fix workbook

2021-12-22 12:35:10 +02:00 · 2021-12-22 12:35:10 +02:00 · 17b0d9ceae
--- a/Solutions/SentinelOne/Workbooks/SentinelOne.json
+++ b/Solutions/SentinelOne/Workbooks/SentinelOne.json
@ -134,7 +134,7 @@
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
-        "query": "let usr1 = SentinelOne\n| where isnotempty(SrcUserName)\n| project usr=SrcUserName;\nlet usr2 = SentinelOne\n| where isnotempty(DataSrcUserName)\n| project usr=DataSrcUserName;\nlet all_usr =\nunion isfuzzy=true usr1, usr2\n| summarize cnt = dcount(usr)\n| extend title = 'Users';\nlet agnt = SentinelOne\n| where isnotempty(AgentId)\n| summarize cnt = dcount(AgentId)\n| extend title = 'Agents';\nlet alerts = SentinelOne\n| where ActivityType == 3608\n| summarize cnt = count()\n| extend title = 'Alerts';\nunion isfuzzy=true all_usr, agnt, alerts",
+        "query": "let usr1 = SentinelOne\n| where isnotempty(SrcUserName)\n| project usr=SrcUserName;\nlet usr2 = SentinelOne\n| where isnotempty(DataUserName)\n| project usr=DataUserName;\nlet all_usr =\nunion isfuzzy=true usr1, usr2\n| summarize cnt = dcount(usr)\n| extend title = 'Users';\nlet agnt = SentinelOne\n| where isnotempty(AgentId)\n| summarize cnt = dcount(AgentId)\n| extend title = 'Agents';\nlet alerts = SentinelOne\n| where ActivityType == 3608\n| summarize cnt = count()\n| extend title = 'Alerts';\nunion isfuzzy=true all_usr, agnt, alerts",
        "size": 3,
        "title": "SentinelOne Summary",
        "timeContext": {
@ -196,7 +196,7 @@
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
-        "query": "SentinelOne\r\n| where isnotempty(DataRole)\r\n| where DataRole =~ 'Admin'\r\n| order by EventCreationTime\r\n| limit 100\r\n| project EventCreationTime, User=case(isnotempty(SrcUserName), SrcUserName, DataSrcUserName), Action=EventOriginalMessage",
+        "query": "SentinelOne\r\n| where isnotempty(DataRole)\r\n| where DataRole =~ 'Admin'\r\n| order by EventCreationTime\r\n| limit 100\r\n| project EventCreationTime, User=case(isnotempty(SrcUserName), SrcUserName, DataUserName), Action=EventOriginalMessage",
        "size": 1,
        "title": "Admin activities",
        "timeContext": {