Fix for the workbooks logs not loading ICM
This commit is contained in:
v-rucdu
Родитель
a63a585db1
Коммит
2e6a57b918
|
|
@ -277,7 +277,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData,CreatedTime) by IncidentNumber\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| summarize count() by bin(CreatedTime, 1h)\n\n\n\n",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData,CreatedTime) by IncidentNumber\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize count() by bin(CreatedTime, 1h)\n\n\n\n",
|
||||
"size": 1,
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
|
|
@ -322,7 +322,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\n| where Status == 'Closed'\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| extend feedback =strcat(Classification,\" \",ClassificationReason)\n| summarize dcount(IncidentNumber) by feedback\n",
|
||||
"query": "SecurityIncident\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\n| where Status == 'Closed'\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| extend feedback =strcat(Classification,\" \",ClassificationReason)\n| summarize dcount(IncidentNumber) by feedback\n",
|
||||
"size": 1,
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
|
|
@ -342,7 +342,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| summarize arg_max(TimeGenerated,Status, Severity, Owner, AdditionalData) by IncidentNumber\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| summarize dcount(IncidentNumber) by Severity",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| summarize arg_max(TimeGenerated,Status, Severity, Owner, AdditionalData) by IncidentNumber\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize dcount(IncidentNumber) by Severity",
|
||||
"size": 1,
|
||||
"title": "Incidents created by severity",
|
||||
"timeContext": {
|
||||
|
|
@ -404,7 +404,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| summarize count() by case(tostring(Owner)==\"\", \"Unassigned\",tostring(Owner))\n\n",
|
||||
"query": "SecurityIncident\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize count() by case(tostring(Owner)==\"\", \"Unassigned\",tostring(Owner))\n\n",
|
||||
"size": 1,
|
||||
"title": "Incidents created by owner",
|
||||
"timeContext": {
|
||||
|
|
@ -446,7 +446,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| summarize count() by Status\n",
|
||||
"query": "SecurityIncident\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize count() by Status\n",
|
||||
"size": 1,
|
||||
"title": "Incidents created by status",
|
||||
"timeContext": {
|
||||
|
|
@ -522,7 +522,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\n| summarize 50th_Percentile=percentile(TimeToTriage, 50) \n",
|
||||
"query": "SecurityIncident\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\n| summarize 50th_Percentile=percentile(TimeToTriage, 50) \n",
|
||||
"size": 1,
|
||||
"title": "Mean time to triage",
|
||||
"timeContext": {
|
||||
|
|
@ -565,7 +565,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident\n| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| summarize arg_max(TimeGenerated,*) by IncidentNumber \n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\n| summarize 50th_Percentile=percentile(TimeToClosure, 50)",
|
||||
"query": "SecurityIncident\n| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize arg_max(TimeGenerated,*) by IncidentNumber \n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\n| summarize 50th_Percentile=percentile(TimeToClosure, 50)",
|
||||
"size": 1,
|
||||
"title": "Mean time to closure ",
|
||||
"timeContext": {
|
||||
|
|
@ -635,7 +635,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| summarize Incidents=dcount(IncidentNumber) by Severity, bin(CreatedTime, 1d)",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize Incidents=dcount(IncidentNumber) by Severity, bin(CreatedTime, 1d)",
|
||||
"size": 1,
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
|
|
@ -671,7 +671,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| summarize Incidents=dcount(IncidentNumber) by case(tostring(Owner)==\"\", \"Unassigned\",tostring(Owner)), bin(CreatedTime, 1d)\n",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize Incidents=dcount(IncidentNumber) by case(tostring(Owner)==\"\", \"Unassigned\",tostring(Owner)), bin(CreatedTime, 1d)\n",
|
||||
"size": 1,
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
|
|
@ -707,7 +707,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| summarize Incidents=dcount(IncidentNumber) by Status, bin(CreatedTime, 1d)",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize Incidents=dcount(IncidentNumber) by Status, bin(CreatedTime, 1d)",
|
||||
"size": 1,
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
|
|
@ -750,7 +750,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| summarize Incidents=dcount(IncidentNumber) by tostring(Product), bin(CreatedTime, 1d)",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize Incidents=dcount(IncidentNumber) by tostring(Product), bin(CreatedTime, 1d)",
|
||||
"size": 1,
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
|
|
@ -793,7 +793,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| mvexpand Tactics to typeof(string)\n| summarize Incidents=dcount(IncidentNumber) by Tactics, bin(CreatedTime, 1d)",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| mvexpand Tactics to typeof(string)\n| summarize Incidents=dcount(IncidentNumber) by Tactics, bin(CreatedTime, 1d)",
|
||||
"size": 1,
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
|
|
@ -829,7 +829,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| extend Tags = extract_all('labelName\":\"(.*?)\"',tostring(Labels))\n| mvexpand Tags to typeof(string)\n| summarize Incidents=dcount(IncidentNumber) by Tags, bin(CreatedTime, 1d)",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| extend Tags = extract_all('labelName\":\"(.*?)\"',tostring(Labels))\n| mvexpand Tags to typeof(string)\n| summarize Incidents=dcount(IncidentNumber) by Tags, bin(CreatedTime, 1d)",
|
||||
"size": 1,
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
|
|
@ -865,7 +865,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData,CreatedTime) by IncidentNumber, Title\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| summarize count() by bin(CreatedTime, 1h), Title\n| order by count_ desc",
|
||||
"query": "SecurityIncident \n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData,CreatedTime) by IncidentNumber, Title\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize count() by bin(CreatedTime, 1h), Title\n| order by count_ desc",
|
||||
"size": 1,
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
|
|
@ -926,7 +926,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\n| summarize 5th_Percentile=max_of(percentile(TimeToTriage, 5),0),50th_Percentile=percentile(TimeToTriage, 50), 90th_Percentile=percentile(TimeToTriage, 90),99th_Percentile=percentile(TimeToTriage, 99) by bin(FirstModifiedTime, 1d)\n",
|
||||
"query": "SecurityIncident\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\n| summarize 5th_Percentile=max_of(percentile(TimeToTriage, 5),0),50th_Percentile=percentile(TimeToTriage, 50), 90th_Percentile=percentile(TimeToTriage, 90),99th_Percentile=percentile(TimeToTriage, 99) by bin(FirstModifiedTime, 1d)\n",
|
||||
"size": 1,
|
||||
"aggregation": 3,
|
||||
"timeContext": {
|
||||
|
|
@ -989,7 +989,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident\n| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\n| summarize 5th_Percentile=percentile(TimeToClosure, 5),50th_Percentile=percentile(TimeToClosure, 50), 90th_Percentile=percentile(TimeToClosure, 90),99th_Percentile=percentile(TimeToClosure, 99) by bin(ClosedTime, 1d)\n",
|
||||
"query": "SecurityIncident\n| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\n| summarize 5th_Percentile=percentile(TimeToClosure, 5),50th_Percentile=percentile(TimeToClosure, 50), 90th_Percentile=percentile(TimeToClosure, 90),99th_Percentile=percentile(TimeToClosure, 99) by bin(ClosedTime, 1d)\n",
|
||||
"size": 1,
|
||||
"aggregation": 3,
|
||||
"timeContext": {
|
||||
|
|
@ -1070,7 +1070,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n|where Status == 'Closed' \n| extend Ownerr = case(tostring(Owner)==\"\", \"Unassigned\",tostring(Owner))\n| summarize arg_min(LastModifiedTime,*) by IncidentNumber, Owner = Ownerr\n| extend TimeToTriage = LastModifiedTime - CreatedTime, Owner\n| summarize avg(TimeToTriage/1h) by Owner\n",
|
||||
"query": "SecurityIncident\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n|where Status == 'Closed' \n| extend Ownerr = case(tostring(Owner)==\"\", \"Unassigned\",tostring(Owner))\n| summarize arg_min(LastModifiedTime,*) by IncidentNumber, Owner = Ownerr\n| extend TimeToTriage = LastModifiedTime - CreatedTime, Owner\n| summarize avg(TimeToTriage/1h) by Owner\n",
|
||||
"size": 4,
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
|
|
@ -1150,7 +1150,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| summarize arg_max(FirstModifiedTime,*) by IncidentNumber \n| extend TimeToTriage = FirstModifiedTime - CreatedTime\n| extend MinToTriage = TimeToTriage/1h\n| summarize avg(TimeToTriage/1h) by owner=case(tostring(Owner)==\"\", \"Unassigned\",tostring(Owner))\n\n",
|
||||
"query": "SecurityIncident\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize arg_max(FirstModifiedTime,*) by IncidentNumber \n| extend TimeToTriage = FirstModifiedTime - CreatedTime\n| extend MinToTriage = TimeToTriage/1h\n| summarize avg(TimeToTriage/1h) by owner=case(tostring(Owner)==\"\", \"Unassigned\",tostring(Owner))\n\n",
|
||||
"size": 4,
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
|
|
@ -1229,7 +1229,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\n| where ModifiedBy !in(\"Alert Grouping\",\"Fusion\",\"Incident created from alert\")\n| where ModifiedBy !contains(\"Automation rule\")\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| summarize count() by ModifiedBy\n",
|
||||
"query": "SecurityIncident\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\n| where ModifiedBy !in(\"Alert Grouping\",\"Fusion\",\"Incident created from alert\")\n| where ModifiedBy !contains(\"Automation rule\")\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize count() by ModifiedBy\n",
|
||||
"size": 4,
|
||||
"timeContext": {
|
||||
"durationMs": 2592000000
|
||||
|
|
@ -1303,7 +1303,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| order by LastModifiedTime \n| project LastModifiedTime,IncidentNumber, Title, Product, IncidentUrl, ModifiedBy,Status, Severity, Owner\n| take 250\n\n\n",
|
||||
"query": "SecurityIncident\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| order by LastModifiedTime \n| project LastModifiedTime,IncidentNumber, Title, Product, IncidentUrl, ModifiedBy,Status, Severity, Owner\n| take 250\n\n\n",
|
||||
"size": 1,
|
||||
"timeContext": {
|
||||
"durationMs": 86400000
|
||||
|
|
@ -1415,7 +1415,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| where Status == 'Closed'\n| order by LastModifiedTime \n| project LastModifiedTime,IncidentNumber, Title, Classification, ClassificationReason,ClassificationComment, Product, IncidentUrl, ModifiedBy,Status, Severity,Owner\n| take 250\n\n\n",
|
||||
"query": "SecurityIncident\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| where Status == 'Closed'\n| order by LastModifiedTime \n| project LastModifiedTime,IncidentNumber, Title, Classification, ClassificationReason,ClassificationComment, Product, IncidentUrl, ModifiedBy,Status, Severity,Owner\n| take 250\n\n\n",
|
||||
"size": 1,
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче