as understanding of the threat’s attack cycle drives defense actions in a red versus blue model. The Threat Analysis & Response Solution augments the customer burden of building threat hunting programs.\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ThreatAnalysis%26Response/Workbooks/Images/ThreatAnalysis%26ResponseWhite1.png?raw=true)\"},\"customWidth\":\" 100\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence Workbook](https://docs.microsoft.com/security/benchmark/azure/)\\r\\n---\\r\\n\\r\\nThe most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. 
This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions.
\\r\\n\\r\\n---\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-azure-sentinel-threat-intelligence-workbook/ba-p/2858265\",\"linkTarget\":\"Url\",\"linkLabel\":\"Workbook Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/SjEG7iVVBbI\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/ThreatIntelligence.json\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/318165iE3D0AFA0BD5DF73C/image-size/large?v=v2&px=999)\"},\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"Zero Trust Solution - Copy - Copy - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isGCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Recommended Content\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)\\r\\n---\\r\\nAzure Lighthouse helps service providers simplify customer engagement and onboarding experiences, while managing delegated resources at scale with agility and precision. Authorized users, groups, and service principals can work directly in the context of a customer subscription without having an account in that customer's Microsoft Entra ID tenant or being a co-owner of the customer's tenant. The mechanism used to support this access is called Azure delegated resource management. 
\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"1cf637a7-121d-4722-b511-b0c460625e31\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Access Azure Lighthouse\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"LighthouseBlade\",\"extensionName\":\"Microsoft_Azure_CustomerHub\"}}]},\"customWidth\":\"50\",\"name\":\"links - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"managedservicesresources\\r\\n| where type == \\\"microsoft.managedservices/registrationassignments\\\"\\r\\n| where properties.provisioningState == \\\"Succeeded\\\"\\r\\n| extend ManageeTenantName = properties.registrationDefinition.properties.manageeTenantName\\r\\n| extend ManagedByTenantName = properties.registrationDefinition.properties.managedByTenantName\\r\\n| extend ManagedByTenantId = properties.registrationDefinition.properties.managedByTenantId\\r\\n| extend ManageeTenantId = tostring(properties.registrationDefinition.properties.manageeTenantId)\\r\\n| extend PermanentAccess = properties.registrationDefinition.properties.authorizations\\r\\n| extend JITAccess = properties.registrationDefinition.properties.eligibleAuthorizations\\r\\n| extend AddedDate = properties.registrationDefinition.systemData.createdAt\\r\\n| extend CreatedBy = systemData.createdBy\\r\\n| project ManageeTenantName, ManageeTenantId, ManagedByTenantName, ManagedByTenantId, AddedDate, CreatedBy\",\"size\":1,\"showAnalytics\":true,\"title\":\"Azure Lighthouse Delegations\",\"noDataMessage\":\"No Azure Lighthouse Delegations/Customers 
Detected\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ManageeTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Download\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManageeTenantId\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"ManagedByTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Upload\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManagedByTenantId\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"AddedDate\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Clock\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"CreatedBy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"PermanentAccess\",\"formatter\":1},{\"columnMatch\":\"JITAccess\",\"formatter\":1}],\"filter\":true}},\"name\":\"query - 21 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAzureLighthouseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 21\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Universal Security Capabilities](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\n---\\r\\nUniversal capabilities are enterprise-level capabilities that outline guiding principles for TIC use cases. 
Universal capabilities are selected to be broadly applicable; the same list of capabilities apply to every use case. However, certain use cases may provide unique guidance on specific capabilities where necessary. Agencies have significant discretion regarding how to meet the individual security capability requirements and address their particular needs. Agencies are free to determine the level of rigor necessary for applying universal capabilities based on federal guidelines and risk tolerance. While it is expected that agencies may often be able to employ a common solution to fulfill multiple roles or serve multiple purposes, the selection of an appropriate set of solutions is left to each agency.\"},\"customWidth\":\"40\",\"name\":\"text - 105\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 105\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Backup and Recovery\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Backup\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Central Log Management with Analysis\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Central\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Configuration Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Configuration\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Response Plan and Incident Handling\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Incident\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Inventory\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Inventory\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Least Privilege\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Least\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Secure Administration\\\\\\\", \\\\\\\"tab\\\\\\\": 
\\\\\\\"Secure\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Strong Authentication\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Strong\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Time Synchronization\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Time\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Vulnerability Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Vulnerability\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"2adea420-fa6e-4073-8a78-1aeada742e2c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isBackupVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Backup\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCentralVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Central\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"04e846bb-6bca-4981-863b-76f4e8ea5667\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isConfigurationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"crit
eriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Configuration\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"7498b0e3-e4dd-44c9-868d-d5baef71ba17\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIncidentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Incident\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"7010b3e9-27e4-40b0-8d4b-fdd05f940d92\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isInventoryVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Inventory\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c9285caf-952f-458a-ac89-3fdb2871151f\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isLeastVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Least\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"356132e1-e5e8-4fd4-8a56-95bd91bc9470\"},{\"ve
rsion\":\"KqlParameterItem/1.0\",\"name\":\"isSecureVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Secure\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"8d5eb913-9e91-4f61-930b-26335aaad1cf\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isStrongVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Strong\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"232d115f-5a82-4a70-aa2d-12fb00993230\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isTimeVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Time\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"da3d19be-b7ed-4449-83ea-c9a001f54315\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isVulnerabilityVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Vulnerability\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false
\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"5e32dd42-2359-4ed6-a5e9-303873a50442\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Patch Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Patch\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Auditing and Accounting\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Auditing\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Resilience\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Resilience\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Enterprise Threat Intelligence\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Enterprise\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Situational Awareness\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Situational\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Dynamic Threat Discovery\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Dynamic\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Policy Enforcement Parity\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Policy\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Effective Use of Shared Services\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Effective\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Integrated Desktop, Mobile, and Remote Policies\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Integrated\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"2dc83cdc-c5e9-4ea7-a986-0294effc2e8e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPatchVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Patch\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAuditingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Auditing\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"be23e804-75f9-486d-8478-8af0ed3b0b6d\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isResilienceVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Resilience\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"41d2063e-0f2b-47dc-9c7c-2cdcdafb80ec\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEnterpriseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Enterprise\",\"resultValType\":\"static\",\"resultVa
l\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b2752897-08eb-4f06-adae-d7e0b278acef\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSituationalVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Situational\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"0531d0e3-8eb9-4c7f-bedb-d29aed642c1b\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDynamicVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Dynamic\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ee837eb2-25bb-4a51-bdd7-5d58640fb780\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPolicyVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Policy\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"683d9906-de4f-400f-b92e-8f6d5f346db7\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEffectiveVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator
\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Effective\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"6e5570df-f9fa-4ce9-b79c-74068100c9c6\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIntegratedVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Integrated\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e7db70e6-eafa-4cb0-ac08-58719fad7c33\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Backup and Recovery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nKeeping copies of configuration and data, as needed, to allow for the quick restoration of service in the event of malicious incidents, system failures, or corruption.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Backup](https://azure.microsoft.com/services/backup/)\\r\\n\\r\\n### Implementation \\r\\n💡 [What is the Azure Backup Service?](https://docs.microsoft.com/azure/backup/backup-overview)
\\r\\n💡 [Review Your Security Recommendations](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Configure Recovery Service Vaults](https://docs.microsoft.com/azure/backup/backup-azure-recovery-services-vault-overview)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Backup Vaults](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Overview)
\\r\\n🔀 [Recovery Services Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.RecoveryServices%2Fvaults)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.BE, PR.IP, PR.DS, RS.MI, RC.RP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"back\\\" or RecommendationDisplayName contains \\\"recover\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"recover\\\" or type contains \\\"restore\\\" or type contains \\\"back\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Backup & Recovery Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"restore\\\" or Description contains \\\"recover\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"restore\\\" or Description contains \\\"recover\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"restore\\\" or Description contains \\\"recover\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by 
Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"te
xt\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isBackupVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Backup and Recovery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Central Log Management & Analysis](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCollecting, storing, and analyzing telemetry, where the collection and storage are designed to facilitate data fusion and the security analysis aids in discovery and response to malicious activity.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) 🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Create Diagnostic Settings to Send Platform Logs and Metrics to Different Destinations](https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [What is Azure Lighthouse?](https://docs.microsoft.com/azure/lighthouse/overview)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n🔀 [Azure Lighthouse](https://portal.azure.com/#blade/Microsoft_Azure_CustomerHub/LighthouseBlade)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.PT, DE.AE, RS.AN](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"log\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type == \\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Logging Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource=_TableName *\\r\\n| summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff(\\\"second\\\",now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable==true) by _TableName, _IsBillable\\r\\n| project ['Table Name'] = _TableName, ['Table Size'] = Size, ['Table Entries'] = Entries,\\r\\n ['Size per Entry'] = 1.0 * Size / Entries, ['IsBillable'] = _IsBillable\\r\\n| order by ['Table Size'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Table Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Table Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Table Size\",\"formatter\":8,\"formatOptions\":{\"palette\":\"purple\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Table Entries\",\"formatter\":8,\"formatOptions\":{\"palette\":\"turquoise\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Size per Entry\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"IsBillable\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Important\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_IsBillable_4\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_IsBillable_4\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurity
CapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isCentralVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Central Log Management with Analysis\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Configuration Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nImplementing a formal plan for documenting, managing changes to the environment, and monitoring for deviations, preferably automated.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Enable Change Tracking and Inventory From an Automation Account](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-automation-account)
\\r\\n💡 [Ensure Your Endpoints Are Configured Properly](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines)
\\r\\n💡 [Secure Score in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/secure-score-security-controls)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.BE, PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"config\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"config\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"config\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"config\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| summarize count() by OperationName\\r\\n| where OperationName <> \\\"Other\\\"\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Audit Logs\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isConfigurationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Configuration 
Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Response Plan and Incident Handling](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDocumenting and implementing a set of instructions, procedures, or technical capabilities to sense and detect, respond to, limit consequences of malicious cyber attacks, and restore the integrity of the network and associated systems.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Quickstart: Tutorial: Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/tutorial-investigate-cases)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.GV, ID.RA, PR.IP, DE.DP, DE.AE, RS.RP, RS.CO, RS.AN, RS.MI](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Security Incidents\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"High\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"High\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleCont
ent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"Medium\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"Medium \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Cell
Details\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"orange\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"Low\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"Low\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"yellow\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where dayofyear(TimeGenerated) == dayofyear(now())\\n| summarize count()\\n\\n\\n\",\"size\":4,\"title\":\"New Today\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"blueDark\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10\"}]},\"customWidth\":\"50\",\"name\":\"Incidents\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber\\r\\n| where Status == \\\"Closed\\\"\\r\\n| extend TimeToRespond = (CreatedTime - FirstActivityTime)/1h \\r\\n| extend TimeToResolve = (ClosedTime - CreatedTime)/1h\\r\\n| extend 
AssignedAnalyst = tostring(Owner.assignedTo)\\r\\n| extend [\\\"MITRE ATT&CK Tactics\\\"] = tostring(parse_json(tostring(AdditionalData.tactics))[0])\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| project IncidentName=Title, IncidentNumber, Severity, IncidentUrl, [\\\"MITRE ATT&CK Tactics\\\"], AssignedAnalyst, Classification, ClassificationComment, ClassificationReason, Description, TimeToRespond, TimeToResolve, IncidentStartTime=CreatedTime, IncidentClosedTime=ClosedTime, IncidentBlade\\r\\n| sort by IncidentClosedTime desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Closure Reports\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"TimeToRespond\",\"formatter\":0,\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"TimeToResolve\",\"formatter\":0,\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 9 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIncidentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Incident Response Plan and Incident Handling\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Inventory](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDeveloping, documenting, and maintaining a current inventory of all systems, networks, and components so that only authorized endpoints are given access, and unauthorized and un-managed endpoints are found and prevented from gaining access.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource 
Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [DeviceRegistryEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceregistryevents) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Explore and Manage Your Resources With Asset Inventory](https://docs.microsoft.com/azure/security-center/asset-inventory)
\\r\\n💡 [View Installed Software](https://docs.microsoft.com/azure/automation/automation-tutorial-installed-software#view-installed-software)
\\r\\n💡 [What is Azure Resource Graph?](https://docs.microsoft.com/azure/governance/resource-graph/overview)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Resource Graph Explorer](https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"Implemented\"},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"04JUL76\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"Asset Inventory Implemented, Plan of Action & Milestones Documented, System Security Plan (SSP) Updated\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| extend Azure_Inventory=location\\r\\n| extend M365_Inventory=strcat(\\\"https://security.microsoft.com/machines\\\")\\r\\n| project AssetID=id,AssetType=type, Azure_Inventory, M365_Inventory\\r\\n| sort by AssetType desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Asset Inventory\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"where type contains \\\"microsoft\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by location\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"location\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by type\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Asset Count by Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"ResourceFlat\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 8\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| summarize count() by ResourceDisplayName\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Application Inventory & Access\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceRegistryEvents \\r\\n| summarize arg_max(TimeGenerated, *) by InitiatingProcessFileName, DeviceName\\r\\n| summarize count() by InitiatingProcessFileName\\r\\n| where InitiatingProcessFileName <> \\\"\\\"\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Software Inventory by Initiating Process\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3 - 
Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isInventoryVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Inventory\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Least Privilege](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDesigning the security architecture such that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Administrator roles by admin task in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/roles/delegate-by-task)
\\r\\n💡 [Overview of role-based access control in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/roles/custom-overview)
\\r\\n💡 [Microsoft Entra ID Sign-In Activity](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-all-sign-ins)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.IP, PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"identity\\\" or RecommendationDisplayName contains \\\"privilege\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Valid Accounts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityInfo\\r\\n| extend GroupMemberships = strcat(GroupMembership)\\r\\n| extend AssignedRoles_ = strcat(AssignedRoles)\\r\\n| extend UserPrincipalName = MailAddress\\r\\n| where MailAddress <> \\\"\\\"\\r\\n| distinct UserPrincipalName, GroupMemberships, AssignedRoles_\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Assigned Roles & Group 
Memberships\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isLeastVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Least Privilege\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Secure Administration](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nPerforming administrative tasks in a secure manner, using secure protocols.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for 
Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Delegate Administration in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/roles/concept-delegation)
\\r\\n💡 [Start Using Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started#)
 \\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"admin\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"admin\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"admin\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"admin\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where OperationName contains \\\"PIM\\\"\\r\\n| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\r\\n| distinct OperationName, Identity, AADOperationType, InitiatedBy, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Privileged Identity Management\",\"noDataMessage\":\"An Empty 
Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Identity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InitiatedBy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"PersonWithFriend\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"op
erator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_InitiatedBy_3\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_InitiatedBy_3\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSecureVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Secure Administration\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Strong Authentication](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nVerifying the identity of users, endpoints, or other entities through rigorous means (e.g. multi-factor authentication) before granting access.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Plan an Azure AD Multi-Factor Authentication Deployment](https://docs.microsoft.com/azure/active-directory/authentication/howto)
\\r\\n💡 [How it works: Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks)
\\r\\n💡 [Remediate recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-remediate-recommendations)
\\r\\n💡 [SecretManagement and Accessing Linux VMs in Azure](https://techcommunity.microsoft.com/t5/itops-talk-blog/secretmanagement-and-accessing-linux-vms-in-azure/ba-p/2278735)
\\r\\n💡 [Eliminate Password-Based Attacks on Azure Linux VMs](https://techcommunity.microsoft.com/t5/azure-security-center/eliminate-password-based-attacks-on-azure-linux-vms/ba-p/2271139)
\\r\\n💡 [Quickstart: Create a Key Vault Using the Azure Portal](https://techcommunity.microsoft.com/t5/itops-talk-blog/secretmanagement-and-accessing-linux-vms-in-azure/ba-p/2278735)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"authentication\\\" or RecommendationDisplayName contains \\\"JIT\\\" or RecommendationDisplayName contains \\\"password\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\" or Description contains \\\"password\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\" or Description contains \\\"password\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\" or Description contains \\\"password\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Title contains \\\"auth\\\" or Title contains \\\"password\\\" or Title contains \\\"login\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == 
\\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Authentication Attacks\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isStrongVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\" Strong Authentication\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Time Synchronization](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCoordinating clocks on all systems (e.g. servers, workstations, network endpoints) to enable accurate comparison of timestamps between systems.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Time Sync for Windows VMs in Azure](https://docs.microsoft.com/azure/virtual-machines/windows/time-sync)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Portal](https://portal.azure.com/)
\\r\\n🔀 [Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Time Synchronization\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"time\\\" or Description contains \\\"sync\\\" or Description contains \\\"ntp\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"time\\\" or Description contains \\\"sync\\\" or Description contains \\\"ntp\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"time\\\" or Description contains \\\"sync\\\" or Description contains \\\"ntp\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description !contains \\\"runtime\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isTimeVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Time 
Synchronization\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Vulnerability Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nProactively working to discover vulnerabilities, including the use of both active and passive means of discovery, and taking action to mitigate discovered vulnerabilities.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Secure Score in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/secure-score-security-controls)
\\r\\n💡 [Microsoft Defender for Cloud's Integrated Vulnerability Assessment Solution for Azure and Hybrid Machine](https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment)
\\r\\n💡 [Threat and Vulnerability Management Walk-Through](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft 365 Defender: Threat & Vulnerability Management](https://security.microsoft.com/tvm_dashboard)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, PR.IP, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"vuln\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| where CceId <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by ResourceId, CceId\\r\\n|project CceId, RuleSeverity, Description, ResourceId\\r\\n|limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Vulnerability Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CceId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RuleSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Resource\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| where CceId <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by Resource, CceId\\r\\n| summarize count() by ResourceId\\r\\n| sort by count_ 
desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Vulnerability Count by Asset\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Resource\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"CceId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RuleSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isVulnerabilityVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Vulnerability Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Patch 
Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentifying, acquiring, installing, and verifying patches for products and systems.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Update Management Overview](https://docs.microsoft.com/azure/automation/update-management/overview)
\\r\\n💡 [Enable Update Management From the Azure Portal](https://docs.microsoft.com/azure/automation/update-management/enable-from-portal)
\\r\\n💡 [Handling Planned Maintenance Notifications Using the Azure Portal](https://docs.microsoft.com/azure/virtual-machines/maintenance-notifications-portal)
\\r\\n💡 [Managing Platform Updates with Maintenance Control](https://docs.microsoft.com/azure/virtual-machines/maintenance-control?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json)
\\r\\n💡 [Scheduling Maintenance Updates with Maintenance Control and Azure Functions](https://github.com/Azure/azure-docs-powershell-samples/tree/master/maintenance-auto-scheduler)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"update\\\" or RecommendationDisplayName contains \\\"upgrade\\\" or RecommendationDisplayName contains \\\"version\\\" or RecommendationDisplayName contains \\\"patch\\\" or RecommendationDisplayName contains \\\"java\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isPatchVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Patch Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Auditing and Accounting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCapturing business records, including logs and other telemetry, and making them available for auditing and accounting as required. Design of the auditing system should take insider threat into consideration, including separation of duties violation tracking, such that insider abuse or misuse can be detected.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Create Diagnostic Settings to Send Platform Logs and Metrics to Different Destinations](https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings)
\\r\\n💡 [Tutorial: Grant a User Access to Azure Resources Using the Azure Portal](https://docs.microsoft.com/azure/role-based-access-control/quickstart-assign-role-user-portal)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Auditing Microsoft Sentinel Activities](https://techcommunity.microsoft.com/t5/azure-sentinel/auditing-azure-sentinel-activities/ba-p/1718328)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST CSF Mapping\\r\\n[ID.SC, PR.AC, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"audit\\\" or RecommendationDisplayName contains \\\"account\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"audit\\\" or Description contains \\\"log\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"audit\\\" or Description contains \\\"log\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"audit\\\" or Description contains \\\"log\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Usage\\r\\n| summarize count() by DataType\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Events by Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"rowLimit\":100}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAuditingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Auditing and Accounting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Resilience](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEnsuring that systems, services, and protections maintain acceptable performance under adverse conditions.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) 🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure DDoS Protection]( https://azure.microsoft.com/services/ddos-protection/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DDoS Protection Plans](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FddosProtectionPlans)
\\r\\n🔀 [Availability Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FavailabilitySets)
\\r\\n🔀 [Load Balancing](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔀 [Virtual Machine Scale Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FvirtualMachineScaleSets)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure DDoS Protection Standard Overview](https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview)
\\r\\n💡 [Building Solutions for High Availability Using Availability Zones](https://docs.microsoft.com/azure/architecture/high-availability/building-solutions-for-high-availability)
 \\r\\n💡 [Azure Infrastructure Availability](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-availability)
 \\r\\n💡 [What is Azure Load Balancer?](https://docs.microsoft.com/azure/load-balancer/load-balancer-overview)
\\r\\n💡 [What are virtual machine scale sets?](https://docs.microsoft.com/azure/virtual-machine-scale-sets/overview)
 \\r\\n\\r\\n### NIST CSF Mapping\\r\\n[ID.BE, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"balance\\\" or RecommendationDisplayName contains \\\"denial\\\" or RecommendationDisplayName contains \\\"recover\\\" or RecommendationDisplayName contains \\\"back\\\" or RecommendationDisplayName contains \\\"scale\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"dos\\\"or type contains \\\"balance\\\" or type contains \\\"recover\\\" or type contains \\\"back\\\" or type 
contains \\\"scale\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Resilience Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"DDoSMitigationReports\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| extend TopAttackVector = tostring(parse_json(AttackVectors_s)[0]) \\r\\n| extend Total_packets_ = tostring(parse_json(TrafficOverview_s).Total_packets) \\r\\n| extend Total_packets_dropped_ = todouble(parse_json(TrafficOverview_s).Total_packets_dropped)\\r\\n| extend TotalPackets =todouble(Total_packets_)\\r\\n| where TotalPackets > 0\\r\\n| where TopAttackVector <> \\\"\\\"\\r\\n| project TopAttackVector, TotalPackets, TotalPacketsDropped = Total_packets_dropped_ , ResourceId , SourceIP=IPAddress, Resource, TimeGenerated\\r\\n| sort by TotalPacketsDropped desc\\r\\n| limit 100\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Denial of Service Attacks Observed\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"IPAddress\",\"parameterName\":\"IPAddress\",\"parameterType\":1},{\"fieldName\":\"ResourceId\",\"parameterName\":\"ResourceId\",\"parameterType\":1,\"defaultValue\":\"ResourceId\"},{\"fieldName\":\"Resource\",\"parameterName\":\"AttackReport\",\"parameterType\":1,\"defaultValue\":\"/\"}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TopAttackVector\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"TotalPackets\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"TotalPacketsDropped\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Resource\",\"formatter\":5},{\"columnMatch\":\"Total_packets_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Total_packets_dropped_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"subtitleContent\":{\"columnMatch\":\"TopAttackVector\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Resource\"},\"rightContent\":{\"columnMatch\":\"TimeGenerated\"},\"showBorder\":true,\"size\":\"auto\"}},\"customW
idth\":\"50\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isResilienceVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Resilience\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Enterprise Threat Intelligence](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nObtaining threat intelligence from private and government sources and implementing mitigation for the identified risks.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [ThreatIntelligenceIndicator](https://docs.microsoft.com/azure/azure-monitor/reference/tables/threatintelligenceindicator) 🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) 🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Connect Data from Threat Intelligence Providers](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n💡 [Microsoft Security Intelligence Portal](https://www.microsoft.com/wdsi)
\\r\\n💡 [Microsoft Graph Security tiIndicators API](https://docs.microsoft.com/graph/api/resources/tiindicator)
\\r\\n💡 [MSTIC Jupyter and Python Security Tools](https://github.com/Microsoft/msticpy)
\\r\\n💡 [Use Jupyter Notebook to Hunt for Security Threats](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender Security Intelligence Portal](https://microsoft.com/wdsi)
\\r\\n🔀 [MSTICpy](https://github.com/Microsoft/msticpy)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cyber Threat Intelligence Indicator Counts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"intel\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Threat Intelligence\",\"noDataMessage\":\"An Empty 
Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where Tactics <> \\\"\\\"\\r\\n| where Tactics <> \\\"Unknown\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n| summarize count() by Tactics\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alerts by MITRE 
ATT&CK Tactics Observed\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Tactics\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Enterprise Threat Intelligence\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Situational Awareness](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMaintaining effective awareness, both current and historical, across all components.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Get Visibility Into Alerts](https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, ID.RA, PR.DS, PR.IP, DE.AE, DE.CM, DE.DP, RS.CO](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where isnotempty(ProviderName)\\r\\n| summarize count() by ProductName\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alerts By Product\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where isnotempty(ProviderName)\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by ProductName\\r\\n| render timechart \\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alerts Over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSituationalVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Situational Awareness\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Dynamic Threat Discovery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nUsing dynamic approaches (e.g. heuristics, baselining, etc.) to discover new malicious activity\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [BehaviorAnalytics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/behavioranalytics) 🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Advanced Multistage Attack Detection in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/fusion)
\\r\\n💡 [Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)
\\r\\n💡 [Heuristic Detections in Microsoft Defender for Cloud](https://azure.microsoft.com/blog/heuristic-dns-detections-in-azure-security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"defender\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AnomalousSigninActivity = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\\r\\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\\r\\n or ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\\r\\n | join (\\r\\n SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \\\"none\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indication from AAD\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', 
'158c047a-c907-4556-b7ef-446551a6b5f7', '62e90394-69f5-4237-9190-012177145e10', 'd29b2b05-8046-44ba-8758-1e26182fcf32', '729827e3-9c14-49f7-bb1b-9608f156bbb8', '966707d0-3269-4727-9be2-8c3a10f19b9d', '194ae4cb-b126-40b2-bd5b-6091b380977d', 'fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c', '7495fdc4-34c4-4d15-a289-98788ce399fd', 'aaf43236-0c0d-4d5f-883a-6955382ac081', '3edaf663-341e-4475-9f94-5c398ef6c070', '7698a772-787b-4ac8-901f-60d6b08affd2', 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', '9f06204d-73c1-4d4c-880a-6edb90606fd8', '29232cdf-9323-42fd-ade2-1d097af3e4de', 'be2f45a1-457d-42af-a067-6ec1fa63bc45', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13', 'e8611ab8-c189-46e8-94e1-60213ab1f814']);//\\r\\nlet AnomalousRoleAssignment = AuditLogs\\r\\n | where TimeGenerated > ago(28d)\\r\\n | where OperationName == \\\"Add member to role\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner (\\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Add member to role\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend AnomalyName = \\\"Anomalous Role Assignment\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privileged groups. 
Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to privileged role, or ones that add users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let LogOns=materialize(\\r\\n BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\");\\r\\nlet AnomalousResourceAccess = LogOns\\r\\n | where ActionType == \\\"ResourceAccess\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous Resource Access\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. 
The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousRDPActivity = LogOns\\r\\n | where ActionType == \\\"RemoteInteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous RDP Activity\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. 
The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousLogintoDevices = LogOns\\r\\n | where ActionType == \\\"InteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\\r\\n | extend AnomalyName = \\\"Anomalous Login To Devices\\\",\\r\\n Tactic = \\\"Privilege Escalation\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. 
The query below generates an output of all administrator users performing an interactive logon (4624:2) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousPasswordReset = BehaviorAnalytics\\r\\n | where ActionType == \\\"Reset user password\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == \\\"True\\\"\\r\\n | join (\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Reset user password\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Password Reset\\\",\\r\\n Tactic = \\\"Impact\\\",\\r\\n Technique = \\\"Account Access Removal\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\\r\\n | join (\\r\\n SigninLogs\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Initial Access\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousFailedLogon = BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\"\\r\\n | join (\\r\\n SigninLogs \\r\\n | where Status.errorCode == 50126\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Failed Logon\\\",\\r\\n Tactic = \\\"Credential Access\\\",\\r\\n Technique = \\\"Brute Force\\\",\\r\\n SubTechnique = \\\"Password Guessing\\\",\\r\\n Description = \\\"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousAADAccountManipulation = AuditLogs\\r\\n | where OperationName == \\\"Update user\\\"\\r\\n | mv-expand AdditionalDetails\\r\\n | where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner ( \\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Update user\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName) \\r\\n | extend AnomalyName = \\\"Anomalous Account Manipulation\\\",\\r\\n Tactic = 
\\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to privileged role, or ones that changed users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\\r\\n | where ActionType == \\\"Add user\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\\r\\n | join(\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Add user\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend DisplayName = tostring(UsersInsights.AccountDisplayName),\\r\\n UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", 
tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Account Creation\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Create Account\\\",\\r\\n SubTechnique = \\\"Cloud Account\\\",\\r\\n Description = \\\"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\\\"\\t\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\\r\\nlet TopUsersByAnomalies = AnomalyTable\\r\\n | summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\\r\\n | project Name=tolower(UserName), UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\\r\\n | sort by AnomalyCount desc;\\r\\nlet TopUsersByIncidents = SecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | where Status == \\\"New\\\" or Status == \\\"Active\\\"\\r\\n | mv-expand AlertIds\\r\\n | extend 
AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"])\\r\\n | extend UPN = iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n | union TopUsersByAnomalies\\r\\n | extend \\r\\n AadPivot = iff(isempty(AadUserId), iff(isempty(Sid), Name, Sid), AadUserId),\\r\\n SidPivot = iff(isempty(Sid), iff(isempty(AadUserId), Name, AadUserId), Sid),\\r\\n UPNExists = iff(isempty(UPN), false, true),\\r\\n NameExists = iff(isempty(Name), false, true),\\r\\n SidExists = iff(isempty(Sid), false, true),\\r\\n AADExists = iff(isempty(AadUserId), false, true)\\r\\n | summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber, 4), AlertCount=dcountif(AlertId, isnotempty(AlertId), 4), AnomalyCount=sum(AnomalyCount), any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true), NameAnchor=anyif(Name, NameExists == true), AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true), any(SidPivot) by AadPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false), 
AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title, any_Severity, any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity, any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\\r\\n | project [\\\"UserName\\\"]=NameAnchor, IncidentCount, AlertCount, AnomalyCount, [\\\"AadUserId\\\"]=AadAnchor, [\\\"OnPremSid\\\"]=SidAnchor, [\\\"UserPrincipalName\\\"]=UPNAnchor;\\r\\nTopUsersByIncidents\\r\\n| where UserPrincipalName !contains \\\"[\\\"\\r\\n| where UserPrincipalName <> \\\"\\\"\\r\\n| project UserPrincipalName, IncidentCount, AlertCount, AnomalyCount\\r\\n| sort by AlertCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Entity Behavior Analytics Alerts\",\"noDataMessage\":\"There are no results within the selected thresholds (time, workspace, subscription). 
See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":
\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"fusion\\\" or Title contains \\\"dynamic\\\" or Title contains \\\"anomal\\\" or Title contains \\\"behavior\\\" or Title contains \\\"learning\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Dynamic Threat Discovery\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDynamicVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Dynamic Threat Discovery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Policy Enforcement Parity](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nConsistently applying security protections and other policies, independent of the communication mechanism, forwarding path, or endpoints used.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 
[SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is Azure Policy?](https://docs.microsoft.com/azure/governance/policy/overview)
\\r\\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPolicyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Policy Enforcement Parity\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Effective Use of 
Shared Services](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEmploying shared services, where applicable, that can be individually tailored, measured to independently validate service conformance, and offer effective protections for tenants against malicious actors, both external as well as internal to the service provider.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Get Started with Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)
\\r\\n💡 [Customer Lockbox for Microsoft Azure](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview)
\\r\\n💡 [What are External Identities in Microsoft Entra ID?](https://docs.microsoft.com/azure/active-directory/external-identities/compare-with-b2c)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Lighthouse](https://portal.azure.com/#blade/Microsoft_Azure_CustomerHub/LighthouseBlade)
\\r\\n🔀 [Customer Lockbox for Microsoft Azure](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, ID.GV, ID.RM, ID.SC, PR.AT, RS.CO](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"guest\\\" or RecommendationDisplayName contains \\\"shared\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| where UserType == \\\"Guest\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, UserType, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, UserType, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Guest Accounts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"shared\\\" or Description contains \\\"guest\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by 
_ResourceId, Description\\r\\n| where Description contains \\\"shared\\\" or Description contains \\\"guest\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"shared\\\" or Description contains \\\"guest\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description !contains \\\"not shared\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEffectiveVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Effective Use of Shared Services\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Integrated Desktop, 
Mobile, and Remote Policies](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDefining polices such that they apply to a given agency entity no matter its location.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\\r\\n💡 [What are Common Ways to Use Conditional Access with Intune?](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)
 \\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://devicemanagement.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| extend DeviceOS = tostring(DeviceDetail.operatingSystem)\\r\\n| summarize count() by DeviceOS\\r\\n| where DeviceOS <> \\\"\\\"\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Application by Operating System\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConditionalAccessPolicy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\
"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sign-Ins By Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"Location\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| mv-expand ConditionalAccessPolicies\\r\\n| extend ConditionalAccessPolicy = tostring(ConditionalAccessPolicies.displayName)\\r\\n| summarize count() by ConditionalAccessPolicy\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Conditional Access Policies\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConditionalAccessPolicy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntegratedVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Integrated Desktop, Mobile, and Remote Policies\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UniversalSecurityCapabilities\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Files](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nFile-based protections including anti-malware, malicious code removal, content disarm & reconstruction, and detonation chambers.\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Files Capabilities Overview\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 
106\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Anti-Malware\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Malware\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Content Disarm & Reconstruction\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Content\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Detonation Chamber\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Detonation\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMalwareVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Malware\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isContentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Content\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\
"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"1f176b0f-1f2f-4e12-afb0-3f10c834ef24\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDetonationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Detonation\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b17f2902-5d29-45b2-8712-bff5b7dd1487\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"793ffbca-13bc-4fac-9535-048cbd9efc54\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-Malware](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-malware protections detect the presence of malicious code and facilitate its quarantine or removal.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)\\r\\n ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/azure-defender/)\\r\\n✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) ✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft Antimalware Extension for Windows](https://docs.microsoft.com/azure/virtual-machines/extensions/iaas-antimalware-windows)
\\r\\n💡 [Microsoft Antimalware for Azure Cloud Services and Virtual Machines](https://docs.microsoft.com/azure/security/fundamentals/antimalware)
\\r\\n💡 [Microsoft Defender for Cloud Apps: Malware Detection](https://docs.microsoft.com/cloud-app-security/anomaly-detection-policy#malware-detection)
\\r\\n💡 [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Defender for Identity](https://portal.atp.azure.com/)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.PT, DE.CM, DE.DP, RS.MI](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"endpoint protection\\\" or RecommendationDisplayName contains \\\"malware\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| 
where Description contains \\\"malware\\\" or Title contains \\\"malware\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Malware\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where AlertName contains \\\"mal\\\"\\r\\n| summarize count() by ProductName\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Malware Detected by Product\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isMalwareVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-Malware\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Content Disarm & Reconstruction](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nContent disarm and reconstruction technology detects the presence of unapproved active content and facilitates its removal.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [EmailAttachmentInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailattachmentinfo) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)\\r\\n\\r\\n### Implementation \\r\\n💡 [Setup Safe Attachments Policies in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/set-up-atp-safe-attachments-policies)
\\r\\n💡 [Threat and Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
\\r\\n💡 [Microsoft Defender Application Guard overview](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)
\\r\\n💡 [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"exploit\\\" or Title contains \\\"exploit\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Exploits\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailAttachmentInfo\\r\\n| extend Detection = strcat(DetectionMethods)\\r\\n| where ThreatTypes <> \\\"\\\"\\r\\n| project RecipientEmailAddress, FileName, ThreatTypes, ThreatNames, Detection, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Safe Attachments: Attachment Mitigation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isContentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Content Disarm & Reconstruction\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Detonation Chamber](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDetonation chambers facilitate the detection of malicious code through the use of protected and isolated execution environments to analyze the files.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 
[SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Submit File for Deep Analysis](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts#submit-files-for-deep-analysis)
\\r\\n💡 [Using the Built-in URL Detonation in Microsoft Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/using-the-new-built-in-url-detonation-in-azure-sentinel/ba-p/996229)
\\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n💡 [Safe Attachments in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-attachments)
\\r\\n💡 [Microsoft Defender Application Guard overview](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)
\\r\\n💡 [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy)
\\r\\n\\r\\n### Microsoft Portals \\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.CM, DE.DP, RS.AN, RS.MI](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"detonation\\\" or Title contains \\\"detonation\\\" or Description contains \\\"sand\\\" or Title contains \\\"sand\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Detonation\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| where DetectionMethods <>\\\"\\\"\\r\\n| project RecipientEmailAddress, DeliveryAction, DeliveryLocation, EmailDirection, EmailAction, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Email Detonation: SafeLinks, SafeAttachments, SafeFiles\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DeliveryAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EmailDirection\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Outbound\",\"representation\":\"right\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"left\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EmailAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DetectionMethods\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"is
EqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDetonationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Detonation Chamber\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n💡 [Hunt for Threats with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/hunting)
\\r\\n💡 [Learn about Microsoft 365 Endpoint Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)
\\r\\n💡 [Configure and View Alerts for DLP Polices](https://docs.microsoft.com/microsoft-365/compliance/dlp-configure-view-alerts-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Description contains \\\"data\\\" or Title contains \\\"data\\\" or Description contains \\\"loss\\\" or Title contains \\\"loss\\\" or Description contains \\\"exfil\\\" or Title contains \\\"exfil\\\" or Tactics contains \\\"exfil\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Data Loss\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| project UserId_s, LabelName_s, Operation_s, Activity_s, IPv4_s, ProtectionOwner_s, ApplicationName_s, ProcessName_s, Platform_s, ContentId_g, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Scan/Monitor for Sensitive Data with Azure Information Protection\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| extend UserPrincipalName = UserId_s_s\\r\\n| where LabelName_s <> \\\"\\\"\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend State = tostring(LocationDetails.state)\\r\\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Sensitive Data Access 
by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"Country
Region\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 12\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"FilesGroup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Email](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nEmail-based protections including anti-phishing, anti-spam, authenticated received chain, data loss prevention, DMARC for incoming/outgoing mail, email encryption, and malicious URL protections.\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Email Capabilities Help\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 107\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Anti-Phishing Protections\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Phishing\\\\\\\" },\\\\r\\\\n\\\\t{ 
\\\\\\\"Control\\\\\\\": \\\\\\\"Anti-Spam Protections\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Spam\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Authenticated Received Chain\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Authenticated\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DMARC for Incoming Email\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Incoming\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPhishingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Phishing\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSpamVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Spam\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"5e162b71-5dff-4440-8bd9-111c1ec62efb\"},{\"version\":\"KqlParameterIt
em/1.0\",\"name\":\"isAuthenticatedVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Authenticated\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"37272499-cf34-4fd3-8f26-5929ea74e783\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"2086488a-60de-43a5-a31f-0ae0eca9abd3\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIncomingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Incoming\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e35e9dbc-8e1d-4749-9fe3-6e1b7cc19f2c\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DMARC for Outgoing Email\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Outgoing\\\\\\\" },\\\\r\\\\n\\\\t{ 
\\\\\\\"Control\\\\\\\": \\\\\\\"Encryption for Email Transmission\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Encryption\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Malicious URL Protections\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Malicious\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"URL Click-Through Protection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Url\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"2477e9e4-bcad-49d6-a4b6-df6672debb7b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isOutgoingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Outgoing\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEncryptionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Encryption\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"1fa8afad-de60-4eb0-8a40-a43bde323bdb\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMaliciousVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\
":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Malicious\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"125bc4a9-0a88-4bef-80c9-2707fa0e5f74\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUrlVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Url\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e62d359a-891b-4663-9384-b7891d8dc461\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-Phishing Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-phishing protections detect instances of phishing and prevent users from accessing them.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Anti-Phishing Protection in Microsoft 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-phishing-protection)
\\r\\n💡 [Configure Anti-Phishing Policies in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-atp-anti-phishing-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AT, PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"email\\\" or Title contains \\\"phish\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Phishing\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPhishingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-Phishing Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-SPAM Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-SPAM protections detect and quarantine instances of SPAM.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Anti-Spam protection in Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-spam-protection)
\\r\\n💡 [Configure Anti-Spam Policies in Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| extend Spam = tostring(parse_json(ConfidenceLevel).Spam)\\r\\n| where Spam <> \\\"Skipped\\\"\\r\\n| where Spam <> \\\"Not spam\\\"\\r\\n| where Spam <> \\\"\\\"\\r\\n| project Spam, RecipientEmailAddress, DeliveryAction, EmailDirection, ConfidenceLevel, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Spam Email Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}
},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isSpamVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-SPAM Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authenticated Received Chain](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAuthenticated Received Chain allows for an intermediary, like a mailing list or forwarding service, to sign its own authentication of the original email, allowing downstream entities to accept the intermediary’s authentication even if the email was changed.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [How Microsoft 365 Utilizes Authenticated Received Chain (ARC)](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-utilizes-authenticated-received-chain-arc)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Alerts for DMARC, SPF, DKIM Validations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_AlertName_0\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_AlertName_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAuthenticatedVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Authenticated Received Chain\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Microsoft References \\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n💡 [Configure and View Alerts for DLP Polices](https://docs.microsoft.com/microsoft-365/compliance/dlp-configure-view-alerts-policies)
\\r\\n💡 [How DLP Works Between the Security & Compliance Center and Exchange Admin Centers](https://docs.microsoft.com/microsoft-365/compliance/how-dlp-works-between-admin-centers)
\\r\\n💡 [Email Entity Page](https://docs.microsoft.com/microsoft-365/security/office-365-security/mdo-email-entity-page)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Tactics contains \\\"exfil\\\"\\r\\n| where Title contains \\\"email\\\" or Title contains \\\"phish\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Email Data Loss\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DMARC for Incoming Email](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDMARC protections authenticate incoming email according to the DMARC email authentication protocol defined in RFC 7489.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Use DMARC to Validate Email](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)
\\r\\n💡 [How Microsoft 365 Handles Inbound Emails that Fail DMARC](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-handles-inbound-email-that-fails-dmarc)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\" and Entities contains \\\"inbound\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Inbound DMARC Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIncomingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DMARC for Incoming Email\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DMARC for Outgoing Email](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDMARC protections facilitate the authentication of outgoing email by signing the emails and ensuring that external parties may validate the email signatures. The DMARC email authentication protocol is defined in RFC7489.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Use DMARC to Validate Email](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)
\\r\\n💡 [How Microsoft 365 Handles Inbound Emails that Fail DMARC](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-handles-inbound-email-that-fails-dmarc)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\" and Entities contains \\\"outbound\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Outbound DMARC Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isOutgoingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DMARC for Outgoing Email\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Encryption for Email Transmission](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEmail services are configured to use encrypted connections, when possible, for communications between clients and other email servers.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Email Encryption](https://docs.microsoft.com/microsoft-365/compliance/ome)
\\r\\n💡 [How Exchange Online Uses TLS to Secure Email Connections](https://docs.microsoft.com/microsoft-365/compliance/exchange-online-uses-tls-to-secure-email-connections)
\\r\\n💡 [Define Mail Flow Rules to Encrypt Email Messages](https://docs.microsoft.com/microsoft-365/compliance/define-mail-flow-rules-to-encrypt-email)
\\r\\n💡 [Setup New Message Encryption Capabilities](https://docs.microsoft.com/microsoft-365/compliance/set-up-new-message-encryption-capabilities)
\\r\\n💡 [Define Mail Flow Rules to Encrypt Email Messages](https://docs.microsoft.com/microsoft-365/compliance/define-mail-flow-rules-to-encrypt-email)
\\r\\n💡 [Manage Office 365 Message Encryption](https://docs.microsoft.com/microsoft-365/compliance/manage-office-365-message-encryption)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
🔀 [Microsoft 365 Defender](https://security.microsoft.com)
🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"encrypt\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information.\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEncryptionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Encryption for Email Transmission\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Malicious URL Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMalicious URL protections detect malicious URLs in emails and prevent users from accessing them.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| where DetectionMethods contains \\\"url\\\"\\r\\n| join (EmailUrlInfo) on NetworkMessageId\\r\\n| project RecipientEmailAddress, DeliveryAction, Url, UrlDomain, EmailDirection, ConfidenceLevel, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"SafeLinks Email Protections\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DeliveryAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Url\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\
"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isMaliciousVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Malicious URL Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [URL Click-Through Protection](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nURL click-through protections ensure that when a URL from an email is clicked, the requester is directed to a protection that verifies the security of the URL destination before permitting access.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"url\\\" or Title contains \\\"url\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Urls\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUrlVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"URL Click-Through Protection\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Email Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Web](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nWeb-based protections including break/inspect, active content mitigation, certificate blacklisting/consensus, content filtering, authenticated proxy, data loss prevention, DNS-over-HTTPS filtering, RFC compliance enforcement, domain category filtering, domain reputation filtering, bandwidth control, malicious content filtering, and access 
control.\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Web Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 108\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Break and Inspect\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Break\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Active Content Mitigation\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Active\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Certificate Denylisting\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Certificate\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Content Filtering\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Content\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Authenticated Proxy\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Authenticated\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DNS-over-HTTPS Filtering\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DNS\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a30d01d0-38f1-4a91-9cf6-cdb181d676b5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isBreakVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Break\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isActiveVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Active\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b2b0b9d3-128b-4ec7-a1e8-287df84633da\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCertificateVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Certificate\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"508474da-365f-43db-9c42-4331e8648144\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isContentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Content\",\"resultValType\":\"static\",\"resultVal\":\"true\
"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"68f6fab3-9f4c-4ea8-ac17-064809f6740e\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAuthenticatedVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Authenticated\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a539291a-2744-47ef-9558-f15986ecf508\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"bd2ce9fe-9e44-4bcf-9f00-83a04c86e456\"},{\"id\":\"5cb17a08-31fb-4eee-87d8-abef7ecbb7e2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDNSVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DNS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden 
Parameters\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"RFC Compliance Enforcement\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RFC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Domain Category Filtering\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Category\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Domain Reputation Filter\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Reputation\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Bandwidth Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Bandwidth\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Malicious Content Filtering\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Malicious\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Access\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0114faf6-043c-452c-9249-34899d8965a1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRFCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RFC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCategoryVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Category\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"35f239a8-a4dc-4e7f-8b70-dd4c876151db\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isReputationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Reputation\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"57218915-069e-4559-94ff-29144252c397\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isBandwidthVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Bandwidth\",\"resultValType\":\"static\",\"resultVal\":\"
true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d77f49a8-0e58-46c3-b705-5a61736b41ea\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMaliciousVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Malicious\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a11bbfd4-4c45-4527-b1d2-6cab517590cb\"},{\"id\":\"a1bdb4f4-7f9d-48f8-8deb-e979a7e203a6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAccessVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Access\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Break and Inspect](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nBreak-and-Inspect systems, or encryption proxies, terminate encrypted traffic, logging or performing policy enforcement against the plaintext, and re-encrypting the traffic, if applicable, before transmitting to the final 
destination.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Firewall Premium](https://azure.microsoft.com/services/azure-firewall/) ✳️ [Network Watcher](https://azure.microsoft.com/services/network-watcher/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n💡 [Inspect Traffic with Azure Firewall](https://docs.microsoft.com/azure/private-link/inspect-traffic-with-azure-firewall)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Create an Azure Network Watcher instance](https://docs.microsoft.com/azure/network-watcher/network-watcher-create)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Network Watcher](https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"protected by Azure Firewall\\\" or RecommendationDisplayName contains \\\"watcher\\\" or RecommendationDisplayName contains \\\"proxy\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"azurefirewalls\\\" or type contains \\\"firewallpolicies\\\" or type contains \\\"networkwatchers\\\" or type contains \\\"webapplicationfirewall\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Break & Inspect Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isBreakVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Break and Inspect\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Active Content Mitigation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nActive content mitigation protections detect the presence of unapproved active content and facilitate its removal.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) 🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n\\r\\n### Implementation \\r\\n💡[What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡[Azure Web Application Firewall on Azure Front Door](https://docs.microsoft.com/azure/web-application-firewall/afds/afds-overview)
\\r\\n💡[Connect data from Microsoft 365 Defender to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"endpoint protection\\\" or RecommendationDisplayName contains \\\"Web Application Firewall\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"webapplicationfirewall\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Content Mitigation Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message: string, ruleName_s: string, clientIp_s: string, clientIP_s: string, action_s: string, transactionId_s: string, trackingReference_s: string) [\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\"]);\\r\\nFakeData\\r\\n| union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"Application Gateway\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"Application Gateway\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"Application Gateway\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"Application Gateway\\\" contains \\\"cdn\\\")) and (\\\"SOC-NS-AG-WAFV2 - 1129440\\\" == \\\"All\\\" or Resource in ('SOC-NS-AG-WAFV2'))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", 
action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '*' == Action or '*' == \\\"*\\\" \\r\\n| where '*' == requestUri_s or '*' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Rule= iif(Rule contains \\\"Mandatory rule. Cannot be disabled.\\\", strcat_array(split(Rule, \\\"Mandatory rule. Cannot be disabled. Inbound \\\", 1), \\\"\\\"), Rule) // Removes initial component for mandatory rule \\r\\n| extend Rule = iif(Rule contains \\\"Total Inbound Score\\\", strcat_array(array_concat(split(Rule, \\\" - SQLI=\\\", 0), parse_json('[\\\") -\\\"]'), split(Rule, \\\"):\\\", 1)), \\\"\\\"), Rule) // Removes smaller information if more info is available for anomaly score\\r\\n| summarize count() by Rule\\r\\n| top 50 by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure WAF Events\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Rule\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redDark\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isActiveVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Active Content Mitigation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Certificate Denylisting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCertificate denylisting protections prevent communication with entities that use a set of known bad certificates.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Certificates Used by Azure Firewall Premium](https://docs.microsoft.com/azure/firewall/premium-certificates)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Quickstart: Create a Key Vault using the Azure Portal](https://docs.microsoft.com/azure/key-vault/general/quick-create-portal)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"certificate\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"cert\\\" \\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"cert\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"cert\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCertificateVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Certificate Denylisting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Content 
Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nContent filtering protections detect the presence of unapproved content and facilitate its removal or denial of access.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure Firewall Web Categories](https://docs.microsoft.com/azure/firewall/web-categories)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Web Content Filtering](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/web-content-filtering)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\n materialize(\\r\\n AzureDiagnostics\\r\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n | project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". 
Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n | where msg_s has \\\" Reason:\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n and msg_s !has \\\"No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | where msg_s has \\\"Rule Collection Group\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". 
Rule: \\\" Rule\\r\\n )\\r\\n| summarize Count = count(), last_log = datetime_diff(\\\"second\\\", now(), max(TimeGenerated)) by RuleCollection, Rule, WebCategory\",\"size\":1,\"showAnalytics\":true,\"title\":\"Azure Firewall: Content Enforcement\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"last_log\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_heatmap_last_log_4\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_heatmap_last_log_4\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 36\"}]},\"conditionalVisibility\":{\"parameterName\":\"isContentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Content Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authenticated 
Proxy](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAuthenticated proxies require entities to authenticate with the proxy before making use of it, enabling user, group, and location-aware security controls.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Plan an Azure AD Application Proxy Deployment](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-deployment-plan)
\\r\\n💡 [Configure Real-Time Application Access Monitoring with Microsoft Defender for Cloud Apps and Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-integrate-with-microsoft-cloud-application-security)
\\r\\n💡 [Protect Apps with Microsoft Defender for Cloud Apps Conditional Access App Control](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| mv-expand ConditionalAccessPolicies\\r\\n| extend ConditionalAccessPolicy = tostring(ConditionalAccessPolicies.displayName)\\r\\n| summarize count() by ConditionalAccessPolicy\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Conditional Access Policies\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConditionalAccessPolicy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Recomme
ndationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAuthenticatedVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Authenticated Proxy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Microsoft Defender for Cloud Apps: File Policies](https://docs.microsoft.com/cloud-app-security/data-protection-policies)
\\r\\n💡 [Content Inspection for Protected Files](https://docs.microsoft.com/cloud-app-security/content-inspection)
\\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Defender for Identity Portal](https://portal.atp.azure.com/)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n🔀 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Tactics contains \\\"exfil\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Data Exfiltration\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention_W\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNS-over-HTTPS Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNS-over-HTTPS filtering 
prevents entities from using the DNS-over-HTTPS protocol, possibly evading DNS-based protections.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Microsoft Defender for DNS](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-dns-introduction)
\\r\\n💡 [Azure Firewall DNS settings](https://docs.microsoft.com/azure/firewall/dns-settings)
\\r\\n💡 [Web Content Filtering](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Workload Protections](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/26)
\\r\\n🔀 [Azure Firewall](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"dns\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS-over-HTTPS Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [RFC Compliance Enforcement](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nRFC compliant enforcement technologies ensure that traffic complies with protocol definitions.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation\\r\\n💡[What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡[Tutorial: Create an Application Gateway with a Web Application Firewall using the Azure Portal](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics \\r\\n| where Category == \\\"ApplicationGatewayFirewallLog\\\"\\r\\n| where details_file_s contains \\\"rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\\\"\\r\\n| summarize count() by ResourceId, Message\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Web Protocol Enforcement Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isRFCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RFC Compliance Enforcement\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Domain Category Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDomain category filtering technologies allow for classes of 
domains (e.g. banking, medical) to receive a different set of security protections.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Firewall: Web Categories](https://docs.microsoft.com/azure/firewall/premium-deploy#web-categories-testing)
\\r\\n💡 [Use FQDN Filtering in Network Rules](https://docs.microsoft.com/azure/firewall/fqdn-filtering-network-rules)
\\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)\\t
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\n materialize(\\r\\n AzureDiagnostics\\r\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n | project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". 
Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n | where msg_s has \\\" Reason:\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n and msg_s !has \\\"No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | where msg_s has \\\"Rule Collection Group\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". 
Rule: \\\" Rule\\r\\n )\\r\\n| where Action == \\\"Deny\\\"\\r\\n| where '*' == SourceIP or '*' == \\\"*\\\" \\r\\n| summarize count() by FQDN\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Domain & Category Filtering\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FQDN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Diagnostics\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isCategoryVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Domain Category Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Domain Reputation Filter](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDomain reputation filtering protections are a form of domain denylisting based on a domain’s reputation, as defined by either 
the agency or an external entity.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Firewall Threat Intelligence-Based Filtering](https://docs.microsoft.com/azure/firewall/threat-intel)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName == \\\"AzureFirewallThreatIntelLog\\\"\\r\\n| where msg_s <> \\\" request from to . Action: . ThreatIntel: \\\"\\r\\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url: \\\" Url \\\". Action: \\\" Action \\\". ThreatIntel: \\\" ThreatIntelMsg\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". ThreatIntel: \\\" ThreatIntelMsg\\r\\n)\\r\\n| summarize by ThreatIntelMsg, Url, FQDN, Action, Protocol, SourceIP, SourcePort, DestinationPort, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: Threat Intelligence URL Blocks\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Url\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Diagnostics\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Action\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"FQDN\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"FQDN\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isReputationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Domain Reputation Filter\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Bandwidth Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nBandwidth control technologies allow for limiting the amount of bandwidth used by different classes of domains.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Metrics](https://docs.microsoft.com/azure/azure-monitor/essentials/data-platform-metrics) ✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Monitor Metrics Overview](https://docs.microsoft.com/azure/azure-monitor/essentials/data-platform-metrics)
\\r\\n💡 [Monitor Azure Firewall Logs and Metrics](https://docs.microsoft.com/azure/firewall/firewall-diagnostics) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"Bandwidth Control\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"40\",\"name\":\"Control Smartcard\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5084e141-6c56-4d7f-bd8a-09f7ef9af1bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Resource\",\"label\":\"Azure Firewalls\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"where type =~ 'Microsoft.Network/azureFirewalls'\\r\\n| project id, name\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"parameters - 1\"},{\"type\":10,\"content\":{\"chartId\":\"workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15\",\"version\":\"MetricsItem/2.0\",\"size\":0,\"chartType\":2,\"resourceType\":\"microsoft.network/azurefirewalls\",\"metricScope\":0,\"resourceParameter\":\"Resource\",\"resourceIds\":[\"{Resource}\"],\"timeContextFromParameter\":\"TimeRange\",\"timeContext\":{\"durationMs\":604800000},\"metrics\":[{\"namespace\":\"microsoft.network/azurefirewalls\",\"metric\":\"microsoft.network/azurefirewalls--Throughput\",\"aggregation\":4,\"columnName\":\"All Firewall Throughput Average\"}],\"title\":\"Average Throughput of Firewall Traffic\",\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"metric - 25\"}]},\"conditionalVisibility\":{\"parameterName\":\"isBandwidthVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Bandwidth 
Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Malicious Content Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMalicious content filtering protections detect the presence of malicious content and facilitate its removal.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) ✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Microsoft Defender for Cloud's enhanced security features](https://docs.microsoft.com/azure/defender-for-cloud/enhanced-security-features-overview)
\\r\\n💡 [What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡 [Azure Web Application Firewall on Azure Front Door](https://docs.microsoft.com/azure/web-application-firewall/afds/afds-overview)
\\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.PT, PR.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"firewall\\\" or RecommendationDisplayName contains \\\"defender\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"mal\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Malicious Content\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| project Category, ResourceType, OperationName);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n | summarize Volume=count() by OperationName\\r\\n | project Category=OperationName, Volume\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName == \\\"AzureFirewallThreatIntelLog\\\"\\r\\n | 
summarize Volume=count() by OperationName\\r\\n | project Category=OperationName, Volume\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n | where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n | summarize Volume=count() by Category\\r\\n)\\r\\n| sort by Volume desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Web Protections by Rule Category\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Category\",\"exportParameterName\":\"SelectedCategory\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Volume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Category\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Volume\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMaliciousVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Malicious Content 
Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control technologies allow an agency to define policies limiting what actions may be performed by connected users and entities.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Overview of Role-Based Access Control in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/roles/custom-overview)
\\r\\n💡 [What is Azure AD Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n💡 [Secure Your Management Ports With Just-In-Time Access](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"Just\\\" or RecommendationDisplayName contains \\\"privilege\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAccessVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Web Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Networking](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nNetwork-based protections including network access controls, IP denylisting, host containment, network segmentation, and microsegmentation. \\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Networking Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 109\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Access\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"IP Denylisting\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IP\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Host Containment\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Host\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Network Segmentation\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Network\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Microsegmentation\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Micro\\\\\\\" 
}\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAccessVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Access\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIPVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IP\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"50ab20f8-9e71-4938-a67c-fc3cddda9d3e\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isHostVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Host\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"297ab54c-7fb4-4d69-b331-d06b5848b0c2\"},{\"version\":\"KqlPar
ameterItem/1.0\",\"name\":\"isNetworkVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Network\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4c49d950-1bd2-45c1-8a98-4f17abff2088\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMicroVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Micro\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"cf2d16a5-def7-4887-87ff-188258574464\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control protections prevent the ingest, egress, or transiting of unauthorized network traffic.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)\\r\\n✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Security Recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Tutorial: Create an Application Gateway with a Web Application Firewall using the Azure Portal](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal)
\\r\\n💡 [Tutorial: Create and Manage a VPN Gateway using Azure Portal]( https://docs.microsoft.com/azure/vpn-gateway/tutorial-create-gateway-portal)
\\r\\n💡 [What is Azure ExpressRoute?](https://docs.microsoft.com/azure/expressroute/expressroute-introduction)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
🔀 [Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
🔀 [Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
🔀 [ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"network access\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"network\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Networking Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where OperationName == \\\"NetworkSecurityGroupEvents\\\"\\r\\n| extend NetworkMap=strcat(\\\"NetworkMap\\\")\\r\\n| summarize count() by ruleName_s, NetworkMap\\r\\n| project NetworkSecurityGroupRule=ruleName_s, FlowCount=count_, NetworkMap\\r\\n| sort by FlowCount desc \",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Map & Flow Counts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"NetworkSecurityGroupRule\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Lateral_Movement\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"FlowCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"NetworkMap\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Network Map >>\",\"bladeOpenContext\":{\"bladeName\":\"NetworkMapBlade\",\"extensionName\":\"Microsoft_Azure_Security_R3\"}}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAccessVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [IP Denylisting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIP denylisting protections prevent the ingest or transiting of traffic received from or destined to a denylisted IP address.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [ThreatIntelligenceIndicator](https://docs.microsoft.com/azure/azure-monitor/reference/tables/threatintelligenceindicator) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Connect Data from Threat Intelligence Providers](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n💡 [Azure Firewall Threat Intelligence Configuration](https://docs.microsoft.com/azure/firewall-Manager/threat-intelligence-settings)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n\\t iff(isnotempty(Url), \\\"URL\\\",\\r\\n\\t iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n\\t iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n\\t iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n\\t \\\"Other\\\")))))\\r\\n| where IndicatorType == \\\"IP\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by IndicatorType\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Sentinel: Threat Intelligence IP Indicators Ingested\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"VMConnection\\r\\n| extend NetworkSourceIP=RemoteIp\\r\\n| where NetworkSourceIP <> \\\"\\\"\\r\\n| extend FirewallManager=strcat(\\\"FirewallManager\\\")\\r\\n| join (ThreatIntelligenceIndicator) on NetworkSourceIP\\r\\n| extend Indicator = strcat(NetworkSourceIP, FileHashValue, NetworkIP, NetworkDestinationIP, Url, EmailSourceIpAddress, EmailSenderAddress, DomainName)\\r\\n| extend Source=SourceSystem1\\r\\n| summarize count () by ThreatType, Action, Indicator, Direction, _ResourceId, FirewallManager, RemoteCountry, RemoteIp, Source\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence: IP Denylisting\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"FirewallManager\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Firewall Manager 
>>\",\"bladeOpenContext\":{\"bladeName\":\"FirewallManagerMenuBlade\",\"extensionName\":\"Microsoft_Azure_HybridNetworking\"}}},{\"columnMatch\":\"RemoteCountry\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"RiskIQ_Lookup\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"RiskIQ Lookup >\"}},{\"columnMatch\":\"VirusTotalURL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"VirusTotal Lookup >\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"RemoteCountry\",\"latitude\":\"RemoteLatitude\",\"longitude\":\"RemoteLongitude\",\"sizeSettings\":\"RemoteCountry\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"RemoteCountry\",\"legendMetric\":\"RemoteCountry\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"RemoteIp\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"redBright\"}]}}},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Threat Intelligence: IP Denylisting\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIPVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IP Denylisting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Host 
Containment](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nHost containment protections enable a network to revoke or quarantine a host’s access to the network.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Security Orchestration, Automation, and Response (SOAR) in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/automation-in-azure-sentinel)
\\r\\n💡 [How to Isolate an Azure VM Using Microsoft Defender for Cloud’s Workflow Automation](https://techcommunity.microsoft.com/t5/azure-security-center/how-to-isolate-an-azure-vm-using-azure-security-center-s/ba-p/1250985)
\\r\\n💡 [Isolate Endpoints from the Network](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-endpoints-from-the-network)
\\r\\n\\r\\n### Microsoft Portals \\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"logic\\\"\\r\\n| where id contains \\\"block\\\" or id contains \\\"isolate\\\" or id contains \\\"lock\\\" or id contains \\\"revoke\\\" or id contains \\\"quarantine\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Containment Automations Configured\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isHostVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Host Containment\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Network Segmentation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nNetwork segmentation separates a given network into subnetworks, facilitating security controls between the subnetworks, and decreasing the attack surface of the network.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 
[SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Implement Network Segmentation Patterns on Azure](https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation)
\\r\\n💡 [What is Azure Virtual Network?](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"segment\\\" or RecommendationDisplayName contains \\\"network security group\\\" or RecommendationDisplayName contains \\\"subnet\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"networksecuritygroups\\\" or type contains \\\"virtualnetworks\\\" or type contains \\\"tables\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Segmentation Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Network Segmentation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsegmentation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMicrosegmentation divides the network, either physically or virtually, according to the communication needs of application and data workflows, facilitating security controls to protect the data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for 
Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)\\r\\n✳️ [Application Gateway](https://azure.microsoft.com/services/application-gateway/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Network Security & Containment](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n💡 [What is Azure Virtual Network?](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n💡 [Implement network segmentation patterns on Azure](https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation)
\\r\\n💡 [Application Security Groups](https://docs.microsoft.com/azure/virtual-network/application-security-groups)
\\r\\n💡 [Tutorial: Filter Network Traffic with a Network Security Group using the Azure portal](https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Application Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n🔀 [Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.DS, PR.IP, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"application gateway\\\" or RecommendationDisplayName contains \\\"security group\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"applicationgateway\\\" or type contains \\\"securitygroup\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsegementation Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isMicroVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Microsegmentation\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Networking Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Resiliency](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nResiliency measures including DDoS protections, elastic expansion, and regional delivery.\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Resiliency Capabilities 
Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 110\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DDoS Protections\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DDoS\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Elastic Expansion\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Elastic\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Regional Delivery\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Regional\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDDoSVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DDoS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isElasticVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Elastic\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightVa
lType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c6997d7f-b3e5-431c-b747-ea5a75b533e0\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRegionalVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Regional\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"250d293f-5d5f-4944-8cd4-5ec0183b9053\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DDoS Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDDoS protections mitigate the effects of distributed denial of service attacks.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) 🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure DDoS Protection]( https://azure.microsoft.com/services/ddos-protection/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure DDoS Protection Standard Overview](https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DDoS Protection Plans](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FddosProtectionPlans)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"dos\\\" or Title contains \\\"denial\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: DDoS\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Resources\\r\\n| where type contains \\\"microsoft.network/ddosprotectionplans\\\"\\r\\n| extend RG = substring(id, 0, indexof(id, '/providers'))\\r\\n| extend virtualNetworks = properties.virtualNetworks\\r\\n| mvexpand bagexpansion=array virtualNetworks\\r\\n| extend VNETid = virtualNetworks.id\\r\\n| project-away kind, managedBy, sku, plan, identity, zones, extendedLocation, name, tenantId, properties, tags, virtualNetworks, 
resourceGroup\",\"size\":0,\"showAnalytics\":true,\"title\":\"DDoS Protection Plans\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"location\",\"formatter\":17},{\"columnMatch\":\"subscriptionId\",\"formatter\":15,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"VNETid\",\"formatter\":13,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"id\",\"label\":\"Name\"},{\"columnId\":\"type\",\"label\":\"Type\"},{\"columnId\":\"location\",\"label\":\"Region\"},{\"columnId\":\"subscriptionId\",\"label\":\"Subscription\"},{\"columnId\":\"VNETid\",\"label\":\"Virtual Networks\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DDoSPlans\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"DDoSMitigationReports\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| extend TopAttackVector = tostring(parse_json(AttackVectors_s)[0]) \\r\\n| extend Total_packets_ = tostring(parse_json(TrafficOverview_s).Total_packets) \\r\\n| extend Total_packets_dropped_ = todouble(parse_json(TrafficOverview_s).Total_packets_dropped)\\r\\n| extend TotalPackets =todouble(Total_packets_)\\r\\n| where TotalPackets > 0\\r\\n| where TopAttackVector <> \\\"\\\"\\r\\n| project TopAttackVector, TotalPackets, TotalPacketsDropped = Total_packets_dropped_ , ResourceId , 
SourceIP=IPAddress, Resource, TimeGenerated\\r\\n| sort by TotalPacketsDropped desc\\r\\n| limit 100\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"DDoS Mitigation Activity\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"IPAddress\",\"parameterName\":\"IPAddress\",\"parameterType\":1},{\"fieldName\":\"ResourceId\",\"parameterName\":\"ResourceId\",\"parameterType\":1,\"defaultValue\":\"ResourceId\"},{\"fieldName\":\"Resource\",\"parameterName\":\"AttackReport\",\"parameterType\":1,\"defaultValue\":\"/\"}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TopAttackVector\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"TotalPackets\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"TotalPacketsDropped\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Resource\",\"formatter\":5},{\"columnMatch\":\"Total_packets_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Total_packets_dropped_\",\"formatter\":4,\"fo
rmatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"subtitleContent\":{\"columnMatch\":\"TopAttackVector\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Resource\"},\"rightContent\":{\"columnMatch\":\"TimeGenerated\"},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"50\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDDoSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DDoS Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Elastic Expansion](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nElastic expansion enables agencies to dynamically expand the resources available for services as conditions require.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Virtual Machine Scale Sets](https://azure.microsoft.com/services/virtual-machine-scale-sets/) ✳️ [Traffic Manager]( https://azure.microsoft.com/services/traffic-manager/) ✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) ✳️ [Azure Availability Zones]( https://azure.microsoft.com/global-infrastructure/availability-zones/)\\r\\n\\r\\n### Implementation \\r\\n💡 [What are Virtual Machine Scale Sets?](https://docs.microsoft.com/azure/virtual-machine-scale-sets/overview) 
\\r\\n💡 [Elastic Pools Help You Manage and Scale Multiple Databases in Azure SQL Database](https://www.cisa.gov/trusted-internet-connections)
\\r\\n💡 [What is Azure Load Balancer?](https://docs.microsoft.com/azure/load-balancer/load-balancer-overview)
\\r\\n💡 [What is Traffic Manager?](https://docs.microsoft.com/azure/traffic-Manager/traffic-Manager-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Machine Scale Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FvirtualMachineScaleSets)
🔀 [Azure SQL](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Sql%2Fazuresql)
🔀 [Load Balancer](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
🔀 [Traffic Manager Profiles](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2Ftrafficmanagerprofiles)
🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"load\\\" or Description contains \\\"scale\\\" or Description contains \\\"front\\\" or Description contains \\\"traffic manager\\\" or Description contains \\\"pool\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"scale\\\" or type contains \\\"traffic\\\" or type contains \\\"load\\\" or type contains \\\"balance\\\" or type contains \\\"pool\\\" or type contains \\\"set\\\" or type contains \\\"manager\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Elastic Expansion Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isElasticVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Elastic Expansion\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Regional Delivery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nRegional delivery technologies enable the deployment of agency services across geographically diverse locations.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft 
Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter)\\r\\n\\r\\n### Implementation \\r\\n💡 [Building Solutions for High Availability Using Availability Zones](https://docs.microsoft.com/azure/architecture/high-availability/building-solutions-for-high-availability)
 \\r\\n💡 [Azure Infrastructure Availability](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-availability) 
\\r\\n💡 [Data residency in Azure](https://azure.microsoft.com/global-infrastructure/data-residency/#overview) 
\\r\\n💡 [Regions and availability zones](https://docs.microsoft.com/azure/availability-zones/az-overview) 
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Availability Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FavailabilitySets)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"disaster\\\" or RecommendationDisplayName contains \\\"region\\\" or RecommendationDisplayName contains \\\"redundant\\\" or RecommendationDisplayName contains \\\"geo\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sign-Ins By Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"Location\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by location\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"location\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isRegionalVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Regional Delivery\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Resiliency Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNS](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nDNS measures including DNS blackholing, DNSSEC for clients, and DNSSEC for domains. 
\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS Capability Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 111\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DNS Sinkholing\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Sink\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DNSSEC for Agency Clients\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Clients\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DNSSEC for Agency Domains\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Domains\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSinkVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Sink\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"aaf5f338-70e7-4910-8b24-0256c3e819ab\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isClientsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Clients\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDomainsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Domains\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b454a300-8718-4f34-a5e9-722b582dc95d\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNS Sinkholing](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNS sinkholing protections are a form of denylisting that protect clients from accessing malicious domains by responding to DNS queries for those domains.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) \\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is Azure DNS?](https://docs.microsoft.com/azure/dns/dns-overview)
\\r\\n💡 [How to protect DNS zones and records](https://docs.microsoft.com/azure/dns/dns-protect-zones-recordsets)
\\r\\n💡 [Microsoft Defender for DNS](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-dns-introduction)
\\r\\n💡 [Azure Firewall DNS settings](https://docs.microsoft.com/azure/firewall/dns-settings)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"domain\\\" or type contains \\\"dns\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"dns\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: DNS\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These 
Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSinkVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS Sinkholing\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNSSEC for Agency Clients](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNSSEC protections ensure that domain name lookups from agency 
clients, whether for internal or external domains, are validated.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Enabling Central Visibility For DNS Using Azure Firewall Custom DNS and DNS Proxy](https://techcommunity.microsoft.com/t5/azure-network-security/enabling-central-visibility-for-dns-using-azure-firewall-custom/ba-p/2156331)
\\r\\n💡 [DANE Support](https://docs.microsoft.com/windows-server/networking/dns/what-s-new-in-dns-server#dane-support)
\\r\\n💡 [Support of DANE and DNSSEC in Office 365 Exchange Online](https://techcommunity.microsoft.com/t5/exchange-team-blog/support-of-dane-and-dnssec-in-office-365-exchange-online/ba-p/1275494)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DNS zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n🔀 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"dns\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"dns\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"dns\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\r\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\r\\n| project-away msg_s\\r\\n| summarize by TimeGenerated, ResourceId, ClientIP, ClientPort, QueryID, Request_Type, Request_Class, Request_Name, Request_Protocol, Request_Size, EDNSO_DO, EDNS0_Buffersize, Responce_Code, Responce_Flags, Responce_Size, Response_Duration, SubscriptionId\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Request_Type\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: DNS Proxy Actions over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isClientsVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNSSEC for Agency Clients\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNSSEC for Agency Domains](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNSSEC protections ensure that all agency domain names are secured using DNSSEC, enabling external entities to validate their resolution the domain names.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is Azure DNS?](https://docs.microsoft.com/azure/dns/dns-overview)
\\r\\n💡 [Security Recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"dns\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDomainsVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNSSEC for Agency Domains\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Intrusion Detection](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nIntrusion Detection measures including endpoint detection & response, intrusion protection systems, adaptive access control, deception platforms, and certificate transparency log monitoring.\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Intrusion Detection Capability Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 112\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Endpoint Detection and Response\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Endpoint\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Intrusion Protection Systems (IPS)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Intrusion\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Adaptive Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Adaptive\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Deception Platforms\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Deception\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Certificate Transparency Log Monitoring\\\\\\\", \\\\\\\"tab\\\\\\\": 
\\\\\\\"Certificate\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEndpointVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Endpoint\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIntrusionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Intrusion\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"f683c8d4-894a-4863-a2c6-03d36d6d7819\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAdaptiveVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Adaptive\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"27dcffa
8-43ca-4d68-b69d-11dbd33dcbcb\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDeceptionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Deception\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b4f96879-69b4-45b3-b6a6-384a91e9569c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCertificateVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Certificate\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"51c9fd25-2fa3-4cca-bc9f-bf8b5d0a0e07\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Endpoint Detection and Response](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEndpoint detection and response tools combine endpoint and network event data to aid in the detection of malicious activity.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Overview of Endpoint Detection and Response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, RS.AN](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"endpoint protection\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where AdditionalData contains \\\"Microsoft Defender for Endpoint\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Endpoint Detection & Response\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEndpointVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Endpoint Detection and Response\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Intrusion Protection Systems (IPS)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIntrusion protection systems detect malicious activity, attempt to stop the activity, and report the activity.\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Firewall Premium: IPS](https://docs.microsoft.com/azure/firewall/premium-features#idps)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) 🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, DE.DP, RS.AN](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"IPS\\\" or Title contains \\\"IDS\\\" or Title contains \\\"intrusion\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Intrusion Protection System\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n| parse msg_s with * \\\"TCP request from \\\" Source \\\" to \\\" Destination \\\". Action: \\\" ActionTaken \\\". Rule: \\\" IDPSSig \\\". IDS: \\\" IDSMessage \\\". Priority: \\\" Priority \\\". Classification: \\\" Classification\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by OperationName\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: IDPS Alerts over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"microsoft.network/firewallpolicies\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"IPS Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Intrusion Protection Systems (IPS)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Adaptive Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAdaptive access control technologies factor in additional context, like security risk, operational needs, and other heuristics, when evaluating access control decisions.\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [What is 
Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\\r\\n💡 [Use adaptive application controls to reduce your machines' attack surfaces](https://docs.microsoft.com/Azure/defender-for-cloud/adaptive-application-controls)
\\r\\n💡 [Improve your network security posture with adaptive network hardening](https://docs.microsoft.com/Azure/defender-for-cloud/adaptive-application-controls)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Workload Protections](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/26)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"adaptive\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = SigninLogs\\r\\n | where AppDisplayName in ('*') or '*' in ('*')\\r\\n | where UserDisplayName in ('*') or '*' in ('*')\\r\\n | extend CAStatus = case(ConditionalAccessStatus == \\\"success\\\", \\\"Successful\\\",\\r\\n ConditionalAccessStatus == \\\"failure\\\", \\\"Failed\\\", \\r\\n ConditionalAccessStatus == \\\"notApplied\\\", \\\"Not applied\\\", \\r\\n isempty(ConditionalAccessStatus), \\\"Not applied\\\", \\r\\n \\\"Disabled\\\")\\r\\n | mvexpand ConditionalAccessPolicies\\r\\n | extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n | extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"endpoint\\\", \\\"Require endpoint Compliant\\\", \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined endpoint\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n \\\"Other\\\");\\r\\ndata\\r\\n| summarize Count = dcount(Id) by CAStatus\\r\\n| join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range(ago(14d), now(), 6h) by CAStatus\\r\\n )\\r\\n on CAStatus\\r\\n| project-away CAStatus1, TimeGenerated\\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Conditional Access Status\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CAStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAdaptiveVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Adaptive Access Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Deception Platforms](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDeception platform technologies provide decoy environments, from individual machines to entire networks, that can be used to deflect attacks away from the operational systems supporting agency missions/business functions.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Microsoft Sentinel Deception Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-microsoft-sentinel-deception-solution/ba-p/2904945)
\\r\\n💡 [Deploy and monitor Azure Key Vault honeytokens with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/monitor-key-vault-honeytokens?tabs=deploy-at-scale)
\\r\\n💡 [Manage Sensitive or Honeytoken Accounts](https://docs.microsoft.com/defender-for-identity/manage-sensitive-honeytoken-accounts)
\\r\\n\\r\\n### Microsoft Portal\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Identity](https://portal.atp.azure.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.AE, RS.AN](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where id contains \\\"deception\\\" or id contains \\\"honey\\\" or id contains \\\"HTDK\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Deception Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"honeytoken\\\" or Title contains \\\"deception\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, 
FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Deception\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| 
where RecommendationDisplayName contains \\\"honey\\\" or RecommendationDisplayName contains \\\"deception\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDeceptionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Deception Platforms\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Certificate Transparency Log Monitoring](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCertificate transparency log monitoring allows agencies to discover when new certificates are issued for agency domains.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Get Started with Key Vault Certificates](https://docs.microsoft.com/azure/key-vault/certificates/certificate-scenarios)
\\r\\n💡 [Security Recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"cert\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"key\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Key Vault Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Description contains \\\"certificate\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Certificates\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These 
Thresholds\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCertificateVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Certificate Transparency Log Monitoring\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Intrusion Detection Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# 
[Enterprise](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nEnterprise-based controls including security orchestration automation & response, shadow IT detection, and virtual private networks. \"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Enterprise Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 113\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Orchestration, Automation, and Response\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SOAR\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Shadow IT Detection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Shadow\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Virtual Private Network (VPN)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"VPN\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"6a82c6f2-dde9-45d9-acf4-23e96b5b2647\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSOARVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SOAR\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isShadowVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Shadow\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"750b4451-0f5d-4e58-95c2-c4b4c8991335\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isVPNVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"VPN\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a2f3d34f-7824-4733-bddc-00efb62da0f2\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Orchestration, Automation, and Response (SOAR)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nSecurity Orchestration, Automation, and Response (SOAR) tools define, prioritize, and automate the response to security incidents.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Logic Apps](https://azure.microsoft.com/services/logic-apps/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Tutorial: Setup Automated Threat Responses in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, DE.DP, RS.CO, RS.AN, RC.RP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type == \\\"microsoft.logic/workflows\\\"\\r\\n| extend Connection = parse_json(properties)[\\\"parameters\\\"][\\\"$connections\\\"][\\\"value\\\"]\\r\\n| where Connection has \\\"managedApis/azuresentinel\\\"\\r\\n| project id, type, resourceGroup\",\"size\":0,\"showAnalytics\":true,\"title\":\"SOAR Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"playbook\\\" or RecommendationDisplayName contains \\\"automation\\\" or RecommendationDisplayName contains \\\"logic\\\" or RecommendationDisplayName contains \\\"notification\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed 
= countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where OperationNameValue startswith \\\"Microsoft.Logic\\\"\\r\\n| where ActivityStatusValue == \\\"Success\\\" or ActivityStatusValue == \\\"Succeeded\\\"\\r\\n| extend scope_ = tostring(Authorization_d.scope)\\r\\n| parse-where scope_ with * 'workflows/' PlaybookName '/' *\\r\\n| where PlaybookName contains \\\"notify\\\" or PlaybookName contains \\\"email\\\" or PlaybookName contains \\\"teams\\\" or PlaybookName contains \\\"ticket\\\" or PlaybookName contains \\\"post\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by PlaybookName\\r\\n| render timechart \",\"size\":0,\"showAnnotations\":true,\"showAnalytics\":true,\"title\":\"Notification SOAR Playbooks (Triggered over Time)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. 
Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSOARVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Security Orchestration, Automation, and Response (SOAR)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Shadow IT Detection](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nShadow IT detection systems detect the presence of unauthorized software and systems in use by an agency.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Tutorial: Discover and Manage Shadow IT in Your Network](https://docs.microsoft.com/cloud-app-security/tutorial-shadow-it)
\\r\\n💡 [Review Your Security Recommendations](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Endpoint Discovery - Navigating Your Way Through Unmanaged Devices](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating-your-way-through-unmanaged-devices/ba-p/2248909)
\\r\\n💡 [Device Discovery Overview](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery)
\\r\\n💡 [Welcome to Microsoft Defender for IoT](https://docs.microsoft.com/azure/defender-for-iot/overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Defender for IoT](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.IP, PR.MA, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Description contains \\\"shadow\\\" or Description contains \\\"unauth\\\" or Description contains \\\"rogue\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Shadow IT\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"safe\\\" or RecommendationDisplayName contains \\\"authorized\\\" or RecommendationDisplayName contains \\\"endpoint protection\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by 
RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| extend Azure_Inventory=location\\r\\n| extend M365_Inventory=strcat(\\\"https://security.microsoft.com/machines\\\")\\r\\n| project AssetID=id,AssetType=type, Azure_Inventory, M365_Inventory\\r\\n| sort by AssetType desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Asset Inventory\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isShadowVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Shadow IT Detection\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Virtual Private Network (VPN)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nVirtual private network (VPN) solutions provide a secure communications mechanism between networks that may traverse across unprotected or public networks.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [VPN Gateway]( https://azure.microsoft.com/services/vpn-gateway/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is VPN Gateway?](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.DS, PR.IP, PR.MA, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"private\\\" or RecommendationDisplayName contains \\\"vpn\\\" or RecommendationDisplayName contains \\\"network gateway\\\" or RecommendationDisplayName contains \\\"express\\\" or RecommendationDisplayName contains \\\"VPC\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"gate\\\" or type contains \\\"bastion\\\" or type contains \\\"route\\\" or type contains \\\"privateend\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"VPN Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isVPNVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Virtual Private Network (VPN)\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Enterprise Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Unified Communications & Collaboration](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nUCC measures including identity verification, encrypted communications, connection terminations, and data loss prevention. 
\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Unified Communications & Collaboration Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 114\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"UCC Identity Verification\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Identity\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"UCC Encrypted Communication\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Encrypted\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"UCC Connection Termination\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Connection\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"UCC Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIdentityVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Identity\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEncryptedVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Encrypted\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9b640df5-5ec5-41bc-8e78-086304ed742a\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isConnectionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Connection\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"893f0857-1ccf-4c35-8432-abe89d1fcf15\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"t
rue\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"767d26fb-524c-448c-9240-40f069a8db45\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Identity Verification](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentity verification ensures that access to the virtual meeting is limited to appropriate individuals. Waiting room features, where the meeting host authorizes vetted individuals to join the meeting can also be utilized.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Security and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-security-guide)
\\r\\n💡 [Identity Models and Authentication for Microsoft Teams](https://docs.microsoft.com/microsoftteams/identify-models-authentication)
\\r\\n💡 [Microsoft Sentinel and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-sentinel-guide)
\\r\\n💡 [Microsoft Teams Meeting Attendance Report](https://docs.microsoft.com/microsoftteams/teams-analytics-and-reports/meeting-attendance-report)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where AppDisplayName has_any (\\\"teams\\\", \\\"webex\\\", \\\"slack\\\", \\\"zoom\\\", \\\"meet\\\", \\\"chat\\\", \\\"goto\\\")\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId, AppDisplayName\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, AppDisplayName, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"UCC Authentications\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIdentityVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Identity Verification\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Encrypted 
Communication](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCommunication between virtual meeting participants and any data exchanged is encrypted at rest and in transit. Some UCC offerings support end-to-end encryption, where encryption is performed on the clients and can only be decrypted by the other authenticated participants and cannot be decrypted by the UCC vendor.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [OfficeActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/officeactivity) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Security and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-security-guide)
\\r\\n💡 [Microsoft Sentinel and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-sentinel-guide)
\\r\\n💡 [Trustworthy by Default](https://docs.microsoft.com/microsoftteams/teams-security-guide#trustworthy-by-default)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where RecordType == \\\"MicrosoftTeams\\\"\\r\\n| extend TeamsMembers = strcat(Members)\\r\\n| distinct Operation, UserId, TeamsMembers, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Teams Logs\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * 
'/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"web apps\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEncryptedVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Encrypted Communication\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Connection Termination](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMechanisms that ensure the meeting host can positively control participation. These can include inactivity timeouts, on-demand prompts, unique access codes for each meeting, host participant eviction, and even meeting duration limits.\\r\\n\\r\\n### Implementation \\r\\n💡 [Manage Meeting Policies in Teams](https://docs.microsoft.com/microsoftteams/meeting-policies-in-teams)
\\r\\n💡 [Manage Microsoft Teams Rooms](https://docs.microsoft.com/microsoftteams/rooms/rooms-manage)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Teams Admin Center](https://admin.teams.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, PR.AT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":1,\"content\":{\"json\":\"### ✳️ [Leverage Microsoft Teams for UCC Connection Termination Controls via Meeting Policies](https://docs.microsoft.com/microsoftteams/meeting-policies-in-teams?WT.mc_id=Portal-fx)\\r\\n![Image Name](https://docs.microsoft.com/microsoftteams/media/designated-presenter-role.png) \\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isConnectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Connection Termination\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMechanisms for controlling the sharing of information between UCC participants, intentional or incidental. This may be integrated into additional agency data loss prevention technologies and can include keyword matching, attachment file type or existence prohibitions, attachment size limitations, or even audio/visual filters.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Data Loss Prevention and Microsoft Teams](https://docs.microsoft.com/microsoft-365/compliance/dlp-microsoft-teams)
\\r\\n💡[Communication Compliance in Microsoft 365](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-solution-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| summarize count() by ApplicationName_s, LabelName_s\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensitive Data Actions by Application\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Data Loss Prevention\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Protection](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nData protection measures including access control, protections for data at rest, protections for data in transit, data loss prevention, and data 
access & use telemetry. \"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Protection Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 115\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Access\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Protections for Data at Rest\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Rest\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Protections for Data in Transit\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Transit\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Access and Use Telemetry\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Use\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"6a82c6f2-dde9-45d9-acf4-23e96b5b2647\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAccessVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Access\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRestVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Rest\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b91d3f98-d0d1-4e31-a63c-d949e61ec08b\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isTransitVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Transit\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a34338fa-6463-4b8f-866f-2d79396eceb7\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaC
ontext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9a520097-2a54-41dd-bf84-7ca039dd1939\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Use\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"22c31b63-743c-4b33-924e-26a70aa0fefb\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control technologies allow an agency to define policies concerning the allowable activities of users and entities to data and resources.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [How Access Management in Azure AD works](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups#how-access-management-in-azure-ad-works)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId, AppDisplayName\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, AppDisplayName, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Access by Application\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":2500,\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OperationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Runs\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"TrendList\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0\\r\\n| where Location <> \\\"\\\"\\r\\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\\r\\n| extend city_ = tostring(LocationDetails.city)\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"User Sign-Ins by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Caller\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OperationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Runs\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"TrendList\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":10,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"},\"numberFormatSettings\":{\"un
it\":0,\"options\":{\"style\":\"decimal\"}}}},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"showPin\":false,\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAccessVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Protections for Data at Rest](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData protection at rest aims to secure data stored on any endpoint or storage medium.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Data Encryption at Rest](https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest)
\\r\\n💡 [About Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\")\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isRestVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Protections for Data at Rest\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Protections for Data in Transit](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData protection in transit, or data in motion, aims to secure data that is actively moving from one location to another, such as across the internet or through a private enterprise network.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Data Encryption in Transit](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit)
\\r\\n💡 [About Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Encryption for Data in Transit](https://docs.microsoft.com/compliance/assurance/assurance-encryption-in-transit)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName has_any(\\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\")\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isTransitVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Protections for Data in Transit\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n💡 [Hunt for Threats with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/hunting)
\\r\\n💡 [Learn about Microsoft 365 Endpoint Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)
\\r\\n💡 [Configure and View Alerts for DLP Polices](https://docs.microsoft.com/microsoft-365/compliance/dlp-configure-view-alerts-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Description contains \\\"data\\\" or Title contains \\\"data\\\" or Description contains \\\"loss\\\" or Title contains \\\"loss\\\" or Description contains \\\"exfil\\\" or Title contains \\\"exfil\\\" or Tactics contains \\\"exfil\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Data Loss\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| project UserId_s, LabelName_s, Operation_s, Activity_s, IPv4_s, ProtectionOwner_s, ApplicationName_s, ProcessName_s, Platform_s, ContentId_g, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Scan/Monitor for Sensitive Data with Azure Information Protection\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Access and Use 
Telemetry](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentify agency sensitive data stored, processed, or transmitted, including those located at a service provider. Enforce detailed logging for access or changes to sensitive data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [What is Azure Information Protection?](https://docs.microsoft.com/azure/information-protection/what-is-information-protection)
\\r\\n💡 [Tutorial: Discovering Your Sensitive Content with the Azure Information Protection (AIP) scanner](https://docs.microsoft.com/azure/information-protection/tutorial-scan-networks-and-content)
\\r\\n💡 [Quickstart: Deploying the Azure Information Protection (AIP) Unified Labeling Client](https://docs.microsoft.com/azure/information-protection/quickstart-deploy-client)
\\r\\n💡 [Azure Information Protection (AIP) Labeling, Classification, and Protection](https://docs.microsoft.com/azure/information-protection/aip-classification-and-protection)
\\r\\n💡 [Overview of Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/data-loss-prevention-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.PT, DE.AE, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| summarize count() by UserId_s, LabelName_s, ApplicationName_s_s, Operation_s_s, Platform_s_s, Activity_s_s, IPv4_s_s\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Data Access and Use Telemetry\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| extend UserPrincipalName = UserId_s_s\\r\\n| where LabelName_s <> \\\"\\\"\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend State = tostring(LocationDetails.state)\\r\\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Sensitive Data Access by 
Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"lati
tude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\"}]}}},\"name\":\"query - 12\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Access and Use Telemetry\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Protection Group\"}],\"fromTemplateId\":\"sentinel-ZeroTrust(TIC3.0)\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
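Review bot: the "Sensitive Data Access by Geolocation" panel is declared as `"visualization":"map"` but its query never produces the columns the map binds to: the KQL only adds `City`, `State` and `Country_Region` via `extend`, while `mapSettings` expects `latitude_` and `longitude_`, a `Location` column for `locInfoColumn`/`sizeSettings`/`legendMetric`, and `city_` for `labelSettings`, so the map stays empty even when the join returns rows. Either project the names the map expects (for example `| extend Location = Country_Region, city_ = City`) or point `locInfoColumn` at `Country_Region`. The same group is also inconsistent about the user column: the first panel summarizes by `UserId_s`, the geolocation panel does `extend UserPrincipalName = UserId_s_s`; confirm against the `InformationProtectionLogs_CL` schema which suffix is real. Both fixes belong in Workbooks/ZeroTrustTIC3.json, with the serialized copy in mainTemplate.json regenerated rather than hand-edited.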
@@ -166,37 +155,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "ZeroTrust(TIC3.0) Analytics Rule 1 with template", - "displayName": "ZeroTrust(TIC3.0) Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Zero_Trust_TIC3.0_ControlAssessmentPostureChange_AnalyticalRules Analytics Rule with template version 2.0.6", + "description": 
"Zero_Trust_TIC3.0_ControlAssessmentPostureChange_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion1')]", @@ -205,7 +187,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId1')]", + "name": "[variables('analyticRulecontentId1')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -233,8 +215,8 @@ { "fieldMappings": [ { - "columnName": "URLCustomEntity", - "identifier": "Url" + "identifier": "Url", + "columnName": "URLCustomEntity" } ], "entityType": "URL" 
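Review bot: the new workbook `contentTemplates` block references `_workbookContentId1` in `contentId` but `_workbookcontentProductId1` in `contentProductId` and `id`; the mixed casing is a sign these were emitted by different generator passes, so confirm the variables block of mainTemplate.json (not in this diff) declares every name used here, otherwise template validation fails before anything deploys. The `dependsOn` now targets the `Microsoft.SecurityInsights/contentPackages` resource keyed by `_solutionId`, which this patch adds at the end of the resources array, so the ordering itself is fine.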
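Review bot: the -205 hunk renames the `AlertRuleTemplates` resource `name` from `variables('AnalyticRulecontentId1')` to `variables('analyticRulecontentId1')`, while the surrounding metadata block uses the underscore-prefixed `_analyticRulecontentId1` for `contentId`; two differently named variables now have to carry the same GUID. Check that both are declared and equal in the variables block, since a drift between them silently breaks the link between the deployed rule template and its package entry.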
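Review bot: the -233 hunk only swaps the order of `identifier` and `columnName` inside the URL entity mapping; JSON member order is not significant, so this is packaging-tool churn with no behavioural change and can be dropped to keep the diff reviewable.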
@@ -270,37 +252,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId1')]", + "contentKind": "AnalyticsRule", + "displayName": "ZeroTrust(TIC3.0) Control Assessment Posture Change", + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "Notify-GovernanceComplianceTeam-ZeroTrust playbook", - "displayName": "Notify-GovernanceComplianceTeam-ZeroTrust playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('playbookTemplateSpecName1'),'/',variables('playbookVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Notify-GovernanceComplianceTeam-ZeroTrust Playbook with template version 2.0.6", + "description": 
"Notify-GovernanceComplianceTeam-ZeroTrust Playbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", 
@@ -541,37 +516,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "Notify-GovernanceComplianceTeam-ZeroTrust", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName2')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "Create-AzureDevOpsTask-ZeroTrust playbook", - "displayName": "Create-AzureDevOpsTask-ZeroTrust playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('playbookTemplateSpecName2'),'/',variables('playbookVersion2'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Create-AzureDevOpsTask-ZeroTrust Playbook with template version 2.0.6", + "description": "Create-AzureDevOpsTask-ZeroTrust Playbook with template version 
3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", 
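Review bot: this hunk (and its siblings at -166, -270, -772 and -994) replaces the `templateSpecs`/`templateSpecs/versions` pair with a single `contentTemplates` resource and drops the `hidden-sentinelWorkspaceId` and `hidden-sentinelContentType` tags that previously tied each item to the workspace and content type. That is the expected shape for `contentSchemaVersion` 3.0.0, but anyone who inventories solution content by filtering template specs on those tags (scripts, policy, cost reports) loses that view after this upgrade; the `contentKind` property is the replacement and this should be called out in ReleaseNotes.md rather than left implicit.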
@@ -772,37 +740,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId2')]", + "contentKind": "Playbook", + "displayName": "Create-AzureDevOpsTask-ZeroTrust", + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName3')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "CreateJiraIssue-ZeroTrust playbook", - "displayName": "CreateJiraIssue-ZeroTrust playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('playbookTemplateSpecName3'),'/',variables('playbookVersion3'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CreateJiraIssue-ZeroTrust Playbook with template version 2.0.6", + "description": "CreateJiraIssue-ZeroTrust Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -994,17 +955,35 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId3')]", + "contentKind": "Playbook", + "displayName": "CreateJiraIssue-ZeroTrust", + "contentProductId": "[variables('_playbookcontentProductId3')]", + "id": "[variables('_playbookcontentProductId3')]", + "version": "[variables('playbookVersion3')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.6", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "ZeroTrust(TIC3.0)", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Microsoft Sentinel Zero Trust (TIC 3.0) solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across 25+ Microsoft and 3rd party products. The solution includes the new Zero Trust (TIC 3.0) Workbook, (1) Analytics Rule, and (3) Playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced with numerous Microsoft offerings. This Solution enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud, multi-cloud, hybrid, and on-premise workloads. For more information, see 💡Microsoft Zero Trust Model 💡Trusted Internet Connections: Core Guidance Documents

\n

Microsoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.

\n

Workbooks: 1, Analytic Rules: 1, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { diff --git a/Solutions/ZeroTrust(TIC3.0)/ReleaseNotes.md b/Solutions/ZeroTrust(TIC3.0)/ReleaseNotes.md new file mode 100644 index 0000000000..df2069c8bd --- /dev/null +++ b/Solutions/ZeroTrust(TIC3.0)/ReleaseNotes.md @@ -0,0 +1,6 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|-----------------------------------------------------------------------------------------------| +| 3.0.0 | 09-11-2023 | Changes for rebranding from Azure Active Directory Identity Protection to Microsoft Entra ID Protection | + + + diff --git a/Solutions/ZeroTrust(TIC3.0)/Workbooks/ZeroTrustTIC3.json b/Solutions/ZeroTrust(TIC3.0)/Workbooks/ZeroTrustTIC3.json index a322c10051..7e4fd005d3 100644 --- a/Solutions/ZeroTrust(TIC3.0)/Workbooks/ZeroTrustTIC3.json +++ b/Solutions/ZeroTrust(TIC3.0)/Workbooks/ZeroTrustTIC3.json 
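Review bot: the new `contentPackages` resource hard-codes `"version": "3.0.0"` and `"contentSchemaVersion": "3.0.0"` as literals while every `contentTemplates` block in the same file takes `packageVersion` from `[variables('_solutionVersion')]`; keeping the literal and the variable in sync by hand is exactly how the next repackage ends up with a package at one version and its content at another, so use the variable here too. It also ships `"icon": ""`; if the solution has an icon in its metadata it should be referenced, otherwise the gallery falls back to the default.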
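Review bot: the ReleaseNotes.md entry for 3.0.0 records only the rebranding from Azure Active Directory Identity Protection to Microsoft Entra ID Protection, yet most of this patch is the packaging migration from `Microsoft.Resources/templateSpecs` to `Microsoft.OperationalInsights/workspaces/providers/contentTemplates` and `contentPackages`, the bump to `contentSchemaVersion` 3.0.0 and the new Package/3.0.0.zip; add that to the change history so consumers know why the resource types in mainTemplate.json changed. The three trailing empty `+` lines at the end of the new file can also be dropped.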
@@ -131,7 +131,7 @@ { "type": 1, "content": { - "json": "## Getting Started\r\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with Zero Trust (TIC 3.0) control requirements. A filter set is available for custom reporting by guides, subscriptions, workspaces, time-filtering, control family, and controls. This offering telemetry from 25+ Microsoft Security and partner offerings, while only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, each offering provides additional enrichment for aligning with control requirements. Each control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads. \r\n\r\n### [Recommended Microsoft Sentinel Roles](https://docs.microsoft.com/azure/sentinel/roles) / [Recommended Microsoft Defender for Cloud Roles](https://docs.microsoft.com/azure/defender-for-cloud/permissions#roles-and-allowed-actions)\r\n| Roles | Rights | \r\n|:--|:--|\r\n|Security Reader | View Workbooks, Analytics, Hunting, Security Recommendations |\r\n|Security Contributor| Deploy/Modify Workbooks, Analytics, Hunting Queries, Apply Security Recommendations |\r\n|Automation Contributor| Deploy/Modify Playbooks & Automation Rules |\r\n\r\n### Onboarding Prerequisites \r\n1️⃣ [Access Microsoft 365 Compliance Manager: Assessments](https://compliance.microsoft.com/compliancemanager?viewid=Assessments)
\r\n2️⃣ [Onboard Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
\r\n3️⃣ [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\r\n4️⃣ [Continuously Export Security Center Data to Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/continuous-export)
\r\n5️⃣ [Extend Microsoft Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)
\r\n6️⃣ [Implement CLAW Aggregator](https://github.com/Azure/trusted-internet-connection)
\r\n7️⃣ [Configure Auto Provisioning of Microsoft Defender for Cloud Agents](https://docs.microsoft.com/azure/defender-for-cloud/enable-data-collection)
\r\n8️⃣ [Review Microsoft Service Trust Portal Documentation/Audit/Resources](https://servicetrust.microsoft.com/)
\r\n\r\n### Recommended Enrichments\r\n✳️[Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n✳️[Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\r\n✳️[Azure Firewall Premium](https://azure.microsoft.com/services/azure-firewall)
\r\n✳️[Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\r\n✳️[Azure Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/)
\r\n✳️[Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)
\r\n✳️[Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\r\n✳️[Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender)
\r\n✳️[Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)
\r\n✳️[Key Vault](https://azure.microsoft.com/services/key-vault/)
\r\n✳️[Azure DDoS Protection](https://azure.microsoft.com/services/ddos-protection/)
\r\n✳️[Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender)
\r\n\r\n### Print/Export Report\r\n1️⃣ Set Background Theme: Settings > Appearance > Theme: Azure > Apply
\r\n2️⃣ Print/Export Report: More Content Actions (...) > Print Content
\r\n3️⃣ Settings: Layout (Landscape), Pages (All), Print (One Sided), Scale (60), Pages Per Sheet (1), Quality (1,200 DPI), Margins (None) > Print
\r\n\r\n### Important\r\nThis solution provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective requirements. Each control is associated with one or more 💡[Azure Policy](https://docs.microsoft.com/azure/governance/policy/overview) definitions. These policies may help you 💡[assess compliance](https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data) with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. ", + "json": "## Getting Started\r\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with Zero Trust (TIC 3.0) control requirements. A filter set is available for custom reporting by guides, subscriptions, workspaces, time-filtering, control family, and controls. 
This offering telemetry from 25+ Microsoft Security and partner offerings, while only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, each offering provides additional enrichment for aligning with control requirements. Each control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads. \r\n\r\n### [Recommended Microsoft Sentinel Roles](https://docs.microsoft.com/azure/sentinel/roles) / [Recommended Microsoft Defender for Cloud Roles](https://docs.microsoft.com/azure/defender-for-cloud/permissions#roles-and-allowed-actions)\r\n| Roles | Rights | \r\n|:--|:--|\r\n|Security Reader | View Workbooks, Analytics, Hunting, Security Recommendations |\r\n|Security Contributor| Deploy/Modify Workbooks, Analytics, Hunting Queries, Apply Security Recommendations |\r\n|Automation Contributor| Deploy/Modify Playbooks & Automation Rules |\r\n\r\n### Onboarding Prerequisites \r\n1️⃣ [Access Microsoft 365 Compliance Manager: Assessments](https://compliance.microsoft.com/compliancemanager?viewid=Assessments)
\r\n2️⃣ [Onboard Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
\r\n3️⃣ [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\r\n4️⃣ [Continuously Export Security Center Data to Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/continuous-export)
\r\n5️⃣ [Extend Microsoft Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)
\r\n6️⃣ [Implement CLAW Aggregator](https://github.com/Azure/trusted-internet-connection)
\r\n7️⃣ [Configure Auto Provisioning of Microsoft Defender for Cloud Agents](https://docs.microsoft.com/azure/defender-for-cloud/enable-data-collection)
\r\n8️⃣ [Review Microsoft Service Trust Portal Documentation/Audit/Resources](https://servicetrust.microsoft.com/)
\r\n\r\n### Recommended Enrichments\r\n✳️[Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\r\n✳️[Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\r\n✳️[Azure Firewall Premium](https://azure.microsoft.com/services/azure-firewall)
\r\n✳️[Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\r\n✳️[Azure Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/)
\r\n✳️[Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)
\r\n✳️[Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\r\n✳️[Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender)
\r\n✳️[Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)
\r\n✳️[Key Vault](https://azure.microsoft.com/services/key-vault/)
\r\n✳️[Azure DDoS Protection](https://azure.microsoft.com/services/ddos-protection/)
\r\n✳️[Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender)
\r\n\r\n### Print/Export Report\r\n1️⃣ Set Background Theme: Settings > Appearance > Theme: Azure > Apply
\r\n2️⃣ Print/Export Report: More Content Actions (...) > Print Content
\r\n3️⃣ Settings: Layout (Landscape), Pages (All), Print (One Sided), Scale (60), Pages Per Sheet (1), Quality (1,200 DPI), Margins (None) > Print
\r\n\r\n### Important\r\nThis solution provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective requirements. Each control is associated with one or more 💡[Azure Policy](https://docs.microsoft.com/azure/governance/policy/overview) definitions. These policies may help you 💡[assess compliance](https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data) with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. ", "style": "info" }, "name": "Help" 
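Review bot: since the -131 hunk re-emits the entire "Getting Started" string, this is the moment to fix the sentence "This offering telemetry from 25+ Microsoft Security and partner offerings, while only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, each offering provides additional enrichment", which has no main verb in either the old or the new text; "This offering ingests telemetry from 25+ Microsoft Security and partner offerings; while only ... are required to get started, each offering provides additional enrichment" reads cleanly. The rename of the enrichment entry to "Microsoft Entra ID" keeps the `/services/active-directory/` URL, which still redirects, so that part is fine.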
@@ -1579,7 +1579,7 @@ { "type": 1, "content": { - "json": "# [Recommended Data Connectors](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\r\n---\r\n\r\nAfter onboarding Microsoft Sentinel into your workspace, connect data sources to start ingesting your data into Microsoft Sentinel. Microsoft Sentinel comes with many connectors for Microsoft products, available out of the box and providing real-time integration. For example, service-to-service connectors include Microsoft 365 Defender connectors and Microsoft 365 sources, such as Office 365, Azure Active Directory (Azure AD), Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. Check out these references if you're new to Microsoft Sentinel." + "json": "# [Recommended Data Connectors](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\r\n---\r\n\r\nAfter onboarding Microsoft Sentinel into your workspace, connect data sources to start ingesting your data into Microsoft Sentinel. Microsoft Sentinel comes with many connectors for Microsoft products, available out of the box and providing real-time integration. For example, service-to-service connectors include Microsoft 365 Defender connectors and Microsoft 365 sources, such as Office 365, Microsoft Entra ID, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. Check out these references if you're new to Microsoft Sentinel." }, "customWidth": "40", "name": "NS Guide" @@ -1760,7 +1760,7 @@ { "type": 1, "content": { - "json": "### [Azure Active Directory (AAD) Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)" + "json": "### [Microsoft Entra ID Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)" }, "customWidth": "33", "name": "text - 2" 
@@ -4168,7 +4168,7 @@ { "type": 1, "content": { - "json": "### [Azure Active Directory Identity Protection Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection)" + "json": "### [Microsoft Entra ID Protection Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection)" }, "customWidth": "33", "name": "text - 2" @@ -5196,7 +5196,7 @@ { "type": 1, "content": { - "json": "# [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)\r\n---\r\nAzure Lighthouse helps service providers simplify customer engagement and onboarding experiences, while managing delegated resources at scale with agility and precision. Authorized users, groups, and service principals can work directly in the context of a customer subscription without having an account in that customer's Azure Active Directory (Azure AD) tenant or being a co-owner of the customer's tenant. The mechanism used to support this access is called Azure delegated resource management. " + "json": "# [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)\r\n---\r\nAzure Lighthouse helps service providers simplify customer engagement and onboarding experiences, while managing delegated resources at scale with agility and precision. Authorized users, groups, and service principals can work directly in the context of a customer subscription without having an account in that customer's Microsoft Entra ID tenant or being a co-owner of the customer's tenant. The mechanism used to support this access is called Azure delegated resource management. " }, "customWidth": "40", "name": "text - 5" 
@@ -6844,7 +6844,7 @@ { "type": 1, "content": { - "json": "# [Configuration Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nImplementing a formal plan for documenting, managing changes to the environment, and monitoring for deviations, preferably automated.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation \r\n💡 [Enable Change Tracking and Inventory From an Automation Account](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-automation-account)
\r\n💡 [Ensure Your Endpoints Are Configured Properly](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines)
\r\n💡 [Secure Score in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/secure-score-security-controls)
\r\n\r\n### Microsoft Portals\r\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\r\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[ID.BE, PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" + "json": "# [Configuration Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nImplementing a formal plan for documenting, managing changes to the environment, and monitoring for deviations, preferably automated.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation \r\n💡 [Enable Change Tracking and Inventory From an Automation Account](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-automation-account)
\r\n💡 [Ensure Your Endpoints Are Configured Properly](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines)
\r\n💡 [Secure Score in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/secure-score-security-controls)
\r\n\r\n### Microsoft Portals\r\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\r\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[ID.BE, PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" }, "conditionalVisibility": { "parameterName": "isUniversalSecurityCapabilitiesVisible", @@ -7984,7 +7984,7 @@ { "type": 1, "content": { - "json": "# [Inventory](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nDeveloping, documenting, and maintaining a current inventory of all systems, networks, and components so that only authorized endpoints are given access, and unauthorized and un-managed endpoints are found and prevented from gaining access.\r\n\r\n### Recommended Logs\r\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n🔷 [DeviceRegistryEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceregistryevents) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\r\n\r\n### Implementation \r\n💡 [Explore and Manage Your Resources With Asset Inventory](https://docs.microsoft.com/azure/security-center/asset-inventory)
\r\n💡 [View Installed Software](https://docs.microsoft.com/azure/automation/automation-tutorial-installed-software#view-installed-software)
\r\n💡 [What is Azure Resource Graph?](https://docs.microsoft.com/azure/governance/resource-graph/overview)
\r\n\t\r\n### Microsoft Portals\r\n🔀 [Azure Resource Graph Explorer](https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade)
\r\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[ID.AM, PR.AC, PR.DS, PR.IP](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" + "json": "# [Inventory](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nDeveloping, documenting, and maintaining a current inventory of all systems, networks, and components so that only authorized endpoints are given access, and unauthorized and un-managed endpoints are found and prevented from gaining access.\r\n\r\n### Recommended Logs\r\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\r\n🔷 [DeviceRegistryEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceregistryevents) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\r\n\r\n### Implementation \r\n💡 [Explore and Manage Your Resources With Asset Inventory](https://docs.microsoft.com/azure/security-center/asset-inventory)
\r\n💡 [View Installed Software](https://docs.microsoft.com/azure/automation/automation-tutorial-installed-software#view-installed-software)
\r\n💡 [What is Azure Resource Graph?](https://docs.microsoft.com/azure/governance/resource-graph/overview)
\r\n\t\r\n### Microsoft Portals\r\n🔀 [Azure Resource Graph Explorer](https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade)
\r\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[ID.AM, PR.AC, PR.DS, PR.IP](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" }, "conditionalVisibility": { "parameterName": "isUniversalSecurityCapabilitiesVisible", @@ -8492,7 +8492,7 @@ { "type": 1, "content": { - "json": "# [Least Privilege](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nDesigning the security architecture such that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.\r\n\r\n### Recommended Logs\r\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\r\n\r\n### Implementation \r\n💡 [Administrator roles by admin task in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/roles/delegate-by-task)
\r\n💡 [Overview of role-based access control in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/roles/custom-overview)
\r\n💡 [Azure Active Directory Sign-In Activity](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-all-sign-ins)
\r\n\r\n### Microsoft Portals\r\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[ID.AM, PR.AC, PR.IP, PR.PT, DE.CM](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" + "json": "# [Least Privilege](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nDesigning the security architecture such that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.\r\n\r\n### Recommended Logs\r\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\r\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\r\n\r\n### Implementation \r\n💡 [Administrator roles by admin task in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/roles/delegate-by-task)
\r\n💡 [Overview of role-based access control in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/roles/custom-overview)
\r\n💡 [Microsoft Entra ID Sign-In Activity](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-all-sign-ins)
\r\n\r\n### Microsoft Portals\r\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[ID.AM, PR.AC, PR.IP, PR.PT, DE.CM](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" }, "conditionalVisibility": { "parameterName": "isUniversalSecurityCapabilitiesVisible", @@ -8892,7 +8892,7 @@ { "type": 1, "content": { - "json": "# [Secure Administration](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nPerforming administrative tasks in a secure manner, using secure protocols.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation\r\n💡 [Delegate Administration in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/roles/concept-delegation)
\r\n💡 [Start Using Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started#)
 \r\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\r\n\r\n### Microsoft Portals\r\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\r\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[PR.MA](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" + "json": "# [Secure Administration](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nPerforming administrative tasks in a secure manner, using secure protocols.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation\r\n💡 [Delegate Administration in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/roles/concept-delegation)
\r\n💡 [Start Using Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started#)
 \r\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\r\n\r\n### Microsoft Portals\r\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\r\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[PR.MA](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" }, "name": "text - 3" }, @@ -9424,7 +9424,7 @@ { "type": 1, "content": { - "json": "# [Strong Authentication](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nVerifying the identity of users, endpoints, or other entities through rigorous means (e.g. multi-factor authentication) before granting access.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n\r\n### Implementation \r\n💡 [Plan an Azure AD Multi-Factor Authentication Deployment](https://docs.microsoft.com/azure/active-directory/authentication/howto)
\r\n💡 [How it works: Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks)
\r\n💡 [Remediate recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-remediate-recommendations)
\r\n💡 [SecretManagement and Accessing Linux VMs in Azure](https://techcommunity.microsoft.com/t5/itops-talk-blog/secretmanagement-and-accessing-linux-vms-in-azure/ba-p/2278735)
\r\n💡 [Eliminate Password-Based Attacks on Azure Linux VMs](https://techcommunity.microsoft.com/t5/azure-security-center/eliminate-password-based-attacks-on-azure-linux-vms/ba-p/2271139)
\r\n💡 [Quickstart: Create a Key Vault Using the Azure Portal](https://techcommunity.microsoft.com/t5/itops-talk-blog/secretmanagement-and-accessing-linux-vms-in-azure/ba-p/2278735)
\r\n\t\r\n### Microsoft Portals\r\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[PR.AC](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" + "json": "# [Strong Authentication](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nVerifying the identity of users, endpoints, or other entities through rigorous means (e.g. multi-factor authentication) before granting access.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n\r\n### Implementation \r\n💡 [Plan an Azure AD Multi-Factor Authentication Deployment](https://docs.microsoft.com/azure/active-directory/authentication/howto)
\r\n💡 [How it works: Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks)
\r\n💡 [Remediate recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-remediate-recommendations)
\r\n💡 [SecretManagement and Accessing Linux VMs in Azure](https://techcommunity.microsoft.com/t5/itops-talk-blog/secretmanagement-and-accessing-linux-vms-in-azure/ba-p/2278735)
\r\n💡 [Eliminate Password-Based Attacks on Azure Linux VMs](https://techcommunity.microsoft.com/t5/azure-security-center/eliminate-password-based-attacks-on-azure-linux-vms/ba-p/2271139)
\r\n💡 [Quickstart: Create a Key Vault Using the Azure Portal](https://techcommunity.microsoft.com/t5/itops-talk-blog/secretmanagement-and-accessing-linux-vms-in-azure/ba-p/2278735)
\r\n\t\r\n### Microsoft Portals\r\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[PR.AC](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" }, "conditionalVisibility": { "parameterName": "isUniversalSecurityCapabilitiesVisible", @@ -10749,7 +10749,7 @@ { "type": 1, "content": { - "json": "# [Auditing and Accounting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nCapturing business records, including logs and other telemetry, and making them available for auditing and accounting as required. Design of the auditing system should take insider threat into consideration, including separation of duties violation tracking, such that insider abuse or misuse can be detected.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\r\n\r\n### Implementation \r\n💡 [Create Diagnostic Settings to Send Platform Logs and Metrics to Different Destinations](https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings)
\r\n💡 [Tutorial: Grant a User Access to Azure Resources Using the Azure Portal](https://docs.microsoft.com/azure/role-based-access-control/quickstart-assign-role-user-portal)
\r\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\r\n💡 [Auditing Microsoft Sentinel Activities](https://techcommunity.microsoft.com/t5/azure-sentinel/auditing-azure-sentinel-activities/ba-p/1718328)
\r\n\r\n### Microsoft Portals\r\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n\r\n### NIST CSF Mapping\r\n[ID.SC, PR.AC, PR.PT](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" + "json": "# [Auditing and Accounting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nCapturing business records, including logs and other telemetry, and making them available for auditing and accounting as required. Design of the auditing system should take insider threat into consideration, including separation of duties violation tracking, such that insider abuse or misuse can be detected.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\r\n\r\n### Implementation \r\n💡 [Create Diagnostic Settings to Send Platform Logs and Metrics to Different Destinations](https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings)
\r\n💡 [Tutorial: Grant a User Access to Azure Resources Using the Azure Portal](https://docs.microsoft.com/azure/role-based-access-control/quickstart-assign-role-user-portal)
\r\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\r\n💡 [Auditing Microsoft Sentinel Activities](https://techcommunity.microsoft.com/t5/azure-sentinel/auditing-azure-sentinel-activities/ba-p/1718328)
\r\n\r\n### Microsoft Portals\r\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n\r\n### NIST CSF Mapping\r\n[ID.SC, PR.AC, PR.PT](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" }, "name": "text - 3" }, @@ -13002,7 +13002,7 @@ { "type": 1, "content": { - "json": "# [Effective Use of Shared Services](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nEmploying shared services, where applicable, that can be individually tailored, measured to independently validate service conformance, and offer effective protections for tenants against malicious actors, both external as well as internal to the service provider.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation \r\n💡 [Get Started with Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)
\r\n💡 [Customer Lockbox for Microsoft Azure](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview)
\r\n💡 [What are External Identities in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/external-identities/compare-with-b2c)
\r\n\r\n### Microsoft Portals\r\n🔀 [Azure Lighthouse](https://portal.azure.com/#blade/Microsoft_Azure_CustomerHub/LighthouseBlade)
\r\n🔀 [Customer Lockbox for Microsoft Azure](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\r\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[ID.AM, ID.GV, ID.RM, ID.SC, PR.AT, RS.CO](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" + "json": "# [Effective Use of Shared Services](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nEmploying shared services, where applicable, that can be individually tailored, measured to independently validate service conformance, and offer effective protections for tenants against malicious actors, both external as well as internal to the service provider.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation \r\n💡 [Get Started with Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)
\r\n💡 [Customer Lockbox for Microsoft Azure](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview)
\r\n💡 [What are External Identities in Microsoft Entra ID?](https://docs.microsoft.com/azure/active-directory/external-identities/compare-with-b2c)
\r\n\r\n### Microsoft Portals\r\n🔀 [Azure Lighthouse](https://portal.azure.com/#blade/Microsoft_Azure_CustomerHub/LighthouseBlade)
\r\n🔀 [Customer Lockbox for Microsoft Azure](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\r\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[ID.AM, ID.GV, ID.RM, ID.SC, PR.AT, RS.CO](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" }, "name": "text - 3" }, @@ -13455,7 +13455,7 @@ { "type": 1, "content": { - "json": "# [Integrated Desktop, Mobile, and Remote Policies](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nDefining polices such that they apply to a given agency entity no matter its location.\r\n\r\n### Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation \r\n💡 [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\r\n💡 [What are Common Ways to Use Conditional Access with Intune?](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)
 \r\n\r\n### Microsoft Portals\r\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Microsoft Endpoint Manager Admin Center](https://devicemanagement.microsoft.com/)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[ID.AM, PR.AC, PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" + "json": "# [Integrated Desktop, Mobile, and Remote Policies](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nDefining polices such that they apply to a given agency entity no matter its location.\r\n\r\n### Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation \r\n💡 [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\r\n💡 [What are Common Ways to Use Conditional Access with Intune?](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)
 \r\n\r\n### Microsoft Portals\r\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Microsoft Endpoint Manager Admin Center](https://devicemanagement.microsoft.com/)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[ID.AM, PR.AC, PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" }, "name": "text - 3" }, @@ -19710,7 +19710,7 @@ { "type": 1, "content": { - "json": "# [Authenticated Proxy](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nAuthenticated proxies require entities to authenticate with the proxy before making use of it, enabling user, group, and location-aware security controls.\r\n\r\n### Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation \r\n💡 [Plan an Azure AD Application Proxy Deployment](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-deployment-plan)
\r\n💡 [Configure Real-Time Application Access Monitoring with Microsoft Defender for Cloud Apps and Azure Active Directory](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-integrate-with-microsoft-cloud-application-security)
\r\n💡 [Protect Apps with Microsoft Defender for Cloud Apps Conditional Access App Control](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
\r\n\r\n### Microsoft Portals\r\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[PR.AC](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" + "json": "# [Authenticated Proxy](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nAuthenticated proxies require entities to authenticate with the proxy before making use of it, enabling user, group, and location-aware security controls.\r\n\r\n### Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation \r\n💡 [Plan an Azure AD Application Proxy Deployment](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-deployment-plan)
\r\n💡 [Configure Real-Time Application Access Monitoring with Microsoft Defender for Cloud Apps and Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-integrate-with-microsoft-cloud-application-security)
\r\n💡 [Protect Apps with Microsoft Defender for Cloud Apps Conditional Access App Control](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
\r\n\r\n### Microsoft Portals\r\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[PR.AC](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" }, "name": "text - 3" }, @@ -21471,7 +21471,7 @@ { "type": 1, "content": { - "json": "# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nAccess control technologies allow an agency to define policies limiting what actions may be performed by connected users and entities.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n### Implementation \r\n💡 [Overview of Role-Based Access Control in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/roles/custom-overview)
\r\n💡 [What is Azure AD Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\r\n💡 [Secure Your Management Ports With Just-In-Time Access](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\r\n\r\n### Microsoft Portals\r\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n🔀 [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[PR.AC](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" + "json": "# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nAccess control technologies allow an agency to define policies limiting what actions may be performed by connected users and entities.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n### Implementation \r\n💡 [Overview of Role-Based Access Control in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/roles/custom-overview)
\r\n💡 [What is Azure AD Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\r\n💡 [Secure Your Management Ports With Just-In-Time Access](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\r\n\r\n### Microsoft Portals\r\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n🔀 [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[PR.AC](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" }, "name": "text - 3" }, @@ -24085,7 +24085,7 @@ { "type": 1, "content": { - "json": "# [Regional Delivery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nRegional delivery technologies enable the deployment of agency services across geographically diverse locations.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter)\r\n\r\n### Implementation \r\n💡 [Building Solutions for High Availability Using Availability Zones](https://docs.microsoft.com/azure/architecture/high-availability/building-solutions-for-high-availability)
 \r\n💡 [Azure Infrastructure Availability](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-availability) 
\r\n💡 [Data residency in Azure](https://azure.microsoft.com/global-infrastructure/data-residency/#overview) 
\r\n💡 [Regions and availability zones](https://docs.microsoft.com/azure/availability-zones/az-overview) 
\r\n\r\n### Microsoft Portals\r\n🔀 [Availability Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FavailabilitySets)
\r\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[ID.AM, PR.AC, PR.DS](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" + "json": "# [Regional Delivery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nRegional delivery technologies enable the deployment of agency services across geographically diverse locations.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\r\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter)\r\n\r\n### Implementation \r\n💡 [Building Solutions for High Availability Using Availability Zones](https://docs.microsoft.com/azure/architecture/high-availability/building-solutions-for-high-availability)
 \r\n💡 [Azure Infrastructure Availability](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-availability) 
\r\n💡 [Data residency in Azure](https://azure.microsoft.com/global-infrastructure/data-residency/#overview) 
\r\n💡 [Regions and availability zones](https://docs.microsoft.com/azure/availability-zones/az-overview) 
\r\n\r\n### Microsoft Portals\r\n🔀 [Availability Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FavailabilitySets)
\r\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[ID.AM, PR.AC, PR.DS](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" }, "name": "text - 3" }, @@ -26127,7 +26127,7 @@ { "type": 1, "content": { - "json": "# [Adaptive Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nAdaptive access control technologies factor in additional context, like security risk, operational needs, and other heuristics, when evaluating access control decisions.\r\n\r\n### Microsoft Reference \r\n💡 [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\r\n💡 [Use adaptive application controls to reduce your machines' attack surfaces](https://docs.microsoft.com/Azure/defender-for-cloud/adaptive-application-controls)
\r\n💡 [Improve your network security posture with adaptive network hardening](https://docs.microsoft.com/Azure/defender-for-cloud/adaptive-application-controls)
\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Microsoft Portals\r\n🔀 [Microsoft Defender for Cloud: Workload Protections](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/26)
\r\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[PR.AC, DE.CM](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" + "json": "# [Adaptive Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nAdaptive access control technologies factor in additional context, like security risk, operational needs, and other heuristics, when evaluating access control decisions.\r\n\r\n### Microsoft Reference \r\n💡 [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\r\n💡 [Use adaptive application controls to reduce your machines' attack surfaces](https://docs.microsoft.com/Azure/defender-for-cloud/adaptive-application-controls)
\r\n💡 [Improve your network security posture with adaptive network hardening](https://docs.microsoft.com/Azure/defender-for-cloud/adaptive-application-controls)
\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Microsoft Portals\r\n🔀 [Microsoft Defender for Cloud: Workload Protections](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/26)
\r\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[PR.AC, DE.CM](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" }, "name": "text - 3" }, @@ -28500,7 +28500,7 @@ { "type": 1, "content": { - "json": "# [UCC Identity Verification](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nIdentity verification ensures that access to the virtual meeting is limited to appropriate individuals. Waiting room features, where the meeting host authorizes vetted individuals to join the meeting can also be utilized.\r\n\r\n### Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation \r\n💡 [Security and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-security-guide)
\r\n💡 [Identity Models and Authentication for Microsoft Teams](https://docs.microsoft.com/microsoftteams/identify-models-authentication)
\r\n💡 [Microsoft Sentinel and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-sentinel-guide)
\r\n💡 [Microsoft Teams Meeting Attendance Report](https://docs.microsoft.com/microsoftteams/teams-analytics-and-reports/meeting-attendance-report)
\r\n\r\n### Microsoft Portals\r\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\r\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[PR.AC](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" + "json": "# [UCC Identity Verification](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nIdentity verification ensures that access to the virtual meeting is limited to appropriate individuals. Waiting room features, where the meeting host authorizes vetted individuals to join the meeting can also be utilized.\r\n\r\n### Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation \r\n💡 [Security and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-security-guide)
\r\n💡 [Identity Models and Authentication for Microsoft Teams](https://docs.microsoft.com/microsoftteams/identify-models-authentication)
\r\n💡 [Microsoft Sentinel and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-sentinel-guide)
\r\n💡 [Microsoft Teams Meeting Attendance Report](https://docs.microsoft.com/microsoftteams/teams-analytics-and-reports/meeting-attendance-report)
\r\n\r\n### Microsoft Portals\r\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\r\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[PR.AC](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" }, "name": "text - 3" }, @@ -29496,7 +29496,7 @@ { "type": 1, "content": { - "json": "# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nAccess control technologies allow an agency to define policies concerning the allowable activities of users and entities to data and resources.\r\n\r\n### Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation \r\n💡 [How Access Management in Azure AD works](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups#how-access-management-in-azure-ad-works)
\r\n\r\n### Microsoft Portals\r\n🔀 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[PR.AC, PR.IP, DE.CM](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" + "json": "# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nAccess control technologies allow an agency to define policies concerning the allowable activities of users and entities to data and resources.\r\n\r\n### Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation \r\n💡 [How Access Management in Azure AD works](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups#how-access-management-in-azure-ad-works)
\r\n\r\n### Microsoft Portals\r\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[PR.AC, PR.IP, DE.CM](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" }, "name": "text - 3" }, @@ -30721,7 +30721,7 @@ { "type": 1, "content": { - "json": "# [Data Access and Use Telemetry](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nIdentify agency sensitive data stored, processed, or transmitted, including those located at a service provider. Enforce detailed logging for access or changes to sensitive data.\r\n\r\n### Recommended Logs\r\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Microsoft Reference \r\n💡 [What is Azure Information Protection?](https://docs.microsoft.com/azure/information-protection/what-is-information-protection)
\r\n💡 [Tutorial: Discovering Your Sensitive Content with the Azure Information Protection (AIP) scanner](https://docs.microsoft.com/azure/information-protection/tutorial-scan-networks-and-content)
\r\n💡 [Quickstart: Deploying the Azure Information Protection (AIP) Unified Labeling Client](https://docs.microsoft.com/azure/information-protection/quickstart-deploy-client)
\r\n💡 [Azure Information Protection (AIP) Labeling, Classification, and Protection](https://docs.microsoft.com/azure/information-protection/aip-classification-and-protection)
\r\n💡 [Overview of Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/data-loss-prevention-policies)
\r\n\r\n### Microsoft Portals\r\n🔀 [Azure Active Directory](https://portal.azure.com#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n🔀 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[ID.AM, PR.AC, PR.DS, PR.PT, DE.AE, DE.CM](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" + "json": "# [Data Access and Use Telemetry](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nIdentify agency sensitive data stored, processed, or transmitted, including those located at a service provider. Enforce detailed logging for access or changes to sensitive data.\r\n\r\n### Recommended Logs\r\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Microsoft Reference \r\n💡 [What is Azure Information Protection?](https://docs.microsoft.com/azure/information-protection/what-is-information-protection)
\r\n💡 [Tutorial: Discovering Your Sensitive Content with the Azure Information Protection (AIP) scanner](https://docs.microsoft.com/azure/information-protection/tutorial-scan-networks-and-content)
\r\n💡 [Quickstart: Deploying the Azure Information Protection (AIP) Unified Labeling Client](https://docs.microsoft.com/azure/information-protection/quickstart-deploy-client)
\r\n💡 [Azure Information Protection (AIP) Labeling, Classification, and Protection](https://docs.microsoft.com/azure/information-protection/aip-classification-and-protection)
\r\n💡 [Overview of Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/data-loss-prevention-policies)
\r\n\r\n### Microsoft Portals\r\n🔀 [Microsoft Entra ID](https://portal.azure.com#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n🔀 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[ID.AM, PR.AC, PR.DS, PR.PT, DE.AE, DE.CM](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment" }, "name": "text - 3" },
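Review bot: the spelling error "Defining polices" survives in the + line of the @@ -13455 hunk (Integrated Desktop, Mobile, and Remote Policies); since that string is already being rewritten for the Entra ID rename, change it to "Defining policies" in the same edit. The trailing space in "### Implementation \r\n" is carried over as well and could be dropped at the same time.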
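Review bot: the rename is incomplete in the @@ -19710 hunk (Authenticated Proxy): the + line still reads "Plan an Azure AD Application Proxy Deployment" while the log, portal and Defender for Cloud Apps entries beside it were changed to Microsoft Entra ID. Either rename that link title as well or state in the release notes that documentation titles are intentionally left as published.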
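Review bot: the @@ -21471 hunk (Access Control, first occurrence) has a likely wrong link: "Secure Your Management Ports With Just-In-Time Access" points at the same privileged-identity-management/pim-configure URL as the "What is Azure AD Privileged Identity Management?" entry directly above it, which reads as a copy-paste error, so the JIT link target should be verified before merge. The PIM title also keeps "Azure AD" although the RBAC title in the same line was changed to Microsoft Entra ID, and the SecurityRecommendation log entry links to the security-center continuous-export page whereas every other hunk in this patch links to the azure-monitor reference table for that log.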
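Review bot: whitespace nits in the @@ -24085 hunk (Regional Delivery): the + line keeps a leading space before "\r\n💡 [Azure Infrastructure Availability]" and trailing spaces after the Infrastructure Availability, Data residency, and Regions entries. The "Resources" log entry is also the only one in that list without the ✳️ source-product annotation the SecurityRecommendation and SigninLogs entries carry; worth tidying while the string is being edited.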
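Review bot: in the @@ -26127 hunk (Adaptive Access Control) the "Improve your network security posture with adaptive network hardening" entry links to the same defender-for-cloud/adaptive-application-controls URL as the adaptive application controls entry above it, so one of the two targets is wrong and should be corrected. This block also uses a "### Microsoft Reference" heading placed before "### Recommended Logs", while the other hunks use "### Implementation" after the logs; consider aligning the heading and section order.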
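Review bot: minor grammar in the @@ -28500 hunk (UCC Identity Verification): "Waiting room features, where the meeting host authorizes vetted individuals to join the meeting can also be utilized." needs a comma after "meeting" to close the parenthetical clause, and the + line is the natural place to fix it.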
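Review bot: the rename is incomplete in the @@ -29496 hunk (Access Control, second occurrence): the + line still reads "How Access Management in Azure AD works" right after the log and portal labels in the same string were changed to Microsoft Entra ID. Rename the link title too, or document why documentation titles are left as-is.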
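Review bot: the Microsoft Entra ID portal link in the @@ -30721 hunk (Data Access and Use Telemetry) is "https://portal.azure.com#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview", without the "/" before "#", while every other portal link in this patch uses "https://portal.azure.com/#blade/...". Since the line is being rewritten anyway, add the slash so the link matches the others.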