From 47e22c57bf57b7e20abc7837b90787a370732ddf Mon Sep 17 00:00:00 2001
From: NikTripathi
Date: Mon, 23 May 2022 19:33:43 +0530
Subject: [PATCH] Infoblox CDC connectivity criteria change.
---
 .../InfobloxCloudDataConnector.json | 2 +-
 .../Data/Solution_Infoblox.json | 5 +-
 .../Package/2.0.1.zip | Bin 0 -> 22525 bytes
 .../Package/createUiDefinition.json | 43 +++-
 .../Package/mainTemplate.json | 220 +++++++++++++++---
 .../input/Solution_Infoblox.json | 23 ++
 ...TOTThreatMonitoringwithDefenderforIoT.json | 33 ---
 ...turityModelForEventLogManagementM2131.json | 34 ---
 .../Solution_ThreatAnalysis&Response.json | 14 --
 .../input/Solution_ZeroTrust(TIC3.0).json | 22 --
 10 files changed, 242 insertions(+), 154 deletions(-)
 create mode 100644 Solutions/Infoblox Cloud Data Connector/Package/2.0.1.zip
 create mode 100644 Tools/Create-Azure-Sentinel-Solution/input/Solution_Infoblox.json
 delete mode 100644 Tools/Create-Azure-Sentinel-Solution/input/Solution_IoTOTThreatMonitoringwithDefenderforIoT.json
 delete mode 100644 Tools/Create-Azure-Sentinel-Solution/input/Solution_MaturityModelForEventLogManagementM2131.json
 delete mode 100644 Tools/Create-Azure-Sentinel-Solution/input/Solution_ThreatAnalysis&Response.json
 delete mode 100644 Tools/Create-Azure-Sentinel-Solution/input/Solution_ZeroTrust(TIC3.0).json
diff --git a/Solutions/Infoblox Cloud Data Connector/Data Connectors/InfobloxCloudDataConnector.json b/Solutions/Infoblox Cloud Data Connector/Data Connectors/InfobloxCloudDataConnector.json
index c327fb4b31..9da6517d26 100644
--- a/Solutions/Infoblox Cloud Data Connector/Data Connectors/InfobloxCloudDataConnector.json
+++ b/Solutions/Infoblox Cloud Data Connector/Data Connectors/InfobloxCloudDataConnector.json
@@ -51,7 +51,7 @@
 {
 "type": "IsConnectedQuery",
 "value": [
- "InfobloxCDC\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
+ "InfobloxCDC\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)"
 ]
 }
 ],
diff --git a/Solutions/Infoblox Cloud Data Connector/Data/Solution_Infoblox.json b/Solutions/Infoblox Cloud Data Connector/Data/Solution_Infoblox.json
index c4070826d5..ea20628f41 100644
--- a/Solutions/Infoblox Cloud Data Connector/Data/Solution_Infoblox.json
+++ b/Solutions/Infoblox Cloud Data Connector/Data/Solution_Infoblox.json
@@ -13,8 +13,11 @@
 "Data Connectors": [
 "Data Connectors/InfobloxCloudDataConnector.json"
 ],
+ "Parsers": [
+ "Parsers/InfobloxCDC.txt"
+ ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\azure\\Solutions\\Infoblox Cloud Data Connector",
- "Version": "1.1.0"
+ "Version": "2.0.1"
 }
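Review bot: The connectivity query still computes `max(TimeGenerated)` over everything `InfobloxCDC` returns, so with a 3-day criterion each connector-page check scans the whole retention window to answer a question about the last three days; adding `| where TimeGenerated > ago(3d)` before the `summarize` bounds the scan, though an empty window then yields a null rather than a false `IsConnected`, and how the connector page evaluates that should be confirmed before changing it. Tightening the window from 30d to 3d also means a feed that goes silent for up to three days still shows as connected, which is a defensible trade-off but belongs in the connector's instructions so operators know the criterion. `InfobloxCDC` presumably resolves to the parser function this commit registers as `Parsers/InfobloxCDC.txt` in Solution_Infoblox.json, so the check is expected to report not connected (or error) whenever the parser is missing from the workspace; that dependency is worth a sentence in the same place.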
diff --git a/Solutions/Infoblox Cloud Data Connector/Package/2.0.1.zip b/Solutions/Infoblox Cloud Data Connector/Package/2.0.1.zip new file mode 100644 index 0000000000000000000000000000000000000000..d36246d5b4a4d542be1292fd48ee29850d4b772a GIT binary patch literal 22525 zcmV)NK)1h8O9KQH000080D+sgRL~L=50MK10BMtB zX>V>WYIARH-CBEZ8#faF|A6}rgsy<4Kw8-jdXM1J!e{3a1F_?a-R7>gVNko2mNm89 zl3dA3&fooJhWpg6AIhUmFDTM1mz){S^Eb2l@W($e*89eWv6%DTGuDfpOYO7q*slb0 zp75ENi^K)|eP%=u>UsXoj<F6V{_oK#EXqWvF(?a!9KY5xZO1a1>WR`fR|*~jyO>?{*iuF=2Ks;bHobwz zSjbuI%IEJcl8fZYlf!wcjpK=X_T&k>I*X-cr3P8Si=Aqfq2vr+hnX?3u2xJYEX^iL zhAh`$z=*&UG!CNT=G5qgj6?*&xL9Y7aRzr=$WSmP7C@QLj38GSGO!_&Zp*SnJ7xr2 z9MYe$T?az$2$^%iC{KM@p3=`2>3TKUkC=Owa&mf zcoXuJPox6Z5gxGjT~|s4}vRiu4C;)ZYcq5=6r=0J-<%$5{+Xs zQD=D#v1Z3Mx1!CBXlb|KJYcC;p-g7XY39&=g|&wa*Cos!M1H$OuT1mJg#vOPFT$G2u zWD<o;f|wRR$rr(wU*%HsuiA81ESD zpbiCOMXK})U7A7CN(1lAP0L&K>zyHc^5ldYP*?T*u8^Tz*~>*?Z!;xm`6-e-e=WF4 zd<63erknPCTj4>0S;WYI{g<_=lv=+3a2a5c4hOwqE&1DQQqTUix&SYM0O&3hC*Fco zch2iOSiP#ffq?Z|KPt=Uxa3^tde=d&4ik&n(2h%c*>PHMA9JXrjud+jwFU_?&OMu< zM#+$NPL*ETUVYABPnbINeR2S4{j&8dC0%3rRB0=T#m5eYD3nJjhg3W}3`ogA0 z&ndPsEK8rRT(=?JZR1kCg|u>_L{akZ5WO(yOQW;2B|qd$y?k*aG2}>_RM@Ql@N-~Xw^KWwK|h{i=MCT zQXw>AlU1cLOqGxv1>Ol$0V?-xt^-C&fb@rHTSN`okY^%U0HX650X5TCBAL0k-%w(I z5a105!|lOkuc>ON0@igoNvsi?^YkDRCJQov3;1BN6uLmbElF@Lh77dRLpznDq zM>({7zPr7gemya~yK0qWu#0N&F2T;-*yA_`Zh12+&*Oaz5#pw9aTJFVf#+M28t$s2bLcUS+UmXe*@Uimrl%y zPKtG^pL@~PhYPRsi{7(~-qw)eHaazATNl0IMUN!uetWwGq%YU}6nz_NcGS)hb&XXi zslF+9w96uUVAXvvd0H488!#K)Z^K2qHC+aPSb1?bk%kLvxKcbR&we_0$nyt}DPp zIg72H@aURyzy!O5P{;*f&YWob29D&o=L+MzeZtLq?b00dnpV24KQ>GC<2-3ZA#8qS ze-a(;#CVHj-0llMt$-0;tO+wuGCim$c?nq@`BMfbD^FG;(?b|6>50q1}U*R`5Bn zvwmVwc4nYS2{wSc4OyJw9pE1_38CyJ2qPBQlg+AzsBH3V2p2F?Q(d@@+LHE!(cMr1PNfUTq2o-HBZrL{J-34hqHvSyKKepX03)zHKgi9yRZN zm1@p~#Ezow_Mb=DIq?xv9u<@~Qg-!FHd7Dd%T~|UM2zj%0Fz(mJDRvGH3Bdh&Kq(l zUsWGWUUxKzy;NJ*Ja?dzdiT|UIZbTQE#ao9qLl1c&i@b1Sc{ra$``Qm!nHZiQ~|!m zf(n3Q!7afLa?g5Zr3Tl^d}f382(iz~bG?ya%m6`VT;<~{OOud$i2w3b?mON!arSl 
zZ%N)6UbJ=d5Tj%FgqbIshuTYlEp4bY0xJcgFhDc0$w1d9kPR0 z`zO`#cy0V!Vi>U~piutlqqs9pu+fX@`vrJ*EL55Y8dU3&y&qxwskKD}=rAfV^d9IV z4h(>9>cHtbQ8D+fSdeIN5eH~3Dn_=6hPtjZ%fgr=reu17kWH{Tt}orTjPW@8 z)5_-d*EgMqs$NvuRPhx%zKeV$raV)QCI%b(JyEC)J_>Gl8OpWw;?|Lx*uB$?a?e_q z-$8~p&BP4~an48Yw?}{58~t?oVQ0Ae?VoSI>EaAW7G-HY0_@Faq<|CuJx5@E&4)eY ztz@9bI6!mZvi`U^3@L}N-7sXY^YzEVkWOZw2t&Fh+!ThCl6|Exq>zsp{3h`5l*6~M zt9;Ut4K$zy;tea-xfjC*KZfwbhDciE5kZNML@|A+Cj0(i zG1Gwj`tbu46v&fXEjU;_S#9>HBwQ!92W@(eo2Rf1^@eR|E>L z>OZS^AWM7%=qc3tML^Gpy^^z-9cS|i7zzA=9`h3antqjlkU)Yx4@fu788uP;SWHx2 z>^H+i6!+8v2n_A|#DzTCLz?o-Z4BwLh*dn`7?u#ncDJ`#jC%8almD9I?a5DsX;63l zyFgPcogE;%9iW~8m>~cL?LdYzCpcvByM+IE9>yZd@HYnjmnZ0&@;wIQNbh5})9R$NxTfbF_DOOt7>7q+iercmE%}5OrlrU16O`bTXn(PXx{Z@=E^`h2N3C zJ^h0I*2;8%ptWOURQx^8m-4o!zjtrj>BxA#gS#)+4Llx_{&#JYT+8650Qv#=qpE*< z=d2zo?C$?jenQllOS5JpQ+=o&)qbwgJD*BpUH>D$&capupYVlt2>ldSwm3nbSPS;c ziu2m1T>2ba+@bL)w%52>@z8H<`o}jO@{s0a6Kr!X6pt-;JH33-% z{(}Gh2T)4`1QY-O00;mkoVQerf#N)FO8@}vC<6cy0001OVQFquWo>Y5VRU6KYIARH z>^*67+qjb7w`%_b%CkFmQlc&Dw6dG2^^wChj^k&0X0|p?Wgrrg@Jx{kk2ro_?{D93 z03<<*lqg$H;(2r`wuqzA0QyD~y8YLGA!Os<0&BvibmIltn1tahc(Jo1OSY%frDHZ_ zZn#bV5&3M}@}{aT*l9J*fzj+3O>@U)GsnBZb{A|qb7;u6{~mbmPa6#}faSR%)cwx< zfO{^EV{SL`pQ@j-klHjv3~sRiif9y0JRh5$@T&=T$c4{mG@Ni^kS~TCs;B>&a?AGu zZxkYG5}X)tipT`m|J-w;5QZh8LXC_(pB%X(Z|Hbm$${fVHaUdR$${s(%nD&x1al{G zn^B(vet^1$o#RC!K6N!Ew zd=_|-Z?QMN7tOYwZO5a0)M3pnm4X#mup|nnjT0{f4qF-TvGrN zFtc)Mt2E_5;_-+JhzgcC_Qqt-rOr*rtpN6t`HY+c7jc(4xTygPqgm+$0K$}pA+s;| zl%06j_uIM;QD{Nute-M=WJYd{U+k}R(3AM;-K0Te-k(pZi_8L){4=rFb~}7`^{vrxLniRPGU-| zG%cz~^#|V`)RuPS08vth`62P)^U^uB{(^IA|Appc#iaibp6U9_=x^*EAIdVti$ge4#$4Lx<`1NX(uGhX?!S#o-@{cRnRd^rAwWcygbX zw!}S2(Ae5s)?O3ki7+yxI^EE;Z{GajV7_eb%zW<)2YVved6$@a?`O;xDwR4%ZotQr zFxW{HXt0x2ze$DAzsV$v5Ygt8tJbFwPuF-0BcDXmA@kpl@bksQXEZ!!Uzqc^2rM8L z90Cp&=)_O4UZu`iB)4uYVCJ^$A;3y@^#LH4uG-0eAHILLcXV=ia(>2wndb)gShJOY zEMBpdKvh|z(n5%qw#Rno-pyg1q138G;l z^ieA4&mdp)$0NJ3xswq<*dZ^GP}VorE0RjUoii))d3ck+LY0;nTzPmob(9r!#fzkE 
z$XtUWLKJr2p^ijq{=KNyY+k=ChFPd$%Dd#XjPxYIk3*NhwQe%BvBJiY<;p};fS*pO zAF%A2q@_hFR_jrsR8NHe570G{KxDbQnXeaL>>m(!wf<5Nc;s0QQ z!f~wI%Z)D*?aPf9ml)PzILwZ@-MrjrTyF4?O#`U<01a_V;G+q}D&7W9P>z8((fgO@ z&rjZ8yn6BcIk}jCKc9NYf=2@4xr8FdfCm}U08C*~@@o`;+x$9mtxyF=uqUAbVP9uL zMiUUuXgPm){#+y5=g&WG#qmUXMYpHHPN2dGMmawl5`kxWFbP930REbX6Je|GVJtF@ zO~ettZLuanc;hfJVdRI)jXNmAT@ghg`x?T|4APe8ECeXyKrYsl`eQDat4W%q)tr4L zu+(>VjVderlNMGyJRqRSzP@)EIXpZfKNG3y$RQgsumVVIC0}0pmzS>m{S*F>H!Orz zw;T`m!NCoJZa2V-DZrC+BGlzhY*awIanK-#Zx2qzM?zgYKVqPC3IT2Fh6FXrHqnRA zQU!eGI7t;xnJ{NYzVILt6q=y&8PO21kRV|1LgJ0YCM^sZY?DKuJC5yLyK-t00wA3Z zA<%?Lg+5YeL)22&n^J%m5Nkr+F$1Cn1|cDE)V4mA^Jq5nd?d{nQHjO55NWtX1a~ud zA)7zXuT^e!kG*k8L-qKYF<_v#JPh=i_Jb&Rj)Zk7 zbIjeVBM>Z!lu0=%q{BcIInX8+Jlqy_qn5>5BYS9=%?>p>o&Lxec3MNDXPf4rZPMmo zG!lI+<~YI$7TvyZcAbE{0OVOH$`i?%R36hIb3`4||Ic#m-UH?d2(aih2&Ju(=^#{G z-gFY3-mpW5R@Z2oy`j;u`dwppFzg#$Yh<=NcF!ITn`@dxY~n4NLP?ti6WBF-J+nLL z813%BG&&>JGia}G8^hj!vTm0SN4@@UIXKM1ue#{6M!P+2U%-%yp%%HJA!unmgRORnvv(ij6}A~6}edm{Xl zNUt$ICFI6zE~Ja7TFD&*5}8xa*`+D*M!+lZ)bVgAtzSV$u;8B0VagO2A@(eUPXV5X za2*rdK2U^ci(xS(ff4Y(VIN~!oO(e>CSXr*gXif(3AhM}#~{WV;_1Aw=8sMZwQbmPBTut>qB`Y1_dMP1PoUZ=@WfL(ffnkNQ{o$ ziY<|VFR}7c0*5~hBI+cnab0eo6H6L>G_k8N*h1joK1ks6uw(xlW!BFm3G7R-66!}e zYmjCKxaVKho|kCYOv~54H%+$bGH0iJE5%f-fqL-&z?Z=g^6sVY=3tKNO{2YM*7vMGp44XN8 z%HvIKNURm7d{7@>yZ|9}x$&`4#4;e|xZJlhwY%@-;YKk4X?yPJUImIYp|2j!d?!15 z_-7d#VHl`NyJPRVO0##M@SKD2qi40isAvsa#?S&nHM`cxV%^S&b?kePrxd0K4h@0@vR2f8S8B~r zpoa7u>1lO>=2Sgcuzv@nh}bOhQg7BEV!lvl(SU8~0A9Wn!VCXPTSE!fhTi{KP1pCK z>(%IVPk1RsBr0njn>e4aEuhj|QX)xvsZ^lXRi(}N+E%_4=WCT^V$ z3opY5%6nYZ9Z`R>PD#75*eS_Kgj7p7EF?il{ZPcwUXt5nS6_(YyZ?}+gYB4W&$oiY zxXsQEdCg@^>%yA_B<%^0&}&M=I00a*)RscXZU zWOJ_kh2W68O;k&I5F`t}!1m(q|G_YcB`V>^?O-1Z8*HY})dtqwHho^HAD5k1T3!wO zIiJoPKH`{uhLI^L_vJ{McF0a{-#qmkZr!NH6B>N70x^c(Mwm%-o&lqMj?==*~J>s=o85sJPBBx((%9v zX&r-gDo_`ClJfB+|J3n9LCtuQ?}xHuP4+d}uZ!$sq7>8E0=j#aP<>3d8LDc`(LKH? 
zWCSwIcj1N9d6{sDQs*GGn|MHxB~S5I*qo+7>dz?#P%Uhx7mj_(-Me`nly(}h>7}$h zLmn#KkE-K54ugwOK0;GE*72k%;>Tftg{Dn<6u6RQvqrlDb-#Y5B)Si&FC~PWLH?Kp zt=E0wnO!R5HC~?sUERZCL{s-24J~<^bI5{F994jk>jv6Uew?L;;7nW!JOx__N(#mK z&aI>%wakTe1S(&-12hWb3^kE3{#rDb?IM@sC$kT=o(^D2zw&7`J?CQ=c-EqBc*w^X z)s|L{s($TL!D&fd>kfX9EO0TiYiOa+VDIsiMVvL^u-%4S+haBcQoW4NMH{+bUqX8; z98w;D1i6xFhLX>bTk-ryV5!bzfN@51XF%e>QgoR+*AvWAAq&v#uf;~Jl~%2^9dBni#1E(P)uNk5$x6rSJ$}l!($)TQV?dVt7D#PbW*q3{2lBNHC`IL{ z*PO5r6=8$yCC3e~zJdrq2*_pu%o0p&`G`z`602jmq7 z!>g03pzHZ%`K5H-cbjWi^>XmtQt+!0PWcGtW3yT53|8i`2M}kYx&!qAjTl|v!lOJc zmb6{y3?s8F>`EI!evw83!uUSCj>s3!VA}D29ESV!2K`ZmR<*T6zoHP`V{d#8YvgmqoZm_e5ZZecr3^OiKoF)&!>HMVq1o6P~<4H!F(>&SjRIcwv%U zB36IC>%-DhL^2Ne5T{~e;?PwRhM9A5et@9L0tfu?kvf zioYp8UN6e_!<(HBJR3^D%MU$Z?b=zco#o}qvv!s%4^unKwX?ir)oW+D(ijgQ&PH{6 zyLOgqXSsHkYiIdhT>5mJ;Jj!)Mi#&_mdb%^WNHR>dXf3hTpk`zFO!2-Kz zx72H+MK$`{quTxznUJz+6ctNB9m-N+90)-wxfUtH!nrz`e-T*6{V|0(XD`y~hHH}}f*uJainx|;n9DxVTY(ACb8OOq}p zOn$EmaN}&EE=h_)F27kr#Lf2oD8MhP*j6_zVN}ibY5L_A;k8F*9>+us^?iL3Sp3y6 zEKSnzT<1o9i_0~4Z5RqWz#!XX|Ax3;NaWqJ7|)~bP2A|li-<*CLY+W?q>iJ5#W54s zRWR_|*F#Z*p~d+xl#!B8{$6y`QxRp9UQSw#EDFCwvbGg!Tj6Qg3WXv4!gM^wLs7F)n7&x$#-^eiN$ZEZUaD7LFZIN)mui(8UF%b=g>vNEURbrx zd;x5O4Mw;y(8`?Di3GKU@MBsCvVnG4c#-T|d~x_9dt&J&;)TQ2Ndq(d_T=;5BYaO|dUgFP zba}2;Ab6LPwzX=mRdWT^JZGrtTC1I56U870$qS~7b<#aAS9xr$gNi07Q91M4<$EZN zyGD`n%YL^+b}!c8*4L7#mP9Kc_ZX7szL#aq<5J&X%~!tFYw4w2Id7))I<8013H60r zQaw!`@qUu}!mY}~)E91Lr0KV$-}=I>9j~y{t;9b}EPbWn`%Kg)|!+Tph zytTvo;8ALaw|02%HA3z1)(&s&@YW9R;sI)hw;GrJSPt*qH*+%O<;;z>IhpCj&8s`g z_sF7JA%*E42;m!wt1PC%MEhp#qV$DKHHybaN%Sg6*IM)jDbbNjxP|DMo%n90_#oal zeZxXRiRF0U<`M@mBis!=@Xl#Sz39r>8XM{J)vj_qB$BGDVMv^6Y+3rMzXnI4{fBlI1;VkC%skry5y(vG9f zuVJPmaD*8^_htw@P_NAnsda_TwL}2K(Ivq(2YG-qi-`>Qj^G9a+qum~aR|)N%Wm>u z(H{T$|LuKyR~t!|=l^@oeuo%prVNx4B=L5)YX$@E;*1MafV+3sczlw~6y#Va)ykAH zTkG$>_r@bLGBWZdrI5hEOuImecij8CkGOH;pM%&uPPt!V$`l()h2-_hf!p2R*>w-B zo9>olZSU6D3HDBdX$x9V*E#MVx!}SIz{`uavQi9|o|Mm52 zz$&m|S~||LV|U&K-{eFC(KNuW(gTY}PW=Xyt2}=>h3iV3o$#bOJXRJYp 
ztWww48Eu>X`IhFFx-OUXai*)hmg1aO6&j0EZ{;-pR`3YW!!{GAYtyeyx99KCO?E>4Z|8*)-dTGbm<>v$@(yj!?e|?@`4J6$?L$o zS=zh~(kY>a@KPslt^9MbpMK)WQh|?b+RP)eFJ>d9BjhJWz&-uUQ56=VWVgY2gZ^8T zqEtOS>TEZnd>Vmf1lsHZt+w_i057(h!pEOfolZDc;y(NO{@>qDBN85nMwA z!}?|}JTXbb8r7PWs@zSJR)q^t(i)rmA(d`rHGHW`NjgPC8u_-*PYp8Hu4tpt-5jIT z&9$q_-I!}v=Gs-ss+((9mHLp0GcJBz?_P$vRAnwznM+mXQq@#kx{Q~q6raIfn~%BP zt8uP8-NNfi+Um1Kv(VU`YS*=5<6#M07&Y^I%-`HK`97|5PHl~WY7Eo@t$!M|))=Vu zdNBs7F;J)K!5FB@%$-YJg-hM**L|$ zrEoBCp=x3zevBB2k|$TH`;T;Sja7X=dSA~}5s<8-kVPsXj698JYIFdj1BeRJJys$Ai|?+AQle1lebu;Gb4S(i$+P7XLB-WCvZ{=- z$jhtgvE=LHD4cR-b?OT1Ty%3RYF;aUNm?g-uesG4R(h4Zzzx`}c3P3@Q+~Q`t3dgz zow>F!%D_BOZshI{D0k=gVEL5NY2JdT=)v+Q5DK^&S>cw>E0A9328?k7I|g=Y3~uSJ z4`v5st`z#U13xRqZ7OChAF&~ZjXw1iQ2r%X&eqhYUAJKfQ@`!hy`8dmi-BSe^)d=dD zVn{PQ+07@T8*J)p1jD%mK4}7&3ZLwL3nt+CP#l7j%qz#|FdDiZ)Z|M)-;H5j1Ac5y zO(a5}?|uZEDzDv8wCmcDoqEzhSu_L@AglfKVm12|@Xk%w>+H9;E&IUUwYG2ecddPU z*R#5NeYb7jw7Um443;bPl0?5H3Pi$%$sHWNB8h^*=Z17J#an*nDd5s_Kg3hOof~J* z?(`2Vck9Nrw!L=Wy4kTkYuk19Z|r@$v%R}D1u@65Gzt~t=M7LVjY!EO;0mrq^AvES z1l4NPN0uT_SV*_q*|&D~oVK;SYgju647&1M0%wzGEHi?%!B@eY?MR;B-6A z_Q7@jW510uPsJy8pW1?Y+5^%2!%j+!z5j#%Q5uv$--KpYZhlEavlC^(Wj8hA8@~)Z zbvHIX41FLxa(WNEgha)!UsZsY?X9WMr9r-LT^C;7$eyK2KC>?Mnc+G9+egl{$iV;U zrCCsQ>SKj-el4TJTtu_B(Yn@LGs)g#tbaX`5y9v9$|?3;_eu)$BC~^-qKhe+gce(A zWhIx)78gHa;PMBDOLfuH5i-IE8hiJk34C@2K9c2ivuOLaLr#V+O9Dr0We*Ko&mM=D z3*FesiiOVY)LExL{L(DMrT5n0oWZ#T;amo&bf=l+pv8S+r$g6w@NC!Uh}HDF=b$52 zONvnsQSa?rJm+r&R5i3`0M!8MvH)tvD_#LdX=!6Sp>>vkIc|rLMcWSsh#G4gB4ZjfR_ZEI(L@C-fm{$$2UJ~XNDTz(s zUpdJc5d6_W@U4i7DThHh!e(k1r2WODD4I0rR}Hy-0Q4Js?%Of0eG>?nOKk@DestiI zgZRp^PmT$k8v8_-K#HP01ANs$>&F1TCLm8wWCrh+0Pp5#j%ERs7Zz8OrUor+KzN#2 z%T$=21(A@h2Er=A&&z`_^%`@ds#_JhGpM!%s5WOUZb^?jau@wyq|S~GuRhb(k!0kB zFD;bQ;9;*<-k>NnHRPWKLyNs2Mc4y@Efc^vHz<_>6q<5>3mSpX%pMx7G+4Q8SgAun zW!W`FrpC1+AkW)i{74MAEdbnDZZVp1YW904MH_06&LG_qBVDY+z^R zV8HIFz%IwHCvqyz4tKe`Y7oyL-jX2R(X^NCDk2+o0)6#ubH#4axW-obqM1{RoNYD0 zW`J#}foF1k+ zF1nRGL$XqHTg|kHHI0g9aBgupcW;03tk4_#UdTxJjleF#bKSuwZ33OA38@e8B2m-p 
zFtW$dcM=8ihu+ZrPQu6=$sgX1ZGZSZ9~sj(jshTm+Vu;AM;mC!xq~&kUeO`Nu7VV~ zi(;U|K*xfhBctumbo{z(8N5OijL1$KOEKZi9)**Dpql~$Ooji_GpeK?rf5}DmQ+=! zT85H&XjRp3oFX(K+@x_KbaTc2%0d-RQT z@E`s^I#L6j20E7qIxj`KHVH1fMR2KFl%piU+G+0@1LloA=Bm+*sIjF(jnopQavrM~ z5WndnJ<*a1r@gN7zRHx)f{(e-1j=Of2)FAsx+=Cr4sz33^M7XgHEJ zk=N22_?vNg<);2$^3HN*&Fr+8K!{Gn1Q?Kf_;FqN-K6IzFK);7=#CG+zVX8RjW>QrYqBaJ z@A0?JUJIutwUs<#;d+jLZ!=DsgdWw;fE%xqmk;mlZ~pz{{@vK7;^El8rSVtP_~+kU z`nN-nQI0)~;;*;9=a`l)cEjsv?8AJ0`Lx3n44*FL`Pi2zeT(m+^yyV_drN&J z$&TU|&Kb0O$@Zs1?+;RhP45i$eS{w;-K#qwDdMx>aw!bd!IX;7Rj0`cfLo`zYEq(3 zi=~3CHfHj5r-yBK{#P&jU3h$U^ai2gRxeP78ZhCEF=ULP>nV&O`AqI=jCRoz9m*-@ z1QVJ%BSK~sHblnr&(V6op%l8CP*}b9Zs{b&J8*1w-s3(>g;AKWZ_W~g;h2{kT_#Yc zlobLdDJsborK|w^q-+Y~mC_QHXOB>I6=Ly}6qlvaCoQ_}X&;hIQ%QY?8$w2oqfPsC znE`79)=vo5+;gQ_b?&;-eIvgiD(yo{(+u|+v41gxv2=Ej_CRIp=2b#>lao^izK#OS zc{t90{Wt5zsxS=cLDrn}i~>g$1A*3@L<}PQ$+r=hhgZSLH-|nI8bA0sXXz8ak*GNw z7Pg;|EvlKQS!!%awi(+kt?|#G`-rwj0i5?to84*un>Ze=cs{(P?B%82`D-N8`!CdB zOxB61b$XP0HkT?cpjFFvQRH)I6}T(DfB#VPaH1xjdAb7N6p zF7{)k|6{ybrATJv)STs%ys4>3EdG%!nebl`YA9DMR_mmKg>EAHUFzRzjw8-?tupxk z!8}LCk7N8eFV2sX@Vas27~x)}VMdJJ9~yj&1oE;K4U2bXi9moLL})&FoP^%TIC0pgXv zdiSH~@z;j%Sk<00BsCxPnIddhNqsh2w2=ynmI`qefE1Y|M`pQBg)HTyat)*t4_rFI z*oz$z!LaYU-q7({+H_yK(2zN*2N|Z^PSa`;U(wo7p z>naHXX1dxtYZq|@&wO(!RJ&C?YcHiYjjMGqTgHZB%4L}Pl=SO|ZD5PI=d{t z=C1pGyMa~DZ+T{ z53#Hrr*)se4!?8?vQ~*(!Y+UX2=`;&u57O@Lb6 zqq7kqUa=nmjosM6Knpv;P*@Ou_e1~2AJAQ5!BtJQl2Q#-bjUm6HU)kS>k_*OU1x9j7eL0C1Eq z^{H7XS~HkgOU&w%wA!W9hQ$5=2O=Ek@$ATYe{y(vVjW$a9A2GF3HxW>gM8HWd}+@Z z)l*8Ld7Ok~sA{Q1Nj(;-eyX9&nyhl)+-Z-yf?p2O&s&pv%Hxe>JE6(RV89F3q;X}p zmz>}~^p2;O86QS2?OC4vOCV(>6{ZHkT|lr`42d&7LvpiRu}%QFSS% zo4OHW^%-NSnX6$jCa(N9%yG*s#bm!Wj9AZg_Sf6h2oGmh*#>;}``$M{jKWncF9!1- zK1D9U&sd%~{NLJI0h1oWbU}6CQRvtJ5dM&?h8`@6Yk0IGe=RkS0`Yv#kjRXTD(Co^ zfmzGRug;0p(r3v~8GIQ|uISRAk7S5Y4z45|%{#b?&5!4b7V|o}(yv|W$V#P8ZLSzR z0y}v@`C`gqK#@YVA-B8&g_?r&eBBfY;~lLF52h4S^Oi-(&W~8bXPWII2`))pJe0*m zyQP&9RdV6$?rrASW?TAR%;Ny^zM01XmgjMRe1MtqeSjYzkfEkDD2lXE9S{7DEf$+2 
z%+DLkQ|VX@oEtbdaNZD{OU|M+R6J*OIWIIgA1Fmk9X@CiS0Qm71DXaj4QLwB1H0gBloBhfdX42_Cvvj&bsi%XI1E;zbgRe>($WNu4j=ex0uNAq0 zAt3cbH?$EP2WpRsnHifCDSI={?klK_!VYZFUZ=ggf77w-{R7w9-fiz#``g=XYroy? z?;q@ScRSl#w1G;!q+(uhrD-wxRpR-fi*YXO4#rAsYTXvNOSK)VQSo68QO(8t!bw*H{GpIihY0{0-_CmOO^h zR4d6Yc+irpAX6EN&DZ_i?bv+fQEADv<&~klPS3mPS0jHgU?Q(Un>58h31I`bbhnn+ zC8NasrE|IP2t4+{Q;K`UJ5s3+pY)xk#L2^c`z;8gJV%c*AL#=gbgC5j@Bw=;j+j!S zZy867Ug@f#8yZJUycKc-j3dT4V#*=FIAZVv$ z0%uIhox;LD=J~J@I)C_MKsiqvX&(1k%GZwG(XB><6b-7_MaBL-0u%5y7(bFeFJ*&) zYLn25NYE#|P2#Xp+zcV($-oOqbZ1BLOGiwwfGOGcXjtVSn7Cwu*Po&QY|seJPPCU< zHzXW+4hAFPn@Qey2)*&HHpp9gi5GgIFDW@Fs&2V4*GlTKV5N|R6X%ZDAvr`H1C8dl z_%Jzn@CO5OAzgw{y!17~myu~;mgwN&&ci4hTKvHVdcmR44S~AQF#Vg3mF`14eONmv zM$jaO&R|@AUupwN^18631h&;45ReCelys2L=@7qhVY8#Vy|Ttck=)omw&U9C`M?&8UI+_kZRub{dw1vHX0OAXOO<+&@rF(15_EUmj+PvifFA-tpk4Qt`|pc`60!jVHIDuB4(H`N z9PlSg;KT+gioiY)<`Rkvuuud%CgsB;WkCQszZ96xPK#6+0WVJ7Dez}$XL0xqt#^c$ zUd5g`=}~f}Jxvj@@Z=E*8s-TJf_=Va>Pg%KLpjOu@QeN zfbd-uKt~bTX=j5Dwo0jPO3}H<5Q2gfX(`7rn^L*pRmE!c+mhkrro6fAwrbmITH066 z2-;FS>@CT;{m%CWt{CC%*dE;}i&0nY zMXF3Sr7PWL5=l|ofJSL+Dd4TWpz}7C8~Ov;?X=^qS?%kfzq8Zt^!rwSZ?6N|*G}Ks z@7f2}4*b*K?sj)Njx&Y!#U_NPrMrbA3;GJWR}u_$+;vbC(65^DVkQP`PrKNM}TwrOH4p{_|ZdVXQ>8_=pzj^<>nfKnke|+c6oO}K`f8Lpo zlD4;gsh6)7-3@<6rKo@Usjg{>c-#FwiTO>f!Y@hvN`jz7BK_{bnSFRkqzppx$oRPiF=#C z=lW%Dk&ueDt}DaU%LA0RsEqcoVzeN%b>LKqLE<(AtB4UCnXyQle=-!tyN4$&q&Y;# z)V@#0Hwz-zjiIz%3~?UJ`n0*FL)lDgxWTFhH> zE|_dQyi|#enJ1D6bA0EZ6?ugbR_6f+*hFVH_Oo*8=f#~pUy795B?@wf?XWYRfFtnF zdZ7!mP1b5_4SsP0c7il>zdB^(VveiawZEfY?3$4i)jD8IEX=a|>jvp}nlTNdjmI?E zvu~v2kd=D%E9^T02Bk2L2`5ApBOr}fYnjX!Kgcj zgg%esEW9oeTY{VQpwQNx+l;3lz1s&FW3Y0J1`jDOalcr@xGl;7oYA#~nqiWUP7EFp zZw-5ZC~WLl+T23>p9cpH6Vmv+ZC-z9yKK3qTPJDok-Y+$;nb+uTy-7UgWtTE-{hFF zsd6I_B?ruWH51uYG`XMlVsG!)IUoej*~w)@x~asQiE0<4k9 zRduve^<|xavR&j!{Ft=$19+7J5dO0u`n{Y?x;XRw=(A~qVN3oWe}-*l`R0tpi4326 zrf0`+%rqWrm`rvH91HQnEe2r>a9*}(wQAP-jq+Sy|sov?Zn4Y}sl_ zRd}{0+O(}xRnowx-^bPUS<^GP-sGjPvA^wyZJ0F8L&sSJUP7NBg{z#|jBz&(d{SMTgz7>%2>#gA`!R?f>=X04e;hw 
z2$G`)8DvCz4V?^d9rQa2$t!#(-e{@)*+<)L{#(M{R0m1ryUNt`rI(m!vjCwrR2w#L z?FCffI3lw3^Y8OciiIehS&0mh4Osc{cs}yGf_N(r-RF}R(47_#Ni$5H=P&DP{F2Fh zTK-7&F}jozAC~~*iV6wGTtBBNRt*eZ26?%+zt@LK!$k#PO_1AzX?c6Qs)TwcADPmf zt{0Xl)km{-vpsf30`KD$pH0NmR*XH`?p_{>4eT-yMI4%Gj+E!iHmv5bM620Q&(WkM?y{V#^9}AGb;bD5co4k^r;G_jo2MBg$D#3R@uO@%4$H+3A zcRUu%Gl&pzP8p_!hypznufcg2;$Ih!I9yX7GTnGbsyq!QvX!%NxgEb(z$Q=hLaow( zdYy*W!rcDbYyM0<{Zl2-7ZxFBFGXREl&Cq`@@iUlq>aY@d5kI|G_NGOZ&{2UpPx@&t!(sMy2V=)2lal=}4uXI&>i48i+g%2f_V z*cWWmvlJ}O=?~_Ful)08ioqG4zi>l7cyws*+q_r*^4dM@lj@t@yEITZ^6AkRl6Oa- zaQ{&1dRu=6=Ma%)8}e5omT6z6Qfuy>nLiUHdp$$FFYkrN^Tml`l{GkkqGg%_$NuY@ zlWM?2QJrO`mSMP^*s+I5nVM!*)|%PcK+5t*3i#rN(p3wHRXKh(Vl;5P>eX=PP9d=Zq0{K;vXV2#u}?r(7mRkG&`BpKCy zUC#sv4XBhHws>n=?3_kFY15pOdMsN{aTo!c-_fh^rk49wcDCz;hBU7TkmtV#{X(yy zh8GSy?#aSLQ&g6*4Q2MJBK-)f&#e`P&AG@WF3W($*flbnP*o3zcK zA0&;Nic_Pb)k%BEf3>E6ZcLqmk&ILDHuu2wJexq!J_#2uI$^uG13%bZe3- zdJqYE3d+use@#-lbILFpvM*Ka@6YEzg>T%c&96WzX-BgK1qgb`!5lZ z0cXOO)Ut8_;eBP^VW+|=wq(dvhYWqOx(V++_dRa;HQjYO)YLHCL{rpwq_#RS(}@mR zM7*tJ?IVMoyofV9e0vqCs|g8qgjzg8oEwk^>t-MZM2$=8g!F3_k>lcqZX7aDmz_bB zpo04*eJkz^VKC_JsP&*D8jout^Wr=CB)^sg>_LpG!UQj|)BO(i=3-#_d3yrwk%)kn zRKQ70!^YU4sRQtt-%f$0)l)$IkY+r0Lu$MsO^Z_2PC7Xg1oX3SlT3rXRLUr?YLa1l zi_BcEbAMv;#Z#_MU_1R>5guc5bkQqif(guJgg5*V&%2%E93OB^Oc~4}pFDZ}k;y*4 z^=Cq0q7JE8X*ZRkOj8DHehxF73DZ=WEO2{0iSuDN1HbTP@$%}QKeL{+Of+@1T04u` z-xO^IRQH5ox(35lGP4}*)Uf12nMtpx(ap^N0ja(>vnNxxDK6_+P1bzzWp4 z%&53AR@9fEr8JF%KVA82VrQy5V5Y2(TIA@ z(!n{F#EQ$2$DBpD#gbyeAR;zJnviP7PF~@Js0uuZI+|v~J}{2;+)zqJ`+p#kYiEtU z_s3(|N_76yP=$GA* zx%YpmqNd%8=o~t;0R;W-E$D3%j#Y;hqM+1enyW_i(WG{(+1i6~2Z_vwGuSiGrl+u@13ohs{j)hn|Kfzhz}R+=~l>Z>oU8^e~7_THmiM@Q_de=8y0q`dBH@_cpQ zt1(!N;GpFuKwIwpZNW*ppgapHYs!k+3?FXe;Sc@fPNL#{F~w!AdilJ$>$HJyR6Cn% z>xbKAna&Es??*h@8(CUr6CAX1Fs_ogZm|>(dr1UJ@4x22nyjI_^?hBp?qaX@>e+eM zVh5Oy_thp@`I}7amlS!g9{!e#(D?N|N)y7IzBZi_?=76QoA2Ua(WZT6x!%^M-DNC%?Ay*n3M4v=HWZe$HuWss^*T02)ZitKXgH`*S#%`9%r0${ zK|s_4w8@BdzrsNya`Rd*7Ov<4A=^6 z2?M>LYI*Cnn!p(LK#c8TQ=!E(LW4~#oS#$Hx$21r+ebzr^;uP=#9LR~?JFB;H#=rN 
zRXfj!_u>h)L_$e@&Ntkj-pi+&zvtiUpqZ!ugw)QK^kN3{@Q)f#dBnIlZxtSXr8dF^ zkkFU!S*tErQTFnt-prq!O|QJ&poPXdK~eMbi|+}UEs|lM3r61YGdy@htn8YSnQ9n-FL?m*dv>2pju!m)0vw$ ze)^MXOy;t5#m*kNCp=srw9gU#KJQkg_Kbc%LHkON{DNh3!}Kq|os>{;oJxbiIdOqy zQEgc5u<)OOVeL-t1&s*ZM~Gjn+2X-}gBv$9M7*VNiBmXl4i8fh2LoTd7xt#UKhPTU z8_+)L8vIJKI#xpZ^3%9U=QxP~N6*!!8H z{c{yopKmMI1H)iNFRJ;O2Vo~sPKjHsQQHeqe^T%wBmzIG3NR@(Xbj6h@cZ|5`;{4Y zg|E6huWQxZe+LD~+yIlY!JYo^oyv_wnKLHyLSA$>`a=NUBgx^I-sQds_Ohoz_=M!- zmo^=W$(`O4r0~Ow^gyrf zI~`@!HK-}@G%Q~S%zjQ9mG8T`#=EE2M8i-FqM~{JiSIyz!=@P<@zlCx5#xQ)zy&;z93YFOWSBFv{rue&#M1M;0O#dqia~3(f6!TT z{^J9ZO-@l&y+@>Uv|GV9>OyJ;adY;BVVW&ezH)%_wZ$&UH+Saha!KY9Ixb+T0(WoU zncuPLo36d+eBg`eFywiLYUkj*@p#qy4UQcfux)iX+vL2~H6tHQSfsxtlfIiuV zF**5?4gY=;bj?yVS`5Ln2)ee3k&QU7v?VwyMHCIo?OHKTZ4WwBt&o&GwN`XWagH3~ z%j*=Nhq;-de$A!CnhUbbNqBYMIW4ykd2f6m4is-=5?^Q)49gYHaxiMpKYn#@7V&OS z1(j|F^yohnpJfca%OMLhgjU?k{a6_;EI9ZaUp+u`PIdhxDPocp!QNd-f)qsPe>mDO zJRi{dylXPTjK+^tY0dtF&WQA6E~c5>DBz zL(C&y29ot&_g*-iL+@$Isf{eH?|(9`+0LV$us?q2>3%5Mzks=FUzcK6JBEdIgBHP2 z-!8f66n?tv`-c>K#wjKdr*Y1;z-R6QJNwk3dN|-GJwZ?5Ob)dC#8Yp_8S%)^IPtmU z%Kn(+Bo?hiVl1q6r%~*)<+^!9JR>CpRp!irPjj@MwX1Zd7rdr zA`I&0*|}VNY z5!{EB6wbesr5&QLj62-D$y0HD=W*g#;WxgLKH#@`w0jvsC&U^0{ ztAeKQ63=NeC0znq_Rj0tj!noq3OlxhMvF+PdIF%0);x;>+#M>`T;tT$&N0*}9*DEz zX6dLcip0nVs<%G@3Zmd0r7bqsu&PpdR^^W1px>oUtNP!vaTu-+>>8;&@_`v_Ne0@4 zI`gQq3CbT{5si?XxRVf}ZUBGupZHWrk~8y#*ehi6L0V~^_4B)chgyt5#PQ5Ok@J%X{ ze1Ne(A8uECdWLW!mOrqX!qGn4Z10b978b6y`^OP2mUdLlY()9Vjz$FXP)p{3k>UQ2 zUjGF+6w)q0dQR)z5;iPfLSG7Au;_HX|KQVI0HKe}kpNn5y`hnO+CZFILTq?Br6b<% zgK-Pyc1^Zsl#uqq86O6@|H|uTyGhiw4kn~Fy-nW9n1vtQp2c5acZTkRPO@}+YPGRd>w;fq#Ejkjm z?i>f7@9|8`Wz7<6Nt{NbnjGcY(vsx-Wa}o!=BKE}_E?-guiphiUTCDd3nh%FJ!4Q0 z{qA$I_-}nUiMO^bBm2t#e(O#j!awCc4mTo#GEj}w{b_r+ClPjy%t<;FpfYj%d}wBO zBqoTMP?U>q9)5s zF-2_>qfp}+GSUe?n0%Ku^aaOf=T=8vEm3Y$j6*7STa}E&J!}=5WVc6GDgr@g3s}sx z-0*2>40umAIbQw{X6HXPxI(9b-Y=Pyk;E@;j~ZuoCYHJ@^BYO?Z^ue90d?ZCxLt^O zj$0N1{6~sF^yw--`ZhE1AtWQkJwK@Q9W1bTs^aeP+<)Q~t1CoCOj5%d 
zS>ddUFON`#xlNp9Qm=~+emJKAbLcL!4!jRqG+fv_KzoVl;)P|bztD!;ko~}kvH}Of zp=#vcJc8zOE5P~Znp#>iWDTHXhJuyrX>QB(G1s1kj~a^PzM27@bN^?IDFxXm*HkKH zy|sYPTv=a^niE=6xnl)3=FIb7^lY5RPs63YV%QR}q)>(r19j6a@`7v=J)MwMy&oB|iRwxe8e_B4>fvz?HQm*g4 z`ov~gf|+GQKkcX!W*;`f|ESmF7+5iOjqNBaKjsZ#xfpPo%#$g4qKBBrDBp3U)3d?`|Bvkc6S{D4ahU%T|IYtI o?*7jq|CjOgpQryl1pUwN{a@mj9t1%6pBB7-H|k&7L;q9#7o~K+egFUf literal 0 HcmV?d00001 diff --git a/Solutions/Infoblox Cloud Data Connector/Package/createUiDefinition.json b/Solutions/Infoblox Cloud Data Connector/Package/createUiDefinition.json index fb68e92510..0055bbc93e 100644 --- a/Solutions/Infoblox Cloud Data Connector/Package/createUiDefinition.json +++ b/Solutions/Infoblox Cloud Data Connector/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Infoblox](https://www.infoblox.com/) cloud managed Data Connector (DC) is a utility designed to collect DNS query and response data and security logs and transfer the data to defined destinations such as the BloxOne Threat Defense Cloud, Infoblox NIOS reporting server, and syslog servers such as a SIEM (Security Information and Event Manager).\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. 
For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Infoblox](https://www.infoblox.com/) cloud managed Data Connector (DC) is a utility designed to collect DNS query and response data and security logs and transfer the data to defined destinations such as the BloxOne Threat Defense Cloud, Infoblox NIOS reporting server, and syslog servers such as a SIEM (Security Information and Event Manager).\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -44,7 +44,7 @@
 "placeholder": "Select a workspace",
 "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
 "constraints": {
- "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
 "required": true
 },
 "visible": true
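Review bot: The added `toLower` only makes the match case-insensitive; `contains(toLower(filter.id), toLower(resourceGroup().name))` is still a substring test over the whole resource id, so a resource group named `sec` also admits workspaces from `sec-prod` or `insec`, and the dropdown can list a workspace that lives in a different resource group than the deployment target. Matching the delimited segment keeps the case fix and closes that gap: `contains(toLower(filter.id), concat('/resourcegroups/', toLower(resourceGroup().name), '/'))`. The new `workspace-location` output in the last hunk of this file reuses the same test, and there a spurious match is worse: `first(map(filter(...)))` silently takes the location of whichever same-named workspace is listed first, and if the filter ever yields nothing the expression fails at submit time with no validation message, so the segment match (plus a guard on the empty case) belongs there as well.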
@@ -60,7 +60,14 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This Solution installs the data connector for Infoblox Cloud Data Connector. You can get Infoblox Cloud Data Connector CommonSecurityLog data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the CommonSecurityLog table in your Azure Sentinel / Azure Log Analytics workspace."
+ "text": "This Solution installs the data connector for Infoblox Cloud Data Connector. You can get Infoblox Cloud Data Connector CommonSecurityLog data in your Microsoft Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the CommonSecurityLog table in your Microsoft Sentinel / Azure Log Analytics workspace."
+ }
+ },
+ {
+ "name": "dataconnectors-parser-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
 }
 },
 {
@@ -98,7 +105,7 @@
 "name": "workbooks-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
+ "text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
 "link": {
 "label": "Learn more",
 "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
@@ -114,7 +121,7 @@
 "name": "workbook1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Get a closer look at your BloxOne Threat Defense security event data. This workbook is intended to help visualize BloxOne Threat Defense data as part of the Infoblox Cloud Data Connector. Drilldown your data and visualize events, trends, and anomalous changes over time."
+ "text": "Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. This workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud Data Connector. Drilldown your data and visualize events, trends, and anomalous changes over time."
 }
 },
 {
@@ -146,7 +153,7 @@
 "name": "analytics-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This Azure Sentinel Solution installs analytic rules for Infoblox Cloud Data Connector that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
+ "text": "This Microsoft Sentinel Solution installs analytic rules for Infoblox Cloud Data Connector that you can enable for custom alert generation in Microsoft Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Microsoft Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
 "link": {
 "label": "Learn more",
 "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
@@ -156,13 +163,13 @@
 {
 "name": "analytic1",
 "type": "Microsoft.Common.Section",
- "label": "High Number of High Threat Level Detected",
+ "label": "Infoblox - High Number of High Threat Level Queries Detected",
 "elements": [
 {
 "name": "analytic1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This creates an incident in the event a host generates a high number of high threat level queries."
+ "text": "This creates an incident in the event a single host generates at least 200 high threat level RPZ queries (Threat Defense security hits) in 1 hour. Query count threshold and scheduling is customizable."
 }
 }
 ]
@@ -170,13 +177,27 @@
 {
 "name": "analytic2",
 "type": "Microsoft.Common.Section",
- "label": "High Number of NXDOMAIN DNS Queries Detected",
+ "label": "Infoblox - High Number of NXDOMAIN DNS Responses Detected",
 "elements": [
 {
 "name": "analytic2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This creates an incident in the event a host generates a high number of DNS queries for non-existent domains."
+ "text": "This creates an incident in the event a single host generates at least 200 DNS responses for non-existent domains in 1 hour. Query count threshold and scheduling is customizable."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic3",
+ "type": "Microsoft.Common.Section",
+ "label": "Infoblox - High Threat Level Query Not Blocked Detected",
+ "elements": [
+ {
+ "name": "analytic3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This creates an incident in the event a single host generates at least 1 high threat level query (Threat Defense security hit) that is not blocked or redirected in 1 hour. Query count threshold and scheduling is customizable."
 }
 }
 ]
@@ -185,7 +206,7 @@
 }
 ],
 "outputs": {
- "workspace-location": "[resourceGroup().location]",
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
 "location": "[location()]",
 "workspace": "[basics('workspace')]",
 "workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
diff --git a/Solutions/Infoblox Cloud Data Connector/Package/mainTemplate.json b/Solutions/Infoblox Cloud Data Connector/Package/mainTemplate.json
index f15e96cd3e..e8e752d9c5 100644
--- a/Solutions/Infoblox Cloud Data Connector/Package/mainTemplate.json
+++ b/Solutions/Infoblox Cloud Data Connector/Package/mainTemplate.json
@@ -16,10 +16,9 @@
 },
 "workspace-location": {
 "type": "string",
- "minLength": 1,
- "defaultValue": "[parameters('location')]",
+ "defaultValue": "",
 "metadata": {
- "description": "Region to deploy solution resources"
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
 }
 },
 "workspace": {
@@ -68,9 +67,17 @@
 "description": "Unique id for the scheduled alert rule"
 }
 },
+ "analytic3-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
 "connector1-name": {
 "type": "string",
- "defaultValue": "c1c7b469-40de-4a58-a7e1-b8684c95576e"
+ "defaultValue": "7bab8c07-37b5-4aa1-a3d9-41516a6ed601"
 }
 },
 "variables": {
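Review bot: Removing `"minLength": 1` while defaulting `workspace-location` to `""` leaves the parameter with no validation at all, so a deployment of mainTemplate.json that omits it (CLI, PowerShell or a pipeline rather than the portal UI) now passes template validation and, assuming resources take their `location` from this parameter as the name suggests, fails later inside the resource provider with an empty-location error instead of up front; keeping `"minLength": 1` next to the empty default restores the early failure if I read ARM parameter validation right. The new description `[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]` reads like a debugging leftover: a description is text shown to the operator, nothing in the template shows that expressions in parameter metadata are evaluated at all, and the appended value adds nothing the `location` parameter does not already carry. `"description": "Region to deploy solution resources; may differ from the location parameter"` states what the change intends.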
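Review bot: Changing the `connector1-name` default from `c1c7b469-40de-4a58-a7e1-b8684c95576e` to `7bab8c07-37b5-4aa1-a3d9-41516a6ed601` renames the `Microsoft.SecurityInsights/dataConnectors` resource that `connector1-source` (next hunk) derives from it, so a workspace that installed 1.1.0 with the default and updates to 2.0.1 presumably ends up with a second connector resource beside the old one rather than an in-place update. If the new id is deliberate, the upgrade path (removing or re-checking the old connector) deserves a line in the release notes; if not, the old value should stay. The added `analytic3-id` parameter follows the `newGuid()` pattern of its siblings, which is consistent.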
@@ -78,14 +85,19 @@ "_InfobloxCDCB1TDWorkbook_workbook": "[variables('InfobloxCDCB1TDWorkbook_workbook')]", "workbook-source": "[concat(resourceGroup().id, '/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'))]", "_workbook-source": "[variables('workbook-source')]", - "HighNumberOfHighThreatLevelDetected_AnalyticalRules": "HighNumberOfHighThreatLevelDetected_AnalyticalRules", - "_HighNumberOfHighThreatLevelDetected_AnalyticalRules": "[variables('HighNumberOfHighThreatLevelDetected_AnalyticalRules')]", - "HighNumberofNXDOMAINDNSQueriesDetected_AnalyticalRules": "HighNumberofNXDOMAINDNSQueriesDetected_AnalyticalRules", - "_HighNumberofNXDOMAINDNSQueriesDetected_AnalyticalRules": "[variables('HighNumberofNXDOMAINDNSQueriesDetected_AnalyticalRules')]", + "Infoblox-HighNumberOfHighThreatLevelQueriesDetected_AnalyticalRules": "Infoblox-HighNumberOfHighThreatLevelQueriesDetected_AnalyticalRules", + "_Infoblox-HighNumberOfHighThreatLevelQueriesDetected_AnalyticalRules": "[variables('Infoblox-HighNumberOfHighThreatLevelQueriesDetected_AnalyticalRules')]", + "Infoblox-HighNumberOfNXDOMAINDNSResponsesDetected_AnalyticalRules": "Infoblox-HighNumberOfNXDOMAINDNSResponsesDetected_AnalyticalRules", + "_Infoblox-HighNumberOfNXDOMAINDNSResponsesDetected_AnalyticalRules": "[variables('Infoblox-HighNumberOfNXDOMAINDNSResponsesDetected_AnalyticalRules')]", + "Infoblox-HighThreatLevelQueryNotBlockedDetected_AnalyticalRules": "Infoblox-HighThreatLevelQueryNotBlockedDetected_AnalyticalRules", + "_Infoblox-HighThreatLevelQueryNotBlockedDetected_AnalyticalRules": "[variables('Infoblox-HighThreatLevelQueryNotBlockedDetected_AnalyticalRules')]", "connector1-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connector1-name'))]", "_connector1-source": 
"[variables('connector1-source')]", "InfobloxCloudDataConnectorConnector": "InfobloxCloudDataConnectorConnector", "_InfobloxCloudDataConnectorConnector": "[variables('InfobloxCloudDataConnectorConnector')]", + "workspace-dependency": "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspace'))]", + "InfobloxCDC_Parser": "InfobloxCDC_Parser", + "_InfobloxCDC_Parser": "[variables('InfobloxCDC_Parser')]", "sourceId": "infoblox.infoblox-cdc-solution", "_sourceId": "[variables('sourceId')]" }, 
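Review bot: The new `workspace-dependency` variable is a bare `type/name` string, which ARM accepts in `dependsOn` only for a resource the same template deploys; the workspace here is an existing resource named by `parameters('workspace')`, so if this variable feeds a `dependsOn` (its consumer is outside this hunk) validation will reject the deployment, and if it is meant as an identifier it should be `"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace'))]"` rather than a concatenated string. The renamed `Infoblox-…_AnalyticalRules` entries keep the existing `X` / `_X` indirection pattern of this variables block, so nothing to raise there.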
@@ -95,10 +107,10 @@ "name": "[parameters('workbook1-id')]", "location": "[parameters('workspace-location')]", "kind": "shared", - "apiVersion": "2020-02-12", + "apiVersion": "2021-08-01", "properties": { "displayName": "[concat(parameters('workbook1-name'), ' - ', parameters('formattedTimeNow'))]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Infoblox CDC BloxOne Threat Defense Workbook\\r\\n\\r\\n##### Get a closer look at your BloxOne Threat Defense security event data. \\r\\n\\r\\nThis workbook is intended to help visualize BloxOne Threat Defense data as part of the Infoblox Cloud Data Connector. Drilldown your data and visualize events, trends, and anomalous changes over time.\\r\\n\\r\\n---\\r\\n\"},\"name\":\"text - 3\",\"styleSettings\":{\"margin\":\"0 0 20px 0\"}},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"46b4abc5-316b-4c75-89b7-5cf134d6dbb0\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"Overview\",\"style\":\"link\"},{\"id\":\"81661594-3591-4fe6-a67d-b69ae55abf67\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Events by IP\",\"subTarget\":\"Events by IP\",\"preText\":\"IPs\",\"style\":\"link\"},{\"id\":\"46ca603b-ead0-46bd-987d-1d157b2a763a\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Events by Domain\",\"subTarget\":\"Events by Domain\",\"style\":\"link\"},{\"id\":\"2e942b67-07c4-4579-ac5b-f43c5b01c51c\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Category Filters\",\"subTarget\":\"Category Filters\",\"style\":\"link\"}]},\"name\":\"links - 16\",\"styleSettings\":{\"margin\":\"0 0 20px 
0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9878ee10-a66a-4438-afdd-29789d76bd61\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":3600000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"30\",\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"#### Set a time range for which to view data using the dropdown to the left. It will be applied to all visualizations of this workbook. Note that using a large range may cause queries to timeout depending on the size of your environment. If you have difficulties try reducing the range.\\r\\n\\r\\n---\\r\\n\",\"style\":\"info\"},\"customWidth\":\"70\",\"name\":\"text - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Events by IP\\r\\n---\\r\\n#### Get a closer look into where threat data is originating. \\r\\nThis section visualizes which IP addresses are producing the most hits. Further drilldown data by source IP address. 
\\r\\n\\r\\nUse the dropdowns below to filter by Threat Level, Feed, and Class.\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"12793c1f-b77e-4319-99f6-b6b4230d9cfe\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatLevelParam\",\"label\":\"Threat Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"N/A\\\"},\\r\\n { \\\"value\\\":\\\"Info\\\"},\\r\\n { \\\"value\\\":\\\"Low\\\"},\\r\\n { \\\"value\\\":\\\"Medium\\\"},\\r\\n { \\\"value\\\":\\\"High\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\"},{\"id\":\"06740a9f-b69a-4769-b747-01898d6b9480\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FeedParam\",\"label\":\"Feed\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where isnotempty(Feed)\\r\\n| summarize by Feed\\r\\n| order by Feed asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"a4bec1da-10e1-4ae3-846b-d8787f569e39\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatClassParam\",\"label\":\"Threat 
Class\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend ThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, ThreatProperty) \\r\\n| summarize by ThreatClass\\r\\n| order by ThreatClass asc\\r\\n| project value = ThreatClass, label = case(ThreatClass == \\\"\\\", \\\"N/A\\\", ThreatClass)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = materialize(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" \\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = 
toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where isnotempty(SourceIP)\\r\\n| summarize count() by SourceIP\\r\\n| top 15 by count_ \\r\\n| project SourceIP);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nCommonSecurityLog \\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" \\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SourceIP in ((Top))\\r\\n| project TimeGenerated, SourceIP\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to 
{TimeRange:end} step {TimeRange:grain} by SourceIP\\r\\n\",\"size\":2,\"title\":\"Top Offending IPs by Time\",\"color\":\"red\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"name\":\"Top Offending IPs by Time\"},{\"type\":1,\"content\":{\"json\":\"#### Click on a Source IP in the chart below to further drilldown the IP.\\r\\n\\r\\n---\",\"style\":\"info\"},\"name\":\"text - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" 
)\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| summarize count() by SourceIP\\r\\n| sort by count_ desc\",\"size\":2,\"title\":\"Total Source IP Hit Count\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"ip\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SourceIP\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\",\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60%\"}}],\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Total Hits\"}]},\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":1}],\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"30\",\"name\":\"Total Source IP Hit Count\",\"styleSettings\":{\"margin\":\"0 10px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where '{ip}' == SourceIP \\r\\n\\r\\n| parse AdditionalExtensions with * \\\";InfobloxThreatProperty=\\\" ThreatProperty \\\";InfobloxThreatConfidence=\\\" 
ThreatConfidence \\\";InfobloxThreatLevel=\\\" ThreatLevel_Score\\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, ThreatProperty) \\r\\n| extend ThreatProperty = extract(\\\"([^_]*$)\\\", 1, ThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(ThreatLevel_Score)\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| project TimeGenerated, SourceIP, DestinationDnsDomain, ThreatLevel, ThreatLevel_Score, ThreatConfidence, Feed, ThreatClass, ThreatProperty, DeviceAction, Message, SourcePort\\r\\n\",\"size\":2,\"title\":\"Events for 
{ip}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel_Score\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"is 
Empty\",\"representation\":\"gray\",\"text\":\"N/A\"},{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"50\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"[\\\"ThreatLevel\\\"]\",\"columnSettings\":[{\"columnName\":\"ThreatLevel\",\"color\":\"orange\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"blue\"}]}}},{\"columnMatch\":\"ThreatConfidence\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":100,\"palette\":\"purpleBlueGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\"},{\"columnId\":\"SourceIP\"},{\"columnId\":\"DestinationDnsDomain\"},{\"columnId\":\"Message\"}]}},\"customWidth\":\"70\",\"conditionalVisibility\":{\"paramete
rName\":\"ip\",\"comparison\":\"isNotEqualTo\"},\"showPin\":false,\"name\":\"Events for {ip}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = materialize(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" \\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where '{ip}' == SourceIP \\r\\n| summarize count() by Feed\\r\\n| top 10 by count_ \\r\\n| project Feed);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" \\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in 
({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where Feed in ((Top))\\r\\n| where '{ip}' == SourceIP \\r\\n| project TimeGenerated, Feed\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Feed\",\"size\":3,\"title\":\"Feed Trend for {ip}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"ip\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Feed Trend for {ip}\",\"styleSettings\":{\"margin\":\"0px 10px 0px 0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = materialize(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" \\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = 
extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend ThreatClass = case(ThreatClass == \\\"\\\", \\\"N/A\\\", ThreatClass)\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where '{ip}' == SourceIP \\r\\n| summarize count() by ThreatClass\\r\\n| top 10 by count_ \\r\\n| project ThreatClass);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" \\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, 
\\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| extend ThreatClass = case(ThreatClass == \\\"\\\", \\\"N/A\\\", ThreatClass)\\r\\n| where ThreatClass in ((Top))\\r\\n| where '{ip}' == SourceIP \\r\\n| project TimeGenerated, ThreatClass\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ThreatClass\",\"size\":3,\"title\":\"Threat Class Trend for {ip}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"ip\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Threat Class Trend for {ip}\",\"styleSettings\":{\"margin\":\"0px 10px 0px 0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where '{ip}' == SourceIP \\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, 
\\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ThreatLevel\",\"size\":2,\"title\":\"Threat Level Trend for {ip}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"group\":\"ThreatLevel\",\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"label\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Info\",\"label\":\"\",\"color\":\"lightBlue\"},{\"seriesName\":\"Low\",\"label\":\"\",\"color\":\"yellow\"},{\"seriesName\":\"Medium\",\"label\":\"\",\"color\":\"orange\"},{\"seriesName\":\"High\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"ip\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Threat Level Trend for {ip}\"},{\"type\":1,\"content\":{\"json\":\"#### The time graph below utilizes Time Brushing. Click and drag between two points of the graph to view events for only that window of time. By not selecting any window you can also view all events for the TimeRange selected at the top of this workbook. 
\\r\\n\\r\\n---\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"ip\",\"comparison\":\"isNotEqualTo\"},\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\nlet timeframe = 1h;\\r\\n// Finding Tops \\r\\nlet Top = materialize(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" \\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where '{ip}' == SourceIP \\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| summarize count() by DestinationDnsDomain\\r\\n| top 15 by count_ \\r\\n| project DestinationDnsDomain);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = 
extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel = extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatLevel = toint(ThreatLevel)\\r\\n| extend ThreatLevel = case(ThreatLevel>=80, \\\"High\\\",\\r\\n ThreatLevel>=50 and ThreatLevel<80, \\\"Medium\\\",\\r\\n ThreatLevel<50 and ThreatLevel>=1, \\\"Low\\\",\\r\\n ThreatLevel == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where '{ip}' == SourceIP \\r\\n| where DestinationDnsDomain in ((Top))\\r\\n| project TimeGenerated, DestinationDnsDomain\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DestinationDnsDomain\\r\\n\",\"size\":2,\"title\":\"Top Domains for {ip} by Time\",\"color\":\"red\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"brush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"ip\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Top Domains for {ip} by 
Time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Total Events for {ip} between {brush:label}\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and TimeGenerated {brush} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where '{ip}' == SourceIP \\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Events Count\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"name\":\"Events Count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and 
DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and TimeGenerated {brush} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where '{ip}' == SourceIP \\r\\n\\r\\n| parse AdditionalExtensions with * \\\";InfobloxThreatProperty=\\\" ThreatProperty \\\";InfobloxThreatConfidence=\\\" ThreatConfidence \\\";InfobloxThreatLevel=\\\" ThreatLevel_Score\\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, ThreatProperty) \\r\\n| extend ThreatProperty = extract(\\\"([^_]*$)\\\", 1, ThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(ThreatLevel_Score)\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| project TimeGenerated, SourceIP, DestinationDnsDomain, ThreatLevel, ThreatLevel_Score, ThreatConfidence, Feed, ThreatClass, ThreatProperty, DeviceAction, Message, 
SourcePort\\r\\n\",\"size\":2,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel_Score\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"is 
Empty\",\"representation\":\"gray\",\"text\":\"N/A\"},{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"50\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"[\\\"ThreatLevel\\\"]\",\"columnSettings\":[{\"columnName\":\"ThreatLevel\",\"color\":\"orange\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"blue\"}]}}},{\"columnMatch\":\"ThreatConfidence\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":100,\"palette\":\"purpleBlueGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\"},{\"columnId\":\"SourceIP\"},{\"columnId\":\"DestinationDnsDomain\"},{\"columnId\":\"Message\"}]}},\"showPin\":false,\"name\":\"Events for {ip} between 
{brush:label} - grid\"}]},\"conditionalVisibility\":{\"parameterName\":\"ip\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Total Events for {ip} between {brush:label}\"}]},\"conditionalVisibility\":{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Events by IP\"},\"name\":\"Events by IP\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Events by Destination Domain\\r\\n---\\r\\n#### Get a closer look into what is being queried. \\r\\nThis section visualizes what domains are producing the most hits. Further drilldown data by destination domain. \\r\\n\\r\\nUse the dropdowns below to filter by Threat Level, Feed, and Class.\"},\"name\":\"text - 6\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7a14c478-6a17-4750-a9a5-91d65b776a1b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatLevelParam\",\"label\":\"Threat Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"N/A\\\"},\\r\\n { \\\"value\\\":\\\"Info\\\"},\\r\\n { \\\"value\\\":\\\"Low\\\"},\\r\\n { \\\"value\\\":\\\"Medium\\\"},\\r\\n { \\\"value\\\":\\\"High\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\"},{\"id\":\"9c7f9be1-3480-47c2-b586-d4e2da6bb65c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FeedParam\",\"label\":\"Feed\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend Feed = 
extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where isnotempty(Feed)\\r\\n| summarize by Feed\\r\\n| order by Feed asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"092a2314-4295-4902-9f0e-1482545ebe92\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatClassParam\",\"label\":\"Threat Class\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"query\":\"let newstr = '';\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend ThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, ThreatProperty) \\r\\n//| where isnotempty(ThreatClass)\\r\\n| summarize by ThreatClass\\r\\n| order by ThreatClass asc\\r\\n| project value = case(ThreatClass == \\\"\\\", newstr, ThreatClass), label = case(ThreatClass == \\\"\\\", \\\"N/A\\\", ThreatClass) //, selected = iff(ThreatClass == \\\"\\\", true, false)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = 
{TimeRange:end};\\r\\nlet timeframe = 1h;\\r\\n// Finding Tops \\r\\nlet Top = materialize(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" \\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| summarize count() by DestinationDnsDomain\\r\\n| top 15 by count_ \\r\\n| project DestinationDnsDomain);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| 
where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where DestinationDnsDomain in ((Top))\\r\\n| project TimeGenerated, DestinationDnsDomain\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DestinationDnsDomain\\r\\n\",\"size\":2,\"title\":\"Top Offending Domains by Time\",\"color\":\"red\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"name\":\"Top Offending Domains by Time\"},{\"type\":1,\"content\":{\"json\":\"#### Click on a Domain in the chart below to further drilldown the domain.\\r\\n\\r\\n---\",\"style\":\"info\"},\"name\":\"text - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = 
extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| summarize count() by DestinationDnsDomain\\r\\n| sort by count_ desc\",\"size\":2,\"title\":\"Total Offending Domain Hit Count\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"DestinationDnsDomain\",\"exportParameterName\":\"domain\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\",\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"40%\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"DestinationDnsDomain\"},{\"columnId\":\"count_\",\"label\":\"Total 
Hits\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"30\",\"name\":\"Total Offending Domain Hit Count\",\"styleSettings\":{\"margin\":\"0 10px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where '{domain}' == DestinationDnsDomain \\r\\n\\r\\n| parse AdditionalExtensions with * \\\";InfobloxThreatProperty=\\\" ThreatProperty \\\";InfobloxThreatConfidence=\\\" ThreatConfidence \\\";InfobloxThreatLevel=\\\" ThreatLevel_Score\\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, ThreatProperty) \\r\\n| extend ThreatProperty = extract(\\\"([^_]*$)\\\", 1, ThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(ThreatLevel_Score)\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| project TimeGenerated, DestinationDnsDomain, SourceIP, ThreatLevel, ThreatLevel_Score, ThreatConfidence, Feed, ThreatClass, ThreatProperty, DeviceAction, Message, 
SourcePort\\r\\n\",\"size\":2,\"title\":\"Events for {domain}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel_Score\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"is 
Empty\",\"representation\":\"gray\",\"text\":\"N/A\"},{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"50\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"\"}],\"compositeBarSettings\":{\"labelText\":\"[\\\"ThreatLevel\\\"]\",\"columnSettings\":[{\"columnName\":\"ThreatLevel\",\"color\":\"orange\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"blue\"}]}}},{\"columnMatch\":\"ThreatConfidence\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":100,\"palette\":\"purpleBlueGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\"},{\"columnId\":\"DestinationDnsDomain\"},{\"columnId\":\"SourceIP\"},{\"columnId\":\"ThreatLevel\"},{\"columnId\":\"ThreatLevel_Score\",\"label\":\"\"},{\"columnId\":\"ThreatConfidence\"},{\"co
lumnId\":\"Feed\"},{\"columnId\":\"ThreatClass\"},{\"columnId\":\"ThreatProperty\"},{\"columnId\":\"DeviceAction\"},{\"columnId\":\"Message\"},{\"columnId\":\"SourcePort\"}]}},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"domain\",\"comparison\":\"isNotEqualTo\"},\"showPin\":false,\"name\":\"Events for {domain}\"},{\"type\":1,\"content\":{\"json\":\"#### The time graph below utilizes Time Brushing. Click and drag between two points of the graph to view events for only that window of time. By not selecting any window you can also view all events for the TimeRange selected at the top of this workbook. \\r\\n\\r\\n---\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"domain\",\"comparison\":\"isNotEqualTo\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\nlet timeframe = 1h;\\r\\n// Finding Tops \\r\\nlet Top = materialize(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" \\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n 
\\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where '{domain}' == DestinationDnsDomain\\r\\n| where isnotempty(SourceIP)\\r\\n| summarize count() by SourceIP\\r\\n| top 15 by count_ \\r\\n| project SourceIP);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where '{domain}' == DestinationDnsDomain\\r\\n| where SourceIP in ((Top))\\r\\n| project TimeGenerated, SourceIP\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceIP\\r\\n\",\"size\":2,\"title\":\"Top IPs Querying {domain} by 
Time\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"brush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"domain\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Top IPs Querying {domain} by Time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Events for {domain} between {brush:label}\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and TimeGenerated {brush} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel = extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatLevel = toint(ThreatLevel)\\r\\n| extend ThreatLevel = case(ThreatLevel>=80, \\\"High\\\",\\r\\n ThreatLevel>=50 and ThreatLevel<80, \\\"Medium\\\",\\r\\n ThreatLevel<50 and ThreatLevel>=1, \\\"Low\\\",\\r\\n ThreatLevel == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" 
)\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where '{domain}' == DestinationDnsDomain \\r\\n| summarize count()\",\"size\":3,\"title\":\"Events Count\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"name\":\"Events Count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and TimeGenerated {brush} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where '{domain}' == DestinationDnsDomain \\r\\n\\r\\n| parse AdditionalExtensions with * \\\";InfobloxThreatProperty=\\\" ThreatProperty \\\";InfobloxThreatConfidence=\\\" ThreatConfidence \\\";InfobloxThreatLevel=\\\" ThreatLevel_Score\\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, ThreatProperty) \\r\\n| extend ThreatProperty = extract(\\\"([^_]*$)\\\", 1, ThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(ThreatLevel_Score)\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| project TimeGenerated, 
DestinationDnsDomain, SourceIP, ThreatLevel, ThreatLevel_Score, ThreatConfidence, Feed, ThreatClass, ThreatProperty, DeviceAction, Message, SourcePort\\r\\n\",\"size\":2,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel_Score\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"is 
Empty\",\"representation\":\"gray\",\"text\":\"N/A\"},{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"50\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"\"}],\"compositeBarSettings\":{\"labelText\":\"[\\\"ThreatLevel\\\"]\",\"columnSettings\":[{\"columnName\":\"ThreatLevel\",\"color\":\"orange\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"blue\"}]}}},{\"columnMatch\":\"ThreatConfidence\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":100,\"palette\":\"purpleBlueGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\"},{\"columnId\":\"DestinationDnsDomain\"},{\"columnId\":\"SourceIP\"},{\"columnId\":\"ThreatLevel\"},{\"columnId\":\"ThreatLevel_Score\",\"label\":\"\"},{\"columnId\":\"ThreatConfidence\"},{\"co
lumnId\":\"Feed\"},{\"columnId\":\"ThreatClass\"},{\"columnId\":\"ThreatProperty\"},{\"columnId\":\"DeviceAction\"},{\"columnId\":\"Message\"},{\"columnId\":\"SourcePort\"}]}},\"showPin\":false,\"name\":\"Domain RPZ Events - grid\"}]},\"conditionalVisibility\":{\"parameterName\":\"domain\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {domain} between {brush:label}\"}]},\"conditionalVisibility\":{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Events by Domain\"},\"name\":\"Events by Domain\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Overview\\r\\n---\\r\\n#### Top level insight into the overall health of your data.\\r\\n\\r\\nUse the dropdowns below to filter by Threat Level, Feed and Class.\\r\\n\\r\\n\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5b2e1804-a9a6-4b86-8a6e-27fd0ab029b5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatLevelParam\",\"label\":\"Threat Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"N/A\\\"},\\r\\n { \\\"value\\\":\\\"Info\\\"},\\r\\n { \\\"value\\\":\\\"Low\\\"},\\r\\n { \\\"value\\\":\\\"Medium\\\"},\\r\\n { \\\"value\\\":\\\"High\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\"},{\"id\":\"1bc7a1f9-d3bd-4e0f-b5ae-4dc8ba8a1463\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FeedParam\",\"label\":\"Feed\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where 
TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where isnotempty(Feed)\\r\\n| summarize by Feed\\r\\n| order by Feed asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"1eedd218-57c0-43e3-a306-a716380b05e6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatClassParam\",\"label\":\"Threat Class\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend ThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, ThreatProperty) \\r\\n| summarize by ThreatClass\\r\\n| order by ThreatClass asc\\r\\n| project value = ThreatClass, label = case(ThreatClass == \\\"\\\", \\\"N/A\\\", ThreatClass)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6 - Copy - 
Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total Hits\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total 
Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\" and AdditionalExtensions contains \\\"InfobloxRPZ=CAT_\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total Category Filter Hits\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"yellowGreenBlue\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Category Filter Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and 
DeviceEventClassID has_cs \\\"RPZ\\\" and AdditionalExtensions !contains \\\"InfobloxRPZ=CAT_\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total Non-Category Filter Hits\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"coldHot\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Non-Category Filter Hits\"}]},\"name\":\"Totals\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 
1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\",\"size\":0,\"title\":\"Hits over Time\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"name\":\"Hits over Time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = 
case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| summarize count() by DestinationDnsDomain\\r\\n| top 50 by count_ desc\",\"size\":3,\"title\":\"Top Offending Domains\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false},\"chartSettings\":{\"createOtherGroup\":0}},\"name\":\"Top Offending Domains\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, 
\\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| summarize count() by SourceIP\\r\\n| top 20 by count_ desc\",\"size\":0,\"title\":\"Top Offending IPs\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":0}},\"name\":\"Top Offending IPs\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## Threat Level\"},\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"datatable (Count:long, ThreatLevel:string, ThreatLevel_count:long) [0,\\\"N/A\\\",1, 0,\\\"Info\\\",2, 0,\\\"Low\\\",3, 0,\\\"Medium\\\",4, 0,\\\"High\\\",5]\\r\\n|union\\r\\n(\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| extend ThreatLevel_count = case(ThreatLevel == \\\"High\\\", 5, ThreatLevel==\\\"Medium\\\", 4, ThreatLevel==\\\"Low\\\", 3, ThreatLevel==\\\"Info\\\", 2, 1)\\r\\n| summarize Count = count() by ThreatLevel, ThreatLevel_count\\r\\n)\\r\\n| summarize Count=sum(Count) by ThreatLevel, ThreatLevel_count\\r\\n| sort by ThreatLevel_count asc\",\"size\":2,\"title\":\"Total Hit Count by Threat 
Level\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"graph\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"sortCriteriaField\":\"status_count\",\"sortOrderField\":1,\"size\":\"auto\"},\"graphSettings\":{\"type\":2,\"topContent\":{\"columnMatch\":\"ThreatLevel\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"nodeIdField\":\"Count\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"staticNodeSize\":100,\"colorSettings\":{\"nodeColorField\":\"ThreatLevel\",\"type\":3,\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"r
epresentation\":\"yellow\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\"},{\"operator\":\"Default\",\"representation\":\"gray\"}]},\"hivesMargin\":5}},\"customWidth\":\"30\",\"name\":\"Total Hit Count by Threat Level\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ThreatLevel\",\"size\":2,\"title\":\"Threat Level 
Trend\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"}]}},\"customWidth\":\"70\",\"name\":\"Threat Level Trend\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## Feed\"},\"name\":\"text - 8 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| summarize count() by Feed\\r\\n| order by Feed desc\",\"size\":2,\"title\":\"Total Hit Count by 
Feed\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Feed\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\",\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"50%\"}}],\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Feed\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"Feed\"},{\"columnId\":\"count_\",\"label\":\"Total Hits\"}]},\"sortBy\":[{\"itemKey\":\"Feed\",\"sortOrder\":1}],\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"30\",\"name\":\"Total Hit Count by Feed\",\"styleSettings\":{\"margin\":\"0 10px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = materialize(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" \\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or 
'{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| summarize count() by Feed\\r\\n| top 10 by count_ \\r\\n| project Feed);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nCommonSecurityLog \\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where Feed in ((Top))\\r\\n| project TimeGenerated, Feed\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Feed\",\"size\":2,\"title\":\"Feed 
Trend\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"0\",\"label\":\"N/A\",\"color\":\"green\"},{\"seriesName\":\"1\",\"label\":\"Low/Info\",\"color\":\"blue\"},{\"seriesName\":\"8\",\"label\":\"High\",\"color\":\"red\"},{\"seriesName\":\"5\",\"label\":\"Medium\",\"color\":\"orange\"}]}},\"customWidth\":\"70\",\"name\":\"Feed Trend\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## Class\"},\"name\":\"text - 8 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| extend ThreatClass = case(ThreatClass == \\\"\\\", \\\"N/A\\\", ThreatClass)\\r\\n| summarize count() by 
ThreatClass\\r\\n| order by ThreatClass asc\\r\\n\\r\\n\\r\\n\",\"size\":2,\"title\":\"Total Hit Count by Class\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\",\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"Feed\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"ThreatClass\"},{\"columnId\":\"count_\",\"label\":\"Total Hits\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"30\",\"name\":\"Total Hit Count by Class\",\"styleSettings\":{\"margin\":\"0 10px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = materialize(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" \\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend ThreatClass = case(ThreatClass == \\\"\\\", \\\"N/A\\\", ThreatClass)\\r\\n| extend Feed = 
extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| summarize count() by ThreatClass\\r\\n| top 10 by count_ \\r\\n| project ThreatClass);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nCommonSecurityLog \\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| extend ThreatClass = case(ThreatClass == \\\"\\\", \\\"N/A\\\", ThreatClass)\\r\\n| where ThreatClass in 
((Top))\\r\\n| project TimeGenerated, ThreatClass\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ThreatClass\",\"size\":2,\"title\":\"Class Trend\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"70\",\"name\":\"Class Trend\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## Action\"},\"name\":\"text - 8 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| summarize count() by DeviceAction\\r\\n| top 10 by count_ desc\",\"size\":2,\"title\":\"Total Hit Count By 
Action\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"customWidth\":\"30\",\"name\":\"Total Hit Count By Action\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend InfobloxThreatProperty = extract(\\\"InfobloxThreatProperty=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, InfobloxThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(extract(\\\"InfobloxThreatLevel=(.*)\\\", 1, AdditionalExtensions))\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction\",\"size\":2,\"title\":\"Action 
Trend\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"0\",\"label\":\"N/A\",\"color\":\"green\"},{\"seriesName\":\"1\",\"label\":\"Low/Info\",\"color\":\"blue\"},{\"seriesName\":\"8\",\"label\":\"High\",\"color\":\"red\"},{\"seriesName\":\"5\",\"label\":\"Medium\",\"color\":\"orange\"}]}},\"customWidth\":\"70\",\"name\":\"Action Trend\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## Events\"},\"name\":\"text - 8 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse AdditionalExtensions with * \\\";InfobloxThreatProperty=\\\" ThreatProperty \\\";InfobloxThreatConfidence=\\\" ThreatConfidence \\\";InfobloxThreatLevel=\\\" ThreatLevel_Score\\r\\n| extend ThreatClass = extract(\\\"(.*?)_\\\", 1, ThreatProperty) \\r\\n| extend ThreatProperty = extract(\\\"([^_]*$)\\\", 1, ThreatProperty) \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| extend Feed = extract(\\\"InfobloxRPZ=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where Feed in ({FeedParam}) or '{FeedParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_Score = toint(ThreatLevel_Score)\\r\\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \\\"High\\\",\\r\\n ThreatLevel_Score>=50 and ThreatLevel_Score<80, \\\"Medium\\\",\\r\\n ThreatLevel_Score<50 and ThreatLevel_Score>=1, \\\"Low\\\",\\r\\n ThreatLevel_Score == 0,\\\"Info\\\",\\r\\n \\\"N/A\\\" )\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| sort by 
TimeGenerated desc\\r\\n| project TimeGenerated, DestinationDnsDomain, SourceIP, ThreatLevel, ThreatLevel_Score, ThreatConfidence, Feed, ThreatClass, ThreatProperty, DeviceAction, Message, SourcePort\\r\\n\",\"size\":2,\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel_Score\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"is 
Empty\",\"representation\":\"gray\",\"text\":\"N/A\"},{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"50\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"\"}],\"compositeBarSettings\":{\"labelText\":\"[\\\"ThreatLevel\\\"]\",\"columnSettings\":[{\"columnName\":\"ThreatLevel\",\"color\":\"orange\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"blue\"}]}}},{\"columnMatch\":\"ThreatConfidence\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":100,\"palette\":\"purpleBlueGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_heatmap_ThreatConfidence_5\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\"},{\"columnId\":\"DestinationDnsDomain\"},{\"columnId\":\"SourceIP\"},{\"columnId\":\"ThreatLevel\"},{\"columnId\":
\"ThreatLevel_Score\",\"label\":\"\"},{\"columnId\":\"ThreatConfidence\"},{\"columnId\":\"Feed\"},{\"columnId\":\"ThreatClass\"},{\"columnId\":\"ThreatProperty\"},{\"columnId\":\"DeviceAction\"},{\"columnId\":\"Message\"},{\"columnId\":\"SourcePort\"}]},\"sortBy\":[{\"itemKey\":\"$gen_heatmap_ThreatConfidence_5\",\"sortOrder\":2}]},\"showPin\":false,\"name\":\"RPZ Events\"}]},\"conditionalVisibility\":{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Overview\"},\"name\":\"Overview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Category Filters \\r\\n---\\r\\n\\r\\nCategory filters are content categorization rules that BloxOne Threat Defense Cloud uses to detect and filter specific internet content. Based on your configuration, specific actions such as Allow or Block will be taken on the detected content. BloxOne Threat Defense Cloud provides the following content categories from which you can build your category filters: \\r\\n\\r\\n* Drugs\\r\\n* Risk/Fraud/Crime \\r\\n* Entertainment/Culture\\r\\n* Purchasing \\r\\n* Information/Communication \\r\\n* Business/Services\\r\\n* Information Technology \\r\\n* Lifestyle\\r\\n* Society/Education/Religion\\r\\n* Mature/Violent\\r\\n* Games/Gambling\\r\\n* Pornography/Nudity\\r\\n* Uncategorized\\r\\n\\r\\nEach of these categories contains sub-categories that further define the respective content. For example, the Drugs category includes the following sub-categories: Tobacco, Alcohol, and Drugs. When you configure your category filter, you can add as many categories and sub-categories as you need. For example, if you want BloxOne Threat Defense Cloud to detect and block internet content related to tobacco and alcohol, you select and add these sub-categories while configuring your category filter. 
You then add the category filter to your security policy and assign the Block action for the filter.\"},\"name\":\"text - 2\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\" and AdditionalExtensions contains \\\"InfobloxRPZ=CAT_\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total Category Filter Hits\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"yellowGreenBlue\"}},\"showBorder\":false}},\"name\":\"Total Category Filter Hits\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Top Category Filter Hits\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"be7263d9-229e-4875-a60a-76114659b718\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CatFilterSorter\",\"label\":\"Sort Tiles By\",\"type\":2,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"count_ desc\\\", \\\"label\\\":\\\"Hit Count\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\":\\\"DestinationDnsDomain asc, count_ desc\\\", \\\"label\\\":\\\"Domain Name\\\" },\\r\\n { \\\"value\\\":\\\"CategoryFilter asc, count_ desc\\\", \\\"label\\\":\\\"Filter Type\\\" 
}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Top Category Filters RPZ Hits\",\"styleSettings\":{\"margin\":\"0px 0px 0px 10px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\" and AdditionalExtensions contains \\\"InfobloxRPZ=CAT_\\\"\\r\\n| extend CategoryFilter = extract(\\\"InfobloxDomainCat=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| summarize count() by DestinationDnsDomain, CategoryFilter\\r\\n| sort by {CatFilterSorter}\\r\\n| take 50\\r\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"subtitleContent\":{\"columnMatch\":\"CategoryFilter\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false,\"rowLimit\":50,\"sortOrderField\":1},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"Tops\",\"styleSettings\":{\"margin\":\"-20px 0px 0px 0px\"}}]},\"name\":\"Top Category Filter Hits\",\"styleSettings\":{\"margin\":\"10px\"}}]},\"name\":\"Overview\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## By Type\"},\"name\":\"text - 
4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = materialize(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" \\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\" and AdditionalExtensions contains \\\"InfobloxRPZ=CAT_\\\"\\r\\n| extend CategoryFilter = extract(\\\"InfobloxDomainCat=(.*?);\\\", 1, AdditionalExtensions)\\r\\n| summarize count() by CategoryFilter\\r\\n| top 15 by count_ \\r\\n| project CategoryFilter);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\" and AdditionalExtensions contains \\\"InfobloxRPZ=CAT_\\\"\\r\\n| extend CategoryFilter = extract(\\\"InfobloxDomainCat=(.*?);\\\", 1, AdditionalExtensions)\\r\\n| where CategoryFilter in ((Top))\\r\\n| project TimeGenerated, CategoryFilter\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by CategoryFilter\",\"size\":2,\"title\":\"Top Offending Category Filter Types by Time\",\"color\":\"red\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"name\":\"Top Offending Category Filter Types by Time\"},{\"type\":1,\"content\":{\"json\":\"#### Click on a Category Filter in the chart below to further drilldown the Filter.\\r\\n---\",\"style\":\"info\"},\"name\":\"text - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\" and AdditionalExtensions contains \\\"InfobloxRPZ=CAT_\\\"\\r\\n| extend CategoryFilter = extract(\\\"InfobloxDomainCat=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| summarize count() by CategoryFilter\\r\\n| sort by count_ desc\",\"size\":2,\"title\":\"Total Category Filter Hit Count\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"CategoryFilter\",\"exportParameterName\":\"filter\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CategoryFilter\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\",\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"40%\"}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Total Hits\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"30\",\"name\":\"Total Category Filter Hit Count\",\"styleSettings\":{\"margin\":\"0 10px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\" and AdditionalExtensions contains 
\\\"InfobloxRPZ=CAT_\\\"\\r\\n| extend CategoryFilter = extract(\\\"InfobloxDomainCat=(.*?);\\\", 1, AdditionalExtensions)\\r\\n| where '{filter}' == CategoryFilter\\r\\n| sort by TimeGenerated desc, SourceIP desc\\r\\n| project TimeGenerated, CategoryFilter, SourceIP, DestinationDnsDomain, LogSeverity, DeviceAction, Message, SourcePort\\r\\n\",\"size\":2,\"title\":\"Events for {filter}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"N/A\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"DestinationDnsDomain\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\"},{\"columnId\":\"CategoryFilter\"},{\"columnId\":\"SourceIP\"},{\"columnId\":\"DestinationDnsDomain\"},{\"columnId\":\"LogSeverity\",\"label\":\"ThreatLevel\"},{\"columnId\":\"DeviceAction\"},{\"columnId\":\"Message\"}]},\"sortBy\":[{\"itemKey\":\"DestinationDnsDomain\",\"sortOrder\":1}]},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"filter\",\"comparison\":\"isNotEqualTo\"},\"showPin\":false,\"name\":\"Events for {filter}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data 
Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\" and AdditionalExtensions contains \\\"InfobloxRPZ=CAT_\\\"\\r\\n| extend CategoryFilter = extract(\\\"InfobloxDomainCat=(.*?);\\\", 1, AdditionalExtensions)\\r\\n| where '{filter}' == CategoryFilter \\r\\n| summarize count() by SourceIP\\r\\n| top 10 by count_ desc\\r\\n\",\"size\":2,\"title\":\"Top IPs for {filter}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"SourceIP\"},{\"columnId\":\"TimeGenerated\"},{\"columnId\":\"LogSeverity\",\"label\":\"Threat Level\"},{\"columnId\":\"DestinationDnsDomain\"},{\"columnId\":\"Activity\"},{\"columnId\":\"Message\"},{\"columnId\":\"ApplicationProtocol\"}]}},\"customWidth\":\"25\",\"conditionalVisibility\":{\"parameterName\":\"filter\",\"comparison\":\"isNotEqualTo\"},\"showPin\":false,\"name\":\"Top IPs for 
{filter}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = materialize(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" \\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\" and AdditionalExtensions contains \\\"InfobloxRPZ=CAT_\\\"\\r\\n| extend CategoryFilter = extract(\\\"InfobloxDomainCat=(.*?);\\\", 1, AdditionalExtensions)\\r\\n| where '{filter}' == CategoryFilter \\r\\n| summarize count() by DestinationDnsDomain\\r\\n| top 10 by count_ \\r\\n| project DestinationDnsDomain);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\" and AdditionalExtensions contains \\\"InfobloxRPZ=CAT_\\\"\\r\\n| extend CategoryFilter = extract(\\\"InfobloxDomainCat=(.*?);\\\", 1, AdditionalExtensions) \\r\\n| where '{filter}' == CategoryFilter \\r\\n| where DestinationDnsDomain in ((Top))\\r\\n| project TimeGenerated, DestinationDnsDomain\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DestinationDnsDomain\\r\\n\",\"size\":2,\"title\":\"Top Domains for {filter} by 
Time\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"SourceIP\"},{\"columnId\":\"TimeGenerated\"},{\"columnId\":\"LogSeverity\",\"label\":\"Threat Level\"},{\"columnId\":\"DestinationDnsDomain\"},{\"columnId\":\"Activity\"},{\"columnId\":\"Message\"},{\"columnId\":\"ApplicationProtocol\"}]},\"chartSettings\":{\"createOtherGroup\":0,\"showLegend\":true}},\"customWidth\":\"74\",\"conditionalVisibility\":{\"parameterName\":\"filter\",\"comparison\":\"isNotEqualTo\"},\"showPin\":false,\"name\":\"Top Domains for {filter} by Time\",\"styleSettings\":{\"margin\":\"0 0 0 1%\"}}]},\"name\":\"Category Filter By Type\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## By Source IP\"},\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = 
{TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = materialize(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" \\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\" and AdditionalExtensions contains \\\"InfobloxRPZ=CAT_\\\"\\r\\n| summarize count() by SourceIP\\r\\n| top 15 by count_ \\r\\n| project SourceIP);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\" and AdditionalExtensions contains \\\"InfobloxRPZ=CAT_\\\"\\r\\n| where SourceIP in ((Top))\\r\\n| project TimeGenerated, SourceIP\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceIP\",\"size\":2,\"title\":\"Top Offending IPs by Time\",\"color\":\"red\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":0,\"showLegend\":true}},\"name\":\"Top Offending IPs by Time\"},{\"type\":1,\"content\":{\"json\":\"#### Click on a Source IP in the chart below to further drilldown the IP.\\r\\n\\r\\n---\",\"style\":\"info\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\" and AdditionalExtensions contains \\\"InfobloxRPZ=CAT_\\\"\\r\\n| extend CategoryFilter = extract(\\\"InfobloxDomainCat=(.*?);\\\", 1, AdditionalExtensions)\\r\\n| summarize count() by SourceIP\\r\\n| sort by count_ 
desc\",\"size\":2,\"title\":\"Total Offending IP Hit Count\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"ip_cat\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SourceIP\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\",\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"CategoryFilter\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Total Hits\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"30\",\"name\":\"Total Offending IP Hit Count\",\"styleSettings\":{\"margin\":\"0 10px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\" and AdditionalExtensions contains \\\"InfobloxRPZ=CAT_\\\"\\r\\n| extend CategoryFilter = extract(\\\"InfobloxDomainCat=(.*?);\\\", 1, AdditionalExtensions)\\r\\n| where '{ip_cat}' == SourceIP\\r\\n| sort by TimeGenerated desc, CategoryFilter desc\\r\\n| project TimeGenerated, SourceIP, CategoryFilter, DestinationDnsDomain, LogSeverity, DeviceAction, Message, SourcePort\\r\\n\",\"size\":2,\"title\":\"Events for 
{ip_cat}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"N/A\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\"},{\"columnId\":\"SourceIP\"},{\"columnId\":\"CategoryFilter\"},{\"columnId\":\"DestinationDnsDomain\"},{\"columnId\":\"LogSeverity\",\"label\":\"ThreatLevel\"},{\"columnId\":\"DeviceAction\"},{\"columnId\":\"Message\"},{\"columnId\":\"SourcePort\"}]}},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ip_cat\",\"comparison\":\"isNotEqualTo\"},\"showPin\":false,\"name\":\"Events for {ip_cat}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\" and AdditionalExtensions contains \\\"InfobloxRPZ=CAT_\\\"\\r\\n| extend CategoryFilter = extract(\\\"InfobloxDomainCat=(.*?);\\\", 1, AdditionalExtensions)\\r\\n| where '{ip_cat}' == SourceIP \\r\\n| summarize count() by DestinationDnsDomain\",\"size\":2,\"title\":\"Top Category Filter Domains for 
{ip_cat}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"SourceIP\"},{\"columnId\":\"TimeGenerated\"},{\"columnId\":\"LogSeverity\",\"label\":\"Threat Level\"},{\"columnId\":\"DestinationDnsDomain\"},{\"columnId\":\"Activity\"},{\"columnId\":\"Message\"},{\"columnId\":\"ApplicationProtocol\"}]},\"chartSettings\":{\"createOtherGroup\":10}},\"customWidth\":\"25\",\"conditionalVisibility\":{\"parameterName\":\"ip_cat\",\"comparison\":\"isNotEqualTo\"},\"showPin\":false,\"name\":\"Top Category Filter Domains for {ip_cat}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = materialize(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" \\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs 
\\\"RPZ\\\" and AdditionalExtensions contains \\\"InfobloxRPZ=CAT_\\\"\\r\\n| extend CategoryFilter = extract(\\\"InfobloxDomainCat=(.*?);\\\", 1, AdditionalExtensions)\\r\\n| where '{ip_cat}' == SourceIP \\r\\n| summarize count() by CategoryFilter\\r\\n| top 10 by count_ \\r\\n| project CategoryFilter);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\"\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\" and AdditionalExtensions contains \\\"InfobloxRPZ=CAT_\\\"\\r\\n| extend CategoryFilter = extract(\\\"InfobloxDomainCat=(.*?);\\\", 1, AdditionalExtensions)\\r\\n| where '{ip_cat}' == SourceIP \\r\\n| where CategoryFilter in ((Top))\\r\\n| project TimeGenerated, CategoryFilter\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by CategoryFilter\",\"size\":2,\"title\":\"Top Filters for {ip_cat} by 
Time\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"SourceIP\"},{\"columnId\":\"TimeGenerated\"},{\"columnId\":\"LogSeverity\",\"label\":\"Threat Level\"},{\"columnId\":\"DestinationDnsDomain\"},{\"columnId\":\"Activity\"},{\"columnId\":\"Message\"},{\"columnId\":\"ApplicationProtocol\"}]},\"chartSettings\":{\"createOtherGroup\":0,\"showLegend\":true}},\"customWidth\":\"75\",\"conditionalVisibility\":{\"parameterName\":\"ip_cat\",\"comparison\":\"isNotEqualTo\"},\"showPin\":false,\"name\":\"Top Filters for {ip_cat} by Time\"}]},\"name\":\"Category Filter by IP\"}]},\"conditionalVisibility\":{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Category Filters\"},\"name\":\"Category 
Filters\"}],\"styleSettings\":{\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-InfobloxCDCB1TDWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\">**NOTE:** This workbook depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser) which is deployed with the Azure Sentinel Solution.\",\"style\":\"info\"},\"name\":\"text - 9\",\"styleSettings\":{\"margin\":\"0 0 20px 0\"}},{\"type\":1,\"content\":{\"json\":\"# Infoblox CDC BloxOne DDI & Threat Defense Workbook\\r\\n\\r\\n##### Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. \\r\\n\\r\\nThis workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud Data Connector. Drilldown your data and visualize events, trends, and anomalous changes over time.\\r\\n\\r\\nSupported BloxOne Cloud Source log types:\\r\\n* Threat Defense Query/Response Log\\r\\n* Threat Defense Threat Feeds Hits Log\\r\\n* DDI Query/Response Log\\r\\n* DDI DHCP Lease Log\\r\\n\\r\\n---\\r\\n\"},\"name\":\"text - 3\",\"styleSettings\":{\"margin\":\"0 0 20px 0\"}},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"f2ce2fdb-104a-447f-b42b-6d11931a09ff\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DNS & DHCP Overview\",\"subTarget\":\"DNS & DHCP Overview\",\"style\":\"link\"},{\"id\":\"46b4abc5-316b-4c75-89b7-5cf134d6dbb0\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Security Overview\",\"subTarget\":\"Security Overview\",\"style\":\"link\"},{\"id\":\"81661594-3591-4fe6-a67d-b69ae55abf67\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Events by Device\",\"subTarget\":\"Events by 
Device\",\"preText\":\"IPs\",\"style\":\"link\"},{\"id\":\"46ca603b-ead0-46bd-987d-1d157b2a763a\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Events by Domain\",\"subTarget\":\"Events by Domain\",\"style\":\"link\"},{\"id\":\"2e942b67-07c4-4579-ac5b-f43c5b01c51c\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Filters\",\"subTarget\":\"Filters\",\"style\":\"link\"}]},\"name\":\"links - 16\",\"styleSettings\":{\"margin\":\"0 0 20px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9878ee10-a66a-4438-afdd-29789d76bd61\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":14400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"30\",\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"#### Set a time range for which to view data using the dropdown to the left. It will be applied to all visualizations of this workbook. Note that using a large range may cause queries to timeout depending on the size of your environment. 
Reduce the range if this keeps occurring.\\r\\n\\r\\n---\\r\\n\",\"style\":\"info\"},\"customWidth\":\"70\",\"name\":\"text - 7\",\"styleSettings\":{\"margin\":\"0 0 10px 0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Events by Device\\r\\n---\\r\\n#### Get a closer look into where threat data is originating. \\r\\nThis section visualizes which devices are producing the most hits. Further drilldown data by source IP address. \\r\\n\\r\\nMake sure to set all Threat Defense dropdowns below back to \\\"All\\\" when switching between Log Types.\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"12793c1f-b77e-4319-99f6-b6b4230d9cfe\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LogTypeParam\",\"label\":\"Log Type\",\"type\":2,\"isRequired\":true,\"value\":\"RPZ\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"RPZ\\\", \\\"label\\\":\\\"Threat Defense Security Hits\\\" },\\r\\n { \\\"value\\\":\\\"DNS\\\", \\\"label\\\":\\\"DNS Queries & Responses\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6 - Copy - Copy - Copy2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"19099936-395c-4ac9-a462-097e6c1fe50c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatLevelParam\",\"label\":\"Threat Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"N/A\\\"},\\r\\n { \\\"value\\\":\\\"Info\\\"},\\r\\n { \\\"value\\\":\\\"Low\\\"},\\r\\n { 
\\\"value\\\":\\\"Medium\\\"},\\r\\n { \\\"value\\\":\\\"High\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\"},{\"id\":\"2d6b86ef-4bd8-4afd-be72-83f7cb365585\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FeedParam\",\"label\":\"Feed\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"query\":\"InfobloxCDC\\r\\n| where isnotempty(InfobloxB1FeedName)\\r\\n| summarize by InfobloxB1FeedName\\r\\n| order by InfobloxB1FeedName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8e48699a-6c2e-42b2-bcd8-15cfce54fe4d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatClassParam\",\"label\":\"Threat Class\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"query\":\"InfobloxCDC\\r\\n| summarize by ThreatClass\\r\\n| order by ThreatClass asc\\r\\n| project value = ThreatClass, label = case(ThreatClass == \\\"\\\", \\\"N/A\\\", ThreatClass)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"ActionParam\",\"label\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"NXDOMAIN\\\", \\\"label\\\": 
\\\"Block\\\"},\\r\\n { \\\"value\\\":\\\"REDIRECT\\\", \\\"label\\\": \\\"Redirect\\\"},\\r\\n { \\\"value\\\":\\\"PASSTHRU\\\", \\\"label\\\": \\\"Log\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"id\":\"f57d037a-57c8-4b7b-93fd-8f6215d1c9c2\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"LogTypeParam\",\"comparison\":\"isEqualTo\",\"value\":\"RPZ\"},\"name\":\"parameters - 6 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| where isnotempty(SourceIP)\\r\\n| summarize count() by SourceIP\\r\\n| top 15 by count_ \\r\\n| project SourceIP);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or 
InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| where SourceIP in ((Top))\\r\\n| project TimeGenerated, SourceIP\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceIP\\r\\n\",\"size\":2,\"title\":\"Top Source IPs by Time\",\"color\":\"red\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"name\":\"Top Source IPs by Time\"},{\"type\":1,\"content\":{\"json\":\"#### Click on a Device in the chart below to further drilldown the device.\\r\\n\\r\\n---\",\"style\":\"info\"},\"name\":\"text - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| summarize count() by SourceIP, DeviceName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n| order by count_ 
desc\",\"size\":2,\"title\":\"Hit Count by Device\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"ip\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\",\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"40%\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Hits\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"30\",\"name\":\"Hit Count by Device\",\"styleSettings\":{\"margin\":\"0 10px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs 'RPZ'\\r\\n| where '{ip}' == SourceIP \\r\\n| sort by TimeGenerated desc\\r\\n| project TimeGenerated, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, 
SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested\\r\\n\",\"size\":2,\"showAnalytics\":true,\"title\":\"Events for {ip}\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel_Score\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"is 
Empty\",\"representation\":\"gray\",\"text\":\"N/A\"},{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"50\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"[\\\"ThreatLevel\\\"]\",\"columnSettings\":[{\"columnName\":\"ThreatLevel\",\"color\":\"orange\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"blue\"}]}}},{\"columnMatch\":\"ThreatConfidence\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":100,\"palette\":\"purpleBlueGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"InfobloxB1PolicyAction\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"InfobloxB1PolicyAction\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"conditionalVisibilities\":[{\"parameterName
\":\"ip\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"LogTypeParam\",\"comparison\":\"isEqualTo\",\"value\":\"RPZ\"}],\"showPin\":false,\"name\":\"Events for {ip}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs 'DNS'\\r\\n| where '{ip}' == SourceIP \\r\\n| sort by TimeGenerated desc\\r\\n| project TimeGenerated, Activity, DestinationDnsDomain, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, InfobloxDNSQClass, InfobloxDNSQType, InfobloxDNSRCode, Protocol, AdditionalExtensionsParsedNested\\r\\n\",\"size\":2,\"showAnalytics\":true,\"title\":\"Events for {ip}\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel_Score\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"is 
Empty\",\"representation\":\"gray\",\"text\":\"N/A\"},{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"50\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"[\\\"ThreatLevel\\\"]\",\"columnSettings\":[{\"columnName\":\"ThreatLevel\",\"color\":\"orange\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"blue\"}]}}},{\"columnMatch\":\"ThreatConfidence\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":100,\"palette\":\"purpleBlueGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"conditionalVisibilities\":[{\"parameterName\":\"ip\",\"comparison\":\"i
sNotEqualTo\"},{\"parameterName\":\"LogTypeParam\",\"comparison\":\"isEqualTo\",\"value\":\"DNS\"}],\"showPin\":false,\"name\":\"Events for {ip} - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| extend InfobloxB1FeedName = case(InfobloxB1FeedName == \\\"\\\", InfobloxRPZ, InfobloxB1FeedName)\\r\\n| where '{ip}' == SourceIP \\r\\n| summarize count() by InfobloxB1FeedName\\r\\n| top 10 by count_ \\r\\n| project InfobloxB1FeedName);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| extend InfobloxB1FeedName = case(InfobloxB1FeedName == \\\"\\\", InfobloxRPZ, InfobloxB1FeedName)\\r\\n| where '{ip}' == SourceIP \\r\\n| where InfobloxB1FeedName in ((Top))\\r\\n| project 
TimeGenerated, InfobloxB1FeedName\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by InfobloxB1FeedName\",\"size\":0,\"title\":\"Feed Trend for {ip}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibilities\":[{\"parameterName\":\"ip\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"LogTypeParam\",\"comparison\":\"isEqualTo\",\"value\":\"RPZ\"}],\"name\":\"Feed Trend for {ip}\",\"styleSettings\":{\"margin\":\"0px 10px 0px 0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| extend ThreatClass = case(ThreatClass == \\\"\\\", \\\"N/A\\\", ThreatClass)\\r\\n| where '{ip}' == SourceIP \\r\\n| summarize count() by ThreatClass\\r\\n| top 10 by count_ \\r\\n| project ThreatClass);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) 
or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| extend ThreatClass = case(ThreatClass == \\\"\\\", \\\"N/A\\\", ThreatClass)\\r\\n| where '{ip}' == SourceIP \\r\\n| where ThreatClass in ((Top))\\r\\n| project TimeGenerated, ThreatClass\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ThreatClass\",\"size\":0,\"title\":\"Threat Class Trend for {ip}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibilities\":[{\"parameterName\":\"ip\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"LogTypeParam\",\"comparison\":\"isEqualTo\",\"value\":\"RPZ\"}],\"name\":\"Threat Class Trend for {ip}\",\"styleSettings\":{\"margin\":\"0px 10px 0px 0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| where '{ip}' == SourceIP \\r\\n| make-series Trend = count() default = 0 on TimeGenerated from 
{TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ThreatLevel\",\"size\":0,\"title\":\"Threat Level Trend for {ip}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"group\":\"ThreatLevel\",\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"label\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Info\",\"label\":\"\",\"color\":\"lightBlue\"},{\"seriesName\":\"Low\",\"label\":\"\",\"color\":\"yellow\"},{\"seriesName\":\"Medium\",\"label\":\"\",\"color\":\"orange\"},{\"seriesName\":\"High\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"conditionalVisibilities\":[{\"parameterName\":\"ip\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"LogTypeParam\",\"comparison\":\"isEqualTo\",\"value\":\"RPZ\"}],\"name\":\"Threat Level Trend for {ip}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| where '{ip}' == SourceIP \\r\\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SimplifiedDeviceAction\",\"size\":0,\"title\":\"Action Trend for 
{ip}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"PASSTHRU\",\"label\":\"Log\",\"color\":\"green\"},{\"seriesName\":\"REDIRECT\",\"label\":\"Redirect\",\"color\":\"orange\"},{\"seriesName\":\"NXDOMAIN\",\"label\":\"Block\",\"color\":\"redBright\"},{\"seriesName\":\"\",\"label\":\"Unknown\",\"color\":\"turquoise\"}]}},\"customWidth\":\"50\",\"conditionalVisibilities\":[{\"parameterName\":\"ip\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"LogTypeParam\",\"comparison\":\"isEqualTo\",\"value\":\"RPZ\"}],\"name\":\"Action Trend for {ip}\"},{\"type\":1,\"content\":{\"json\":\"#### The time graph below utilizes Time Brushing. Click and drag between two points of the graph to view events for only that window of time. By not selecting any window you can also view all events for the TimeRange selected at the top of this workbook. 
\\r\\n\\r\\n---\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"ip\",\"comparison\":\"isNotEqualTo\"},\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| where '{ip}' == SourceIP \\r\\n| summarize count() by DestinationDnsDomain\\r\\n| order by count_ desc\",\"size\":2,\"title\":\"Queries for {ip}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\",\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"60%\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Hits\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"20\",\"conditionalVisibility\":{\"parameterName\":\"ip\",\"comparison\":\"isNotEqualTo\"
},\"name\":\"Queries for {ip}\",\"styleSettings\":{\"margin\":\"0 10px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\nlet timeframe = 1h;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| where '{ip}' == SourceIP \\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| summarize count() by DestinationDnsDomain\\r\\n| top 15 by count_ \\r\\n| project DestinationDnsDomain);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| where '{ip}' == SourceIP \\r\\n| where DestinationDnsDomain in ((Top))\\r\\n| project TimeGenerated, DestinationDnsDomain\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DestinationDnsDomain\\r\\n\",\"size\":2,\"title\":\"Top 
Queries for {ip} by Time\",\"color\":\"red\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"brush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"80\",\"conditionalVisibility\":{\"parameterName\":\"ip\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Top Queries for {ip} by Time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Total Events for {ip} between {brush:label}\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and TimeGenerated {brush} \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| where '{ip}' == SourceIP \\r\\n| summarize count()\",\"size\":3,\"title\":\"Events 
Count\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"name\":\"Events Count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and TimeGenerated {brush} \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| where '{ip}' == SourceIP \\r\\n| sort by TimeGenerated desc\\r\\n| project TimeGenerated, DeviceEventClassID, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, 
AdditionalExtensionsParsedNested\",\"size\":2,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel_Score\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"is 
Empty\",\"representation\":\"gray\",\"text\":\"N/A\"},{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"50\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"[\\\"ThreatLevel\\\"]\",\"columnSettings\":[{\"columnName\":\"ThreatLevel\",\"color\":\"orange\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"blue\"}]}}},{\"columnMatch\":\"ThreatConfidence\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":100,\"palette\":\"purpleBlueGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"InfobloxB1PolicyAction\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxB1PolicyAction\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"LogTypeParam\",\"comp
arison\":\"isEqualTo\",\"value\":\"RPZ\"},\"showPin\":false,\"name\":\"Events for {ip} between {brush:label} - grid\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and TimeGenerated {brush} \\r\\n| where DeviceEventClassID has_cs 'DNS'\\r\\n| where '{ip}' == SourceIP \\r\\n| sort by TimeGenerated desc\\r\\n| project TimeGenerated, Activity, DestinationDnsDomain, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, InfobloxDNSQClass, InfobloxDNSQType, InfobloxDNSRCode, Protocol, AdditionalExtensionsParsedNested\\r\\n\",\"size\":2,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel_Score\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"is 
Empty\",\"representation\":\"gray\",\"text\":\"N/A\"},{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"50\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"[\\\"ThreatLevel\\\"]\",\"columnSettings\":[{\"columnName\":\"ThreatLevel\",\"color\":\"orange\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"blue\"}]}}},{\"columnMatch\":\"ThreatConfidence\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":100,\"palette\":\"purpleBlueGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"LogTypeParam\",\"comparison\":\"isEqualTo\",\"value\":\"DNS\"},\"showPin\":false,\"name\":\"Events for {ip} between {brush:label} - grid - 
Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"ip\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Total Events for {ip} between {brush:label}\"}]},\"conditionalVisibility\":{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Events by Device\"},\"name\":\"Events by Device\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Events by Destination Domain\\r\\n---\\r\\n#### Get a closer look into what is being queried. \\r\\nThis section visualizes where users are visiting. Further drilldown data by destination query (domain). \\r\\n\\r\\nMake sure to set all Threat Defense dropdowns below back to \\\"All\\\" when switching between Log Types.\"},\"name\":\"text - 6\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9d2856d9-b23c-4779-916d-abef2e4c50e0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LogTypeParam\",\"label\":\"Log Type\",\"type\":2,\"isRequired\":true,\"value\":\"RPZ\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"RPZ\\\", \\\"label\\\":\\\"Threat Defense Security Hits\\\" },\\r\\n { \\\"value\\\":\\\"DNS\\\", \\\"label\\\":\\\"DNS Queries & Responses\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6 - Copy - Copy - Copy2 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a5663eb6-1030-421e-a60a-6af9f4af3f99\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatLevelParam\",\"label\":\"Threat 
Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"N/A\\\"},\\r\\n { \\\"value\\\":\\\"Info\\\"},\\r\\n { \\\"value\\\":\\\"Low\\\"},\\r\\n { \\\"value\\\":\\\"Medium\\\"},\\r\\n { \\\"value\\\":\\\"High\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\"},{\"id\":\"5cbd5c34-3703-4835-aa3b-228504310c1c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FeedParam\",\"label\":\"Feed\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"query\":\"InfobloxCDC\\r\\n| where isnotempty(InfobloxB1FeedName)\\r\\n| summarize by InfobloxB1FeedName\\r\\n| order by InfobloxB1FeedName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"3c67b4c6-8cf3-4c75-87ea-4bca83dee296\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatClassParam\",\"label\":\"Threat Class\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"query\":\"InfobloxCDC\\r\\n| summarize by ThreatClass\\r\\n| order by ThreatClass asc\\r\\n| project value = ThreatClass, label = case(ThreatClass == \\\"\\\", \\\"N/A\\\", 
ThreatClass)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"ActionParam\",\"label\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"NXDOMAIN\\\", \\\"label\\\": \\\"Block\\\"},\\r\\n { \\\"value\\\":\\\"REDIRECT\\\", \\\"label\\\": \\\"Redirect\\\"},\\r\\n { \\\"value\\\":\\\"PASSTHRU\\\", \\\"label\\\": \\\"Log\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"id\":\"730927d0-a8ce-461d-b20b-fe9cda17c486\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"LogTypeParam\",\"comparison\":\"isEqualTo\",\"value\":\"RPZ\"},\"name\":\"parameters - 6 - Copy - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\nlet timeframe = 1h;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or 
InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| summarize count() by DestinationDnsDomain\\r\\n| top 15 by count_ \\r\\n| project DestinationDnsDomain);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| where DestinationDnsDomain in ((Top))\\r\\n| project TimeGenerated, DestinationDnsDomain\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DestinationDnsDomain\\r\\n\",\"size\":2,\"title\":\"Top Queries by Time\",\"color\":\"red\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"name\":\"Top Queries by Time\"},{\"type\":1,\"content\":{\"json\":\"#### Click on a Query in the chart below to further drilldown the 
query.\\r\\n\\r\\n---\",\"style\":\"info\"},\"name\":\"text - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| summarize count() by DestinationDnsDomain\\r\\n| sort by count_ desc\",\"size\":2,\"title\":\"Hit Count by Query/Domain\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"DestinationDnsDomain\",\"exportParameterName\":\"domain\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\",\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"40%\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Hits\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"30\",\"name\":\"Hit Count by Query/Domain\",\"styleSettings\":{\"margin\":\"0 10px 0 
0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs 'RPZ'\\r\\n| where '{domain}' == DestinationDnsDomain \\r\\n| sort by TimeGenerated desc\\r\\n| project TimeGenerated, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested\\r\\n\",\"size\":2,\"showAnalytics\":true,\"title\":\"Events for 
{domain}\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel_Score\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"is 
Empty\",\"representation\":\"gray\",\"text\":\"N/A\"},{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"50\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"\"}],\"compositeBarSettings\":{\"labelText\":\"[\\\"ThreatLevel\\\"]\",\"columnSettings\":[{\"columnName\":\"ThreatLevel\",\"color\":\"orange\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"blue\"}]}}},{\"columnMatch\":\"ThreatConfidence\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":100,\"palette\":\"purpleBlueGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"70\",\"conditionalVisibilities\":[{\"parameterName\":\"domain\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"LogTypeParam\",\"comparison\":\"isEqualTo\",\"value\":\"RPZ\"}],\"showPin\":false,\"name\":\"Events for 
{domain}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where DeviceEventClassID has_cs 'DNS'\\r\\n| where '{domain}' == DestinationDnsDomain \\r\\n| sort by TimeGenerated desc\\r\\n| project TimeGenerated, Activity, DestinationDnsDomain, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, InfobloxDNSQClass, InfobloxDNSQType, InfobloxDNSRCode, Protocol, AdditionalExtensionsParsedNested\\r\\n\\r\\n\",\"size\":2,\"showAnalytics\":true,\"title\":\"Events for {domain}\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel_Score\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"is 
Empty\",\"representation\":\"gray\",\"text\":\"N/A\"},{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"50\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"\"}],\"compositeBarSettings\":{\"labelText\":\"[\\\"ThreatLevel\\\"]\",\"columnSettings\":[{\"columnName\":\"ThreatLevel\",\"color\":\"orange\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"blue\"}]}}},{\"columnMatch\":\"ThreatConfidence\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":100,\"palette\":\"purpleBlueGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"70\",\"conditionalVisibilities\":[{\"parameterName\":\"domain\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"LogTypeParam\",\"comparison\":\"isEqualTo\",\"value\":\"DNS\"}],\"showPin\":false,\"name\":\"Events for 
{domain} - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### The time graph below utilizes Time Brushing. Click and drag between two points of the graph to view events for only that window of time. By not selecting any window you can also view all events for the TimeRange selected at the top of this workbook. \\r\\n\\r\\n---\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"domain\",\"comparison\":\"isNotEqualTo\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| where '{domain}' == DestinationDnsDomain \\r\\n| summarize count() by SourceIP, DeviceName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n| sort by count_ desc\",\"size\":2,\"title\":\"Devices Querying 
{domain}\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\",\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"40%\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Hits\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"domain\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Devices Querying {domain}\",\"styleSettings\":{\"margin\":\"0 10px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\nlet timeframe = 1h;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| where '{domain}' == DestinationDnsDomain \\r\\n| where isnotempty(SourceIP)\\r\\n| summarize count() by SourceIP\\r\\n| top 15 by count_ \\r\\n| project 
SourceIP);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxCDC\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| where '{domain}' == DestinationDnsDomain \\r\\n| where SourceIP in ((Top))\\r\\n| project TimeGenerated, SourceIP\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceIP\\r\\n\",\"size\":2,\"title\":\"Top Devices Querying {domain} by Time\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"brush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"domain\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Top Devices Querying {domain} by Time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Events for {domain} between {brush:label}\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated 
{TimeRange} and TimeGenerated {brush} \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs '{LogTypeParam}'\\r\\n| where '{domain}' == DestinationDnsDomain \\r\\n| summarize count()\",\"size\":3,\"title\":\"Events Count\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"name\":\"Events Count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and TimeGenerated {brush} \\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where DeviceEventClassID has_cs 'RPZ'\\r\\n| where '{domain}' == DestinationDnsDomain \\r\\n| sort by TimeGenerated desc\\r\\n| project TimeGenerated, DeviceEventClassID, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, 
InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested\\r\\n\",\"size\":2,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel_Score\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"is 
Empty\",\"representation\":\"gray\",\"text\":\"N/A\"},{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"50\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"\"}],\"compositeBarSettings\":{\"labelText\":\"[\\\"ThreatLevel\\\"]\",\"columnSettings\":[{\"columnName\":\"ThreatLevel\",\"color\":\"orange\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"blue\"}]}}},{\"columnMatch\":\"ThreatConfidence\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":100,\"palette\":\"purpleBlueGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"LogTypeParam\",\"comparison\":\"isEqualTo\",\"value\":\"RPZ\"},\"showPin\":false,\"name\":\"Domain RPZ Events - 
grid\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and TimeGenerated {brush} \\r\\n| where DeviceEventClassID has_cs 'DNS'\\r\\n| where '{domain}' == DestinationDnsDomain \\r\\n| sort by TimeGenerated desc\\r\\n| project TimeGenerated, Activity, DestinationDnsDomain, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, InfobloxDNSQClass, InfobloxDNSQType, InfobloxDNSRCode, Protocol, AdditionalExtensionsParsedNested\\r\\n\",\"size\":2,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel_Score\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"is 
Empty\",\"representation\":\"gray\",\"text\":\"N/A\"},{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"50\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"\"}],\"compositeBarSettings\":{\"labelText\":\"[\\\"ThreatLevel\\\"]\",\"columnSettings\":[{\"columnName\":\"ThreatLevel\",\"color\":\"orange\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"blue\"}]}}},{\"columnMatch\":\"ThreatConfidence\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":100,\"palette\":\"purpleBlueGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"LogTypeParam\",\"comparison\":\"isEqualTo\",\"value\":\"DNS\"},\"showPin\":false,\"name\":\"Domain RPZ Events - grid - 
Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"domain\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {domain} between {brush:label}\"}]},\"conditionalVisibility\":{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Events by Domain\"},\"name\":\"Events by Domain\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## BloxOne Threat Defense Security Overview\\r\\n---\\r\\n#### Top level insight into your BloxOne Threat Defense security data.\\r\\n\\r\\n\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5b2e1804-a9a6-4b86-8a6e-27fd0ab029b5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatLevelParam\",\"label\":\"Threat Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"N/A\\\"},\\r\\n { \\\"value\\\":\\\"Info\\\"},\\r\\n { \\\"value\\\":\\\"Low\\\"},\\r\\n { \\\"value\\\":\\\"Medium\\\"},\\r\\n { \\\"value\\\":\\\"High\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\"},{\"id\":\"1bc7a1f9-d3bd-4e0f-b5ae-4dc8ba8a1463\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FeedParam\",\"label\":\"Feed\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"query\":\"InfobloxCDC\\r\\n| where isnotempty(InfobloxB1FeedName)\\r\\n| summarize by InfobloxB1FeedName\\r\\n| order by InfobloxB1FeedName 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1eedd218-57c0-43e3-a306-a716380b05e6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatClassParam\",\"label\":\"Threat Class\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"query\":\"InfobloxCDC\\r\\n| summarize by ThreatClass\\r\\n| order by ThreatClass asc\\r\\n| project value = ThreatClass, label = case(ThreatClass == \\\"\\\", \\\"N/A\\\", ThreatClass)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"ActionParam\",\"label\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"NXDOMAIN\\\", \\\"label\\\": \\\"Block\\\"},\\r\\n { \\\"value\\\":\\\"REDIRECT\\\", \\\"label\\\": \\\"Redirect\\\"},\\r\\n { \\\"value\\\":\\\"PASSTHRU\\\", \\\"label\\\": \\\"Log\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":259200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"id\":\"e36bc3c2-b85e-478c-968b-7faf79c21c49\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6 - Copy - 
Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"title\":\"Unique Impacted Devices\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"palette\":\"orangeBlue\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Unique Impacted Devices\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs 
\\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1ConnectionType == \\\"remote_client\\\"\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"title\":\"Unique Impacted B1 Endpoints\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"pink\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Unique Impacted B1 Endpoints\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| summarize dcount(DestinationDnsDomain)\",\"size\":3,\"title\":\"Unique Threat 
Indicators\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_DestinationDnsDomain\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Unique Threat Indicators\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| summarize dcount(ThreatClass)\",\"size\":3,\"title\":\"Unique Threat Classes\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_ThreatClass\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"greenDark\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Unique Threat 
Classes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n//| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total Security Hits (All Actions)\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Security Hits (All Actions)\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1PolicyAction == \\\"Log\\\" or SimplifiedDeviceAction == \\\"PASSTHRU\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total Allowed + Logged Hits 
(PASSTHRU)\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Allowed + Logged Hits (PASSTHRU)\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1PolicyAction == \\\"Block\\\" or SimplifiedDeviceAction == \\\"NXDOMAIN\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total Blocked Hits (NXDOMAIN)\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"redBright\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Blocked Hits (NXDOMAIN)\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| 
where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1PolicyAction == \\\"Redirect\\\" or SimplifiedDeviceAction == \\\"REDIRECT\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total Redirects (REDIRECT)\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Redirects (REDIRECT)\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1PolicyAction == \\\"Log\\\" or SimplifiedDeviceAction == \\\"PASSTHRU\\\"\\r\\n| where ThreatLevel == \\\"High\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total High Threat Level Hits Not 
Blocked\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"redBright\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total High Threat Level Hits Not Blocked\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName !has_cs \\\"CAT_\\\" and InfobloxRPZ !has_cs \\\"CAT_\\\" and InfobloxB1FeedName !has_cs \\\"APP_\\\" and InfobloxRPZ !has_cs \\\"APP_\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total Non-Filter Hits\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"coldHot\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Non-Filter 
Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName has_cs \\\"CAT_\\\" or InfobloxRPZ has_cs \\\"CAT_\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total Category Filter Hits\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"yellowGreenBlue\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Category Filter Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName has_cs \\\"APP_\\\" or InfobloxRPZ has_cs \\\"APP_\\\"\\r\\n| summarize 
count()\",\"size\":3,\"title\":\"Total Application Filter Hits\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"yellow\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Application Filter Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1ConnectionType == \\\"remote_client\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total Hits via B1 Endpoints\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"orangeRed\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Hits via B1 Endpoints\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or 
'{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1ConnectionType == \\\"nios\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total Hits via NIOS\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Hits via NIOS\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1ConnectionType == \\\"dfp\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total Hits via 
DFP\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"orange\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Hits via DFP\"}]},\"customWidth\":\"40\",\"name\":\"Totals\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\",\"size\":3,\"title\":\"Security Hits over Time\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"customWidth\":\"60\",\"name\":\"Security Hits over Time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in 
({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| summarize count() by DestinationDnsDomain\\r\\n| top 50 by count_ desc\",\"size\":2,\"title\":\"Top Indicators\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false},\"chartSettings\":{\"createOtherGroup\":0}},\"customWidth\":\"65\",\"name\":\"Top Indicators\",\"styleSettings\":{\"margin\":\"0px 10px 0px 0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| summarize count() by SourceIP\\r\\n| top 20 by count_ desc\",\"size\":3,\"title\":\"Top Impacted IPs\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":0}},\"customWidth\":\"35\",\"name\":\"Top Impacted 
IPs\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## Threat Level\"},\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"datatable (Count:long, ThreatLevel:string, ThreatLevel_count:long) [0,\\\"N/A\\\",1, 0,\\\"Info\\\",2, 0,\\\"Low\\\",3, 0,\\\"Medium\\\",4, 0,\\\"High\\\",5]\\r\\n|union\\r\\n(\\r\\nInfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| extend ThreatLevel_count = case(ThreatLevel == \\\"High\\\", 5, ThreatLevel==\\\"Medium\\\", 4, ThreatLevel==\\\"Low\\\", 3, ThreatLevel==\\\"Info\\\", 2, 1)\\r\\n| summarize Count = count() by ThreatLevel, ThreatLevel_count\\r\\n)\\r\\n| summarize Count=sum(Count) by ThreatLevel, ThreatLevel_count\\r\\n| sort by ThreatLevel_count asc\",\"size\":0,\"title\":\"Hit Count by Threat 
Level\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"graph\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"sortCriteriaField\":\"status_count\",\"sortOrderField\":1,\"size\":\"auto\"},\"graphSettings\":{\"type\":2,\"topContent\":{\"columnMatch\":\"ThreatLevel\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"nodeIdField\":\"Count\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"staticNodeSize\":100,\"colorSettings\":{\"nodeColorField\":\"ThreatLevel\",\"type\":3,\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"re
presentation\":\"yellow\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\"},{\"operator\":\"Default\",\"representation\":\"gray\"}]},\"hivesMargin\":5}},\"customWidth\":\"30\",\"name\":\"Hit Count by Threat Level\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ThreatLevel\",\"size\":0,\"title\":\"Threat Level Trend\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"}]}},\"customWidth\":\"70\",\"name\":\"Threat Level Trend\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## Feed\"},\"name\":\"text - 8 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or 
'{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| extend InfobloxB1FeedName = case(InfobloxB1FeedName == \\\"\\\", InfobloxRPZ, InfobloxB1FeedName)\\r\\n\\r\\n//| summarize c = count() by InfobloxB1FeedName\\r\\n//| summarize c = sum(c) by InfobloxB1FeedName = tolower(InfobloxB1FeedName)\\r\\n\\r\\n| summarize count() by InfobloxB1FeedName\\r\\n| order by count_ desc\",\"size\":0,\"title\":\"Hit Count by Feed\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"InfobloxB1FeedName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\",\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"Feed\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Hits\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"30\",\"name\":\"Hit Count by Feed\",\"styleSettings\":{\"margin\":\"0 10px 0 
0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| extend InfobloxB1FeedName = case(InfobloxB1FeedName == \\\"\\\", InfobloxRPZ, InfobloxB1FeedName)\\r\\n| summarize count() by InfobloxB1FeedName\\r\\n| top 10 by count_ \\r\\n| project InfobloxB1FeedName);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| extend InfobloxB1FeedName = case(InfobloxB1FeedName == \\\"\\\", InfobloxRPZ, InfobloxB1FeedName)\\r\\n| where InfobloxB1FeedName in ((Top))\\r\\n| project TimeGenerated, InfobloxB1FeedName\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by InfobloxB1FeedName\",\"size\":0,\"title\":\"Feed 
Trend\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"0\",\"label\":\"N/A\",\"color\":\"green\"},{\"seriesName\":\"1\",\"label\":\"Low/Info\",\"color\":\"blue\"},{\"seriesName\":\"8\",\"label\":\"High\",\"color\":\"red\"},{\"seriesName\":\"5\",\"label\":\"Medium\",\"color\":\"orange\"}]}},\"customWidth\":\"70\",\"name\":\"Feed Trend\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## Class\"},\"name\":\"text - 8 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| extend ThreatClass = case(ThreatClass == \\\"\\\", \\\"N/A\\\", ThreatClass)\\r\\n| summarize count() by ThreatClass\\r\\n| order by count_ desc\\r\\n\\r\\n\\r\\n\",\"size\":0,\"title\":\"Hit Count by 
Class\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\",\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"Feed\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Hits\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"30\",\"name\":\"Hit Count by Class\",\"styleSettings\":{\"margin\":\"0 10px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| extend ThreatClass = case(ThreatClass == \\\"\\\", \\\"N/A\\\", ThreatClass)\\r\\n| summarize count() by ThreatClass\\r\\n| top 10 by count_ \\r\\n| project ThreatClass);\\r\\n// Filtering 
datasource to Tops and Plot Time chart\\r\\nInfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| extend ThreatClass = case(ThreatClass == \\\"\\\", \\\"N/A\\\", ThreatClass)\\r\\n| where ThreatClass in ((Top))\\r\\n| project TimeGenerated, ThreatClass\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ThreatClass\",\"size\":0,\"title\":\"Class Trend\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"70\",\"name\":\"Class Trend\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## Action\"},\"name\":\"text - 8 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| summarize 
count() by SimplifiedDeviceAction\\r\\n| top 10 by count_ desc\",\"size\":0,\"title\":\"Hit Count By Action\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"REDIRECT\",\"label\":\"Redirect\",\"color\":\"orange\"},{\"seriesName\":\"NXDOMAIN\",\"label\":\"Block\",\"color\":\"redBright\"},{\"seriesName\":\"PASSTHRU\",\"label\":\"Log\",\"color\":\"green\"},{\"seriesName\":\"\",\"label\":\"Unknown\",\"color\":\"turquoise\"}]}},\"customWidth\":\"30\",\"name\":\"Hit Count By Action\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SimplifiedDeviceAction\",\"size\":0,\"title\":\"Action 
Trend\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"REDIRECT\",\"label\":\"Redirect\",\"color\":\"orange\"},{\"seriesName\":\"NXDOMAIN\",\"label\":\"Block\",\"color\":\"redBright\"},{\"seriesName\":\"PASSTHRU\",\"label\":\"Log\",\"color\":\"green\"},{\"seriesName\":\"\",\"label\":\"Unknown\",\"color\":\"turquoise\"}]}},\"customWidth\":\"70\",\"name\":\"Action Trend\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## Events\"},\"name\":\"text - 8 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| where ThreatClass in ({ThreatClassParam}) or '{ThreatClassParam:label}' == \\\"All\\\"\\r\\n| where InfobloxB1FeedName in~ ({FeedParam}) or InfobloxRPZ in~ ({FeedParam}) or'{FeedParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| where SimplifiedDeviceAction in ({ActionParam}) or InfobloxB1PolicyAction has_cs \\\"{ActionParam:label}\\\" or '{ActionParam:label}' == \\\"All\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| project TimeGenerated, DeviceEventClassID, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, 
AdditionalExtensionsParsedNested\\r\\n\",\"size\":2,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel_Score\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"is 
Empty\",\"representation\":\"gray\",\"text\":\"N/A\"},{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"30\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"\"}],\"compositeBarSettings\":{\"labelText\":\"[\\\"ThreatLevel\\\"]\",\"columnSettings\":[{\"columnName\":\"ThreatLevel\",\"color\":\"orange\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"blue\"}]}}},{\"columnMatch\":\"ThreatConfidence\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":100,\"palette\":\"purpleBlueGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":5000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"InfobloxB1FeedName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxB1FeedName\",\"sortOrder\":1}]},\"showPin\":false,\"name\":\"RPZ 
Events\"}]},\"conditionalVisibility\":{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Security Overview\"},\"name\":\"Overview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## BloxOne DNS Query/Response & DHCP Leases Overview\\r\\n---\\r\\n#### Top level insight into your BloxOne DNS Query/Response and DHCP Lease data.\\r\\n\\r\\n\"},\"name\":\"text - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"title\":\"Unique Devices\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"palette\":\"orangeBlue\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Unique Devices\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| where InfobloxB1ConnectionType == \\\"remote_client\\\"\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"title\":\"Unique B1 
Endpoints\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"pink\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Unique B1 Endpoints\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| summarize dcount(DestinationDnsDomain)\",\"size\":3,\"title\":\"Unique Queries (Domains)\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_DestinationDnsDomain\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Unique Queries (Domains)\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total 
Queries\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Queries\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| where InfobloxB1ConnectionType == \\\"remote_client\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total Queries via B1 Endpoints\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"orangeRed\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Queries via B1 Endpoints\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| where InfobloxB1ConnectionType == \\\"nios\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total Queries via 
NIOS\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Queries via NIOS\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| where InfobloxB1ConnectionType == \\\"dfp\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Total Queries via DFP\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"orange\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Queries via DFP\"}]},\"customWidth\":\"40\",\"name\":\"Totals\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by InfobloxDNSRCode\",\"size\":0,\"title\":\"DNS Queries over Time\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"60\",\"name\":\"DNS Queries over Time - 
Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID == \\\"DHCP-LEASE-CREATE\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"New DHCP Leases\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"orangeBlue\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"New DHCP Leases\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID == \\\"DHCP-LEASE-CREATE\\\"\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"title\":\"New DHCP Leases (Unique IPs)\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"pink\"}},\"showBorder\":false,\"size\":\"full\"}},\"customWidth\":\"33\",\"name\":\"New DHCP Leases (Unique IPs)\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID == \\\"DHCP-LEASE-UPDATE\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Updated DHCP Leases 
\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"greenDark\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID == \\\"DHCP-LEASE-UPDATE\\\"\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"title\":\"Updated DHCP Leases (Unique IPs)\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases (Unique IPs)\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Released DHCP 
Leases\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"title\":\"Released DHCP Leases (Unique IPs)\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases (Unique IPs)\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| summarize avg(toint(column_ifexists(\\\"InfobloxLifetime\\\", \\\"\\\")))\",\"size\":3,\"title\":\"Average Lease Lifespan 
(seconds)\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"avg_InfobloxLifetime\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"redBright\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Average Lease Lifespan (seconds)\"}]},\"customWidth\":\"40\",\"name\":\"Totals - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by InfobloxLeaseOp\",\"size\":0,\"title\":\"DHCP Leases over Time\",\"color\":\"magenta\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"60\",\"name\":\"DHCP Leases over Time\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## DNS Events\"},\"name\":\"text - 8 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| summarize count() by DestinationDnsDomain\\r\\n| order by count_ desc\",\"size\":2,\"title\":\"Top Requested 
Domains\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"InfobloxB1FeedName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\",\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"Feed\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Hits\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"30\",\"name\":\"Top Requested Domains\",\"styleSettings\":{\"margin\":\"0 10px 0 0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| summarize count() by InfobloxDNSRCode\",\"size\":3,\"title\":\"Response 
Codes\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"InfobloxB1FeedName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\",\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"Feed\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Hits\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"Response Codes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| summarize count() by InfobloxB1ConnectionType\",\"size\":3,\"title\":\"Queries by Connection 
Type\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"InfobloxB1FeedName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\",\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"Feed\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Hits\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"\",\"label\":\"unknown\",\"color\":\"orange\"}]}},\"name\":\"Queries by Connection Type\"}]},\"customWidth\":\"30\",\"name\":\"group - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| summarize count() by SourceIP\\r\\n| top 25 by count_ desc\",\"size\":2,\"title\":\"Top Source IPs by DNS Queries\",\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":0}},\"customWidth\":\"40\",\"name\":\"Top Source IPs by DNS Queries\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| 
sort by TimeGenerated desc\\r\\n| project TimeGenerated, Activity, DestinationDnsDomain, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, InfobloxDNSQClass, InfobloxDNSQType, InfobloxDNSRCode, Protocol, AdditionalExtensionsParsedNested\\r\\n\",\"size\":2,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel_Score\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"is 
Empty\",\"representation\":\"gray\",\"text\":\"N/A\"},{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"30\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"\"}],\"compositeBarSettings\":{\"labelText\":\"[\\\"ThreatLevel\\\"]\",\"columnSettings\":[{\"columnName\":\"ThreatLevel\",\"color\":\"orange\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"blue\"}]}}},{\"columnMatch\":\"ThreatConfidence\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":100,\"palette\":\"purpleBlueGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":5000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"InfobloxDNSQType\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"InfobloxDNSQType\",\"sortOrder\":2}]},\"showPin\":false,\"name\":\"DNS Events\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## DHCP 
Events\"},\"name\":\"text - 8 - Copy - Copy - Copy - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b71068b1-a89d-4605-8440-802f89726143\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DHCPTypeParam\",\"label\":\"DHCP Operation\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"jsonData\":\"[\\r\\n\\r\\n { \\\"value\\\":\\\"Create\\\"},\\r\\n { \\\"value\\\":\\\"Delete\\\"},\\r\\n { \\\"value\\\":\\\"Update\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 23\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| where InfobloxLeaseOp in ({DHCPTypeParam}) or '{DHCPTypeParam:label}' == \\\"All\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| project TimeGenerated, DeviceEventClassID, SourceIP, SourceHostName, SourceMACAddress, InfobloxLeaseOp, InfobloxLifetime, InfobloxLeaseUUID, 
AdditionalExtensionsParsedNested\\r\\n\",\"size\":2,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":43200000},\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel_Score\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"is 
Empty\",\"representation\":\"gray\",\"text\":\"N/A\"},{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"30\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"\"}],\"compositeBarSettings\":{\"labelText\":\"[\\\"ThreatLevel\\\"]\",\"columnSettings\":[{\"columnName\":\"ThreatLevel\",\"color\":\"orange\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"blue\"}]}}},{\"columnMatch\":\"ThreatConfidence\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":100,\"palette\":\"purpleBlueGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":5000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"DeviceEventClassID\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"DeviceEventClassID\",\"sortOrder\":2}]},\"showPin\":false,\"name\":\"DHCP 
Events\"}]},\"conditionalVisibility\":{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"DNS & DHCP Overview\"},\"name\":\"DNS Query/Response Overview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Filters \\r\\n---\\r\\n\\r\\nCategory filters are a set of content categorization rules that BloxOne Threat Defense Cloud uses to detect and filter specific internet content. Based on your configuration, specific actions such as Allow or Block will be taken on the detected content.\\r\\n\\r\\nApplication filters are a set of rules that BloxOne Threat Defense Cloud uses to detect and filter specific Internet content. The Application Classification Service (ACS) provides accessibility to applications based on their category or subcategory. Using application filters, you can set security policies based on whether you want to allow an app to access the Internet at all times, or if you want the app to use local resolution when used with BloxOne DDI appliances. 
\\r\\n\\r\\nSee more about filters on the official [Infoblox Documentation Portal](https://docs.infoblox.com/display/BloxOneThreatDefense/Filters).\"},\"name\":\"text - 2\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName has_cs \\\"CAT_\\\" or InfobloxRPZ has_cs \\\"CAT_\\\" or InfobloxB1FeedName has_cs \\\"APP_\\\" or InfobloxRPZ has_cs \\\"APP_\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"All Filter Hits\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":14400000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"orange\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"All Filter Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName has_cs \\\"CAT_\\\" or InfobloxRPZ has_cs \\\"CAT_\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Category Filter Hits\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":14400000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"yellowGreenBlue\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Category Filter 
Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName has_cs \\\"APP_\\\" or InfobloxRPZ has_cs \\\"APP_\\\"\\r\\n| summarize count()\",\"size\":3,\"title\":\"Application Filter Hits\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":14400000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"redPurple\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Application Filter Hits\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Top Category Filter Hits\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"be7263d9-229e-4875-a60a-76114659b718\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CatFilterSorter\",\"label\":\"Sort Tiles By\",\"type\":2,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"count_ desc\\\", \\\"label\\\":\\\"Hit Count\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\":\\\"DestinationDnsDomain asc, count_ desc\\\", \\\"label\\\":\\\"Domain Name\\\" },\\r\\n { \\\"value\\\":\\\"InfobloxDomainCat asc, count_ desc\\\", \\\"label\\\":\\\"Filter Type\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Top Category Filters RPZ Hits\",\"styleSettings\":{\"margin\":\"0px 0px 0px 10px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where 
InfobloxB1FeedName has_cs \\\"CAT_\\\" or InfobloxRPZ has_cs \\\"CAT_\\\"\\r\\n| summarize count() by DestinationDnsDomain, InfobloxDomainCat\\r\\n| sort by {CatFilterSorter}\\r\\n| take 50\\r\\n\",\"size\":3,\"timeContext\":{\"durationMs\":14400000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"subtitleContent\":{\"columnMatch\":\"InfobloxDomainCat\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false,\"rowLimit\":50,\"sortOrderField\":1},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"Tops\",\"styleSettings\":{\"margin\":\"-20px 0px 0px 0px\"}}]},\"name\":\"Top Category Filter Hits\",\"styleSettings\":{\"margin\":\"10px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Top Application Filter Hits\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"be7263d9-229e-4875-a60a-76114659b718\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AppFilterSorter\",\"label\":\"Sort Tiles By\",\"type\":2,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"count_ desc\\\", \\\"label\\\":\\\"Hit Count\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\":\\\"DestinationDnsDomain asc, count_ desc\\\", \\\"label\\\":\\\"Domain Name\\\" },\\r\\n { \\\"value\\\":\\\"InfobloxDomainCat asc, count_ desc\\\", \\\"label\\\":\\\"Filter Type\\\" 
}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Top Category Filters RPZ Hits\",\"styleSettings\":{\"margin\":\"0px 0px 0px 10px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName has_cs \\\"APP_\\\" or InfobloxRPZ has_cs \\\"APP_\\\"\\r\\n| summarize count() by DestinationDnsDomain, InfobloxDomainCat\\r\\n| sort by {AppFilterSorter}\\r\\n| take 50\\r\\n\",\"size\":3,\"timeContext\":{\"durationMs\":14400000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"subtitleContent\":{\"columnMatch\":\"InfobloxDomainCat\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false,\"rowLimit\":50,\"sortOrderField\":1},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"Tops\",\"styleSettings\":{\"margin\":\"-20px 0px 0px 0px\"}}]},\"name\":\"Top Application Filter Hits\",\"styleSettings\":{\"margin\":\"10px\"}}]},\"name\":\"Overview\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## By Filters\"},\"name\":\"text - 
4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9f55f1ff-f771-485f-82a9-52a9f42251cc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FilterTypeParam\",\"label\":\"Filter Type\",\"type\":2,\"isRequired\":true,\"value\":\"CAT_\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"CAT_\\\", \\\"label\\\":\\\"Category Filters\\\" },\\r\\n { \\\"value\\\":\\\"APP_\\\", \\\"label\\\":\\\"Application Filters\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":172800000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6 - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName has_cs '{FilterTypeParam}' or InfobloxRPZ has_cs '{FilterTypeParam}'\\r\\n| summarize count() by InfobloxDomainCat\\r\\n| top 15 by count_ \\r\\n| project InfobloxDomainCat);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName has_cs '{FilterTypeParam}' or InfobloxRPZ has_cs '{FilterTypeParam}'\\r\\n| where InfobloxDomainCat in ((Top))\\r\\n| project TimeGenerated, InfobloxDomainCat\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by InfobloxDomainCat\",\"size\":2,\"title\":\"Top Filters by 
Time\",\"color\":\"red\",\"timeContext\":{\"durationMs\":14400000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"name\":\"Top Filters by Time\"},{\"type\":1,\"content\":{\"json\":\"#### Click on a Filter in the chart below to further drilldown the filter.\\r\\n---\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName has_cs '{FilterTypeParam}' or InfobloxRPZ has_cs '{FilterTypeParam}'\\r\\n| summarize count() by InfobloxDomainCat\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"Hit Count by Filter \",\"timeContext\":{\"durationMs\":14400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"InfobloxDomainCat\",\"exportParameterName\":\"filter\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\",\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"CategoryFilter\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60%\"}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Hits\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"30\",\"name\":\"Hit Count by Filter \",\"styleSettings\":{\"margin\":\"0 10px 0 
0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName has_cs '{FilterTypeParam}' or InfobloxRPZ has_cs '{FilterTypeParam}'\\r\\n| where '{filter}' == InfobloxDomainCat\\r\\n| sort by TimeGenerated desc, SourceIP desc\\r\\n| project TimeGenerated, DestinationDnsDomain, InfobloxDomainCat, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for {filter}\",\"timeContext\":{\"durationMs\":14400000},\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"N/A\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"InfobloxB1SrcOSVersion\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"InfobloxB1SrcOSVersion\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"filter\",\"comparison\":\"isNotEqualTo\"},\"showPin\":false,\"name\":\"Events for 
{filter}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName has_cs '{FilterTypeParam}' or InfobloxRPZ has_cs '{FilterTypeParam}'\\r\\n| where '{filter}' == InfobloxDomainCat \\r\\n| summarize count() by SourceIP\\r\\n| top 10 by count_ desc\\r\\n\",\"size\":2,\"title\":\"Top IPs for {filter}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"LogSeverity\",\"label\":\"Threat Level\"}]}},\"customWidth\":\"25\",\"conditionalVisibility\":{\"parameterName\":\"filter\",\"comparison\":\"isNotEqualTo\"},\"showPin\":false,\"name\":\"Top IPs for {filter}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = 
materialize(InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName has_cs '{FilterTypeParam}' or InfobloxRPZ has_cs '{FilterTypeParam}'\\r\\n| where '{filter}' == InfobloxDomainCat \\r\\n| summarize count() by DestinationDnsDomain\\r\\n| top 10 by count_ \\r\\n| project DestinationDnsDomain);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName has_cs '{FilterTypeParam}' or InfobloxRPZ has_cs '{FilterTypeParam}'\\r\\n| where '{filter}' == InfobloxDomainCat \\r\\n| where DestinationDnsDomain in ((Top))\\r\\n| project TimeGenerated, DestinationDnsDomain\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DestinationDnsDomain\\r\\n\",\"size\":2,\"title\":\"Top Queries for {filter} by Time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\"
:\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"LogSeverity\",\"label\":\"Threat Level\"}]},\"chartSettings\":{\"createOtherGroup\":0,\"showLegend\":true}},\"customWidth\":\"74\",\"conditionalVisibility\":{\"parameterName\":\"filter\",\"comparison\":\"isNotEqualTo\"},\"showPin\":false,\"name\":\"Top Queries for {filter} by Time\",\"styleSettings\":{\"margin\":\"0 0 0 1%\"}}]},\"name\":\"Category Filter By Type\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## By Source IP\"},\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName has_cs '{FilterTypeParam}' or InfobloxRPZ has_cs '{FilterTypeParam}'\\r\\n| summarize count() by SourceIP\\r\\n| top 15 by count_ \\r\\n| project SourceIP);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName has_cs '{FilterTypeParam}' or InfobloxRPZ has_cs '{FilterTypeParam}'\\r\\n| where SourceIP in ((Top))\\r\\n| project TimeGenerated, SourceIP\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceIP\",\"size\":2,\"title\":\"Top Source IPs by Time\",\"color\":\"red\",\"timeContext\":{\"durationMs\":14400000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":0,\"showLegend\":true}},\"name\":\"Top 
Source IPs by Time\"},{\"type\":1,\"content\":{\"json\":\"#### Click on a Source IP in the chart below to further drilldown the IP.\\r\\n\\r\\n---\",\"style\":\"info\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName has_cs '{FilterTypeParam}' or InfobloxRPZ has_cs '{FilterTypeParam}'\\r\\n| summarize count() by SourceIP\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"Hit Count by Source IP\",\"timeContext\":{\"durationMs\":14400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"ip_cat\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SourceIP\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\",\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"CategoryFilter\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Hits\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"30\",\"name\":\"Hit Count by Source IP\",\"styleSettings\":{\"margin\":\"0 10px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName 
has_cs '{FilterTypeParam}' or InfobloxRPZ has_cs '{FilterTypeParam}'\\r\\n| where '{ip_cat}' == SourceIP\\r\\n| sort by TimeGenerated desc, InfobloxDomainCat desc\\r\\n| project TimeGenerated, DestinationDnsDomain, InfobloxDomainCat, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested\\r\\n\\r\\n\",\"size\":2,\"showAnalytics\":true,\"title\":\"Events for {ip_cat}\",\"timeContext\":{\"durationMs\":14400000},\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"N/A\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ip_cat\",\"comparison\":\"isNotEqualTo\"},\"showPin\":false,\"name\":\"Events for {ip_cat}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName has_cs '{FilterTypeParam}' or InfobloxRPZ has_cs '{FilterTypeParam}'\\r\\n| where '{ip_cat}' == SourceIP \\r\\n| summarize count() by DestinationDnsDomain\",\"size\":2,\"title\":\"Top Queries for 
{ip_cat}\",\"timeContext\":{\"durationMs\":14400000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"LogSeverity\",\"label\":\"Threat Level\"}]},\"chartSettings\":{\"createOtherGroup\":10}},\"customWidth\":\"25\",\"conditionalVisibility\":{\"parameterName\":\"ip_cat\",\"comparison\":\"isNotEqualTo\"},\"showPin\":false,\"name\":\"Top Queries for {ip_cat}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:start};\\r\\nlet endtime = {TimeRange:end};\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName has_cs '{FilterTypeParam}' or InfobloxRPZ has_cs '{FilterTypeParam}'\\r\\n| where '{ip_cat}' == SourceIP \\r\\n| summarize count() by InfobloxDomainCat\\r\\n| top 10 by count_ \\r\\n| project InfobloxDomainCat);\\r\\n// Filtering datasource to Tops and 
Plot Time chart\\r\\nInfobloxCDC\\r\\n| where TimeGenerated {TimeRange} \\r\\n| where DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| where InfobloxB1FeedName has_cs '{FilterTypeParam}' or InfobloxRPZ has_cs '{FilterTypeParam}'\\r\\n| where '{ip_cat}' == SourceIP \\r\\n| where InfobloxDomainCat in ((Top))\\r\\n| project TimeGenerated, InfobloxDomainCat\\r\\n| make-series Total= count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by InfobloxDomainCat\",\"size\":2,\"title\":\"Top Filters for {ip_cat} by Time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"N/A\"},{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"blue\",\"text\":\"Low/Info\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"Medium\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"High\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"LogSeverity\",\"color\":\"blue\"},{\"columnName\":\"DestinationDnsDomain\",\"color\":\"purple\"}]}}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"LogSeverity\",\"label\":\"Threat Level\"}]},\"chartSettings\":{\"createOtherGroup\":0,\"showLegend\":true}},\"customWidth\":\"75\",\"conditionalVisibility\":{\"parameterName\":\"ip_cat\",\"comparison\":\"isNotEqualTo\"},\"showPin\":false,\"name\":\"Top Filters for {ip_cat} by 
Time\"}]},\"name\":\"Category Filter by IP\"}]},\"conditionalVisibility\":{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Filters\"},\"name\":\"Category Filters\"}],\"styleSettings\":{\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-InfobloxCDCB1TDWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('_workbook-source')]", "category": "sentinel" 
@@ -107,14 +119,14 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic1-id'))]", - "apiVersion": "2020-01-01", + "apiVersion": "2021-03-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This creates an incident in the event a host generates a high number of high threat level queries.", - "displayName": "High Number of High Threat Level Detected", + "description": "This creates an incident in the event a single host generates at least 200 high threat level RPZ queries (Threat Defense security hits) in 1 hour. Query count threshold and scheduling is customizable. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).", + "displayName": "Infoblox - High Number of High Threat Level Queries Detected", "enabled": false, - "query": "\nlet threshold = 200;\nCommonSecurityLog\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\"\n| where DeviceEventClassID has \"RPZ\"\n| extend ThreatLevel_Score = toint(extract(\"InfobloxThreatLevel=(.*)\", 1, AdditionalExtensions))\n| where ThreatLevel_Score >=80\n| summarize count() by SourceIP, bin(TimeGenerated,15m)\n| where count_ > threshold\n| join kind=inner (CommonSecurityLog\n | where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\"\n | where DeviceEventClassID has \"RPZ\"\n | extend ThreatLevel_Score = toint(extract(\"InfobloxThreatLevel=(.*)\", 1, AdditionalExtensions))\n | where ThreatLevel_Score >=80\n ) on SourceIP\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP\n", + "query": "\nlet threshold = 200;\nInfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\"\n| where ThreatLevel_Score >=80\n| summarize count() by SourceIP\n| where count_ > threshold\n| join kind=inner (InfobloxCDC\n 
| where DeviceEventClassID has_cs \"RPZ\"\n | where ThreatLevel_Score >=80\n ) on SourceIP\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", 
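Review bot: The new query's `| where count_ > threshold` only fires at 201 events, while the rewritten description promises "at least 200"; either change it to `| where count_ >= threshold` or word the description as "more than 200". The same mismatch is in the NXDOMAIN rule (hunk `@@ -124,20 +136,40 @@`) and is most consequential in the new "Not Blocked" rule (hunk `@@ -147,6 +179,69 @@`), where `let threshold = 1` together with `count_ > threshold` needs two unblocked high-threat hits in the hour before an incident is raised, although its description says at least one. The inner join back to `InfobloxCDC` also returns every matching raw event per source IP, so one triggering host yields hundreds of result rows; if a single row per host is the intent, a final `| summarize arg_max(TimeGenerated, *) by SourceIP` would bound that. The rule's properties object continues past the end of the hunk.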
@@ -124,20 +136,40 @@ "triggerThreshold": 0, "tactics": [ "Impact" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "columnName": "HostCustomEntity", + "identifier": "HostName" + } + ], + "entityType": "Host" + } ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic2-id'))]", - "apiVersion": "2020-01-01", + "apiVersion": "2021-03-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This creates an incident in the event a host generates a high number of DNS queries for non-existent domains.", - "displayName": "High Number of NXDOMAIN DNS Queries Detected", + "description": "This creates an incident in the event a single host generates at least 200 DNS responses for non-existent domains in 1 hour. Query count threshold and scheduling is customizable. 
This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).", + "displayName": "Infoblox - High Number of NXDOMAIN DNS Responses Detected", "enabled": false, - "query": "\nlet threshold = 200;\nCommonSecurityLog\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\"\n| where DeviceEventClassID has \"RPZ\"\n| where SimplifiedDeviceAction == \"NXDOMAIN\"\n| summarize count() by SourceIP, bin(TimeGenerated,15m)\n| where count_ > threshold\n| join kind=inner (CommonSecurityLog\n | where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\"\n | where DeviceEventClassID has \"RPZ\"\n | where SimplifiedDeviceAction == \"NXDOMAIN\"\n ) on SourceIP\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP\n", + "query": "\nlet threshold = 200;\nInfobloxCDC\n| where DeviceEventClassID == \"DNS Response\"\n| where InfobloxDNSRCode == \"NXDOMAIN\"\n| summarize count() by SourceIP\n| where count_ > threshold\n| join kind=inner (InfobloxCDC\n | where DeviceEventClassID == \"DNS Response\"\n | where InfobloxDNSRCode == \"NXDOMAIN\"\n ) on SourceIP\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", 
@@ -147,6 +179,69 @@ "triggerThreshold": 0, "tactics": [ "Impact" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "columnName": "HostCustomEntity", + "identifier": "HostName" + } + ], + "entityType": "Host" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic3-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This creates an incident in the event a single host generates at least 1 high threat level query (Threat Defense security hit) that is not blocked or redirected in 1 hour. Query count threshold and scheduling is customizable. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).", + "displayName": "Infoblox - High Threat Level Query Not Blocked Detected", + "enabled": false, + "query": "\nlet threshold = 1;\nInfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\"\n| where ThreatLevel_Score >=80\n| where InfobloxB1PolicyAction == \"Log\" or SimplifiedDeviceAction == \"PASSTHRU\"\n| summarize count() by SourceIP\n| where count_ > threshold\n| join kind=inner (InfobloxCDC\n | where DeviceEventClassID has_cs \"RPZ\"\n | where ThreatLevel_Score >=80\n | where InfobloxB1PolicyAction == \"Log\" or SimplifiedDeviceAction == \"PASSTHRU\"\n ) on SourceIP\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Impact" + ], + 
"entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "columnName": "HostCustomEntity", + "identifier": "HostName" + } + ], + "entityType": "Host" + } ] } }, @@ -161,7 +256,7 @@ "connectorUiConfig": { "title": "Infoblox Cloud Data Connector", "publisher": "Infoblox", - "descriptionMarkdown": "The Infoblox Cloud Data Connector allows you to easily connect your Infoblox BloxOne data with Azure Sentinel. By connecting your logs to Azure Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.", + "descriptionMarkdown": "The Infoblox Cloud Data Connector allows you to easily connect your Infoblox BloxOne data with Azure Sentinel. By connecting your logs to Azure Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.", "graphQueries": [ { "metricName": "Total data received", 
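Review bot: `HostCustomEntity = DeviceName` in the new "Not Blocked" rule is mapped to a Host entity, but the parser added later in this patch derives `DeviceName` with `column_ifexists("DeviceName", "")`, so events that carry no such extension will map an empty string as the HostName; if Sentinel does not drop empty entity values in this API version (I cannot confirm that from the template), a guard such as `HostCustomEntity = iff(isnotempty(DeviceName), DeviceName, "")` on the extend line or a trailing `| where isnotempty(HostCustomEntity)` in the join would be safer, and the same applies to the two rules above it. Separately, this rule detects a high-threat-level query that was allowed through rather than a volume anomaly, which reads as a policy gap; `"severity": "Medium"` may be worth revisiting against the other two rules that also use Medium. The rule's `properties` object closes inside this hunk, so the change is self-contained.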
@@ -171,37 +266,45 @@ ], "sampleQueries": [ { - "description": "Return all BloxOne Threat Defense (TD) logs", - "query": "CommonSecurityLog\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\"\n | where DeviceEventClassID has_cs \"RPZ\"" + "description": "Return all BloxOne Threat Defense (TD) security events logs", + "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\"" }, { - "description": "Return all BloxOne DDI logs", - "query": "CommonSecurityLog\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\"\n | where DeviceEventClassID has_cs \"DNS Response\"" + "description": "Return all BloxOne Query/Response logs", + "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"DNS\"" }, { - "description": "Return all Category Filters security events", - "query": "CommonSecurityLog\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\"\n | where DeviceEventClassID has_cs \"RPZ\"\n | where AdditionalExtensions contains \"InfobloxRPZ=CAT_\"" + "description": "Return all Category Filters security events logs", + "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\"\n | where AdditionalExtensions has_cs \"InfobloxRPZ=CAT_\"" + }, + { + "description": "Return all Application Filters security events logs", + "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\"\n | where AdditionalExtensions has_cs \"InfobloxRPZ=APP_\"" }, { "description": "Return Top 10 TD Domains Hit Count", - "query": "CommonSecurityLog\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\"\n | where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by DestinationDnsDomain \n| top 10 by count_ desc" + "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by DestinationDnsDomain \n| top 10 by count_ desc" }, { "description": "Return Top 10 TD Source IPs Hit Count", - "query": "CommonSecurityLog\n| where DeviceVendor == \"Infoblox\" and 
DeviceProduct == \"Data Connector\"\n | where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by SourceIP \n| top 10 by count_ desc" + "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by SourceIP \n| top 10 by count_ desc" + }, + { + "description": "Return Recently Created DHCP Leases", + "query": "InfobloxCDC\n| where DeviceEventClassID == \"DHCP-LEASE-CREATE\"" } ], "dataTypes": [ { "name": "CommonSecurityLog (InfobloxCDC)", - "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\"\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + "lastDataReceivedQuery": "InfobloxCDC\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" } ], "connectivityCriterias": [ { "type": "IsConnectedQuery", "value": [ - "CommonSecurityLog\n| where DeviceVendor == \"Infoblox\"\n| where DeviceProduct == \"Data Connector\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" + "InfobloxCDC\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" ] } ], 
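Review bot: The new `lastDataReceivedQuery` and `IsConnectedQuery` values call the `InfobloxCDC` function instead of filtering `CommonSecurityLog` directly, so the connector's health check now depends on the parser being deployed and runs the full `extract_all`/`mv-apply`/`bag_unpack` pipeline over three days of data only to compute `max(TimeGenerated)`. If the function is absent in a workspace, the check fails with a query error rather than reporting "not connected", which is harder to act on. Keeping the raw-table filter here is cheaper and independent of the parser: `"CommonSecurityLog\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)"`. The tightening from `ago(30d)` to `ago(3d)` itself matches the commit title and looks intended.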
@@ -234,6 +337,12 @@ ] }, "instructionSteps": [ + { + "description": ">**IMPORTANT:** This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser) which is deployed with the Azure Sentinel Solution." + }, + { + "description": ">**IMPORTANT:** This Sentinel data connector assumes an Infoblox Data Connector host has already been created and configured in the Infoblox Cloud Services Portal (CSP). As the [**Infoblox Data Connector**](https://docs.infoblox.com/display/BloxOneThreatDefense/Deploying+the+Data+Connector+Solution) is a feature of BloxOne Threat Defense, access to an appropriate BloxOne Threat Defense subscription is required. See this [**quick-start guide**](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-data-connector.pdf) for more information and licensing requirements." + }, { "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", "innerSteps": [ 
@@ -262,7 +371,7 @@ "title": "1. Linux Syslog agent configuration" }, { - "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Azure Sentinel via the Linux Syslog agent. This Sentinel data connector assumes an Infoblox Cloud Data Connector on-prem host has already been created and configured in the Infoblox Cloud Services Portal (CSP). \n\n1. Log into the Infoblox Cloud Services Portal (CSP).\n2. Navigate to **Manage > Data Connector**.\n3. Click the **Destination Configuration** tab at the top.\n4. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Azure-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Leave the protocol at **TCP**.\n - Click **Save & Close**.\n5. Click the **Traffic Flow Configuration** tab at the top.\n6. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Azure-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **CDC Enabled Host** section. \n - **On-Prem Host**: Select your desired on-prem host for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. \n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n7. Allow the configuration some time to activate.", + "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Azure Sentinel via the Linux Syslog agent.\n2. 
Navigate to **Manage > Data Connector**.\n3. Click the **Destination Configuration** tab at the top.\n4. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Azure-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n5. Click the **Traffic Flow Configuration** tab at the top.\n6. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Azure-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **CDC Enabled Host** section. \n - **On-Prem Host**: Select your desired on-prem host for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n7. Allow the configuration some time to activate.", "title": "2. Configure Infoblox BloxOne to send Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent" }, { 
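Review bot: The rewritten description loses the first numbered step: the text now runs straight from "via the Linux Syslog agent." into `\n2. Navigate to **Manage > Data Connector**.`, so the list starts at 2. Restore `\n\n1. Log into the Infoblox Cloud Services Portal (CSP).` before step 2 (the removed line had it; the on-prem host assumption it also carried now lives in the new IMPORTANT step, so only the login step needs to come back). Since the Protocol bullet now reads "Select desired protocol and CA certificate if applicable", it would help operators to state which protocol the Linux agent step on the receiving side is configured for, so the two steps agree.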
@@ -285,15 +394,40 @@
 "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
 "title": "4. Secure your machine "
 }
- ]
+ ],
+ "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser) which is deployed with the Azure Sentinel Solution."
 }
 }
 },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2020-08-01",
+ "name": "[parameters('workspace')]",
+ "location": "[parameters('workspace-location')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "Infoblox Cloud Data Connector Data Parser",
+ "dependsOn": [
+ "[variables('workspace-dependency')]"
+ ],
+ "properties": {
+ "eTag": "*",
+ "displayName": "Infoblox Cloud Data Connector Data Parser",
+ "category": "Samples",
+ "functionAlias": "InfobloxCDC",
+ "query": "\nCommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\"\r\n| extend AEcopy = AdditionalExtensions\r\n| extend AEcopy = extract_all(@\"(?P[^=;]+)=(?P[^=;]+)\", dynamic([\"key\",\"value\"]), AEcopy)\r\n| mv-apply AEcopy on (\r\n summarize AdditionalExtensionsParsedNested = make_bag(pack(tostring(AEcopy[0]), AEcopy[1]))\r\n)\r\n| extend AdditionalExtensionsParsed = AdditionalExtensionsParsedNested\r\n| evaluate bag_unpack(AdditionalExtensionsParsed)\r\n| extend ThreatLevel_Score = toint(column_ifexists(\"InfobloxThreatLevel\", \"\"))\r\n| extend ThreatLevel = case(ThreatLevel_Score>=80, \"High\",\r\n ThreatLevel_Score>=30 and ThreatLevel_Score<80, \"Medium\",\r\n ThreatLevel_Score<30 and ThreatLevel_Score>=1, \"Low\",\r\n ThreatLevel_Score == 0,\"Info\",\r\n \"N/A\" )\r\n| extend ThreatClass = extract(\"(.*?)_\", 1, tostring(column_ifexists(\"InfobloxThreatProperty\", \"\")))\r\n| extend ThreatProperty = 
extract(\"([^_]*$)\", 1, tostring(column_ifexists(\"InfobloxThreatProperty\", \"\")))\r\n| extend InfobloxB1FeedName = column_ifexists(\"InfobloxB1FeedName\", \"\")\r\n| extend InfobloxRPZ = column_ifexists(\"InfobloxRPZ\", \"\")\r\n| extend InfobloxB1PolicyAction = column_ifexists(\"InfobloxB1PolicyAction\", \"\")\r\n| extend InfobloxB1PolicyName = column_ifexists(\"InfobloxB1PolicyName\", \"\")\r\n| extend InfobloxDomainCat = column_ifexists(\"InfobloxDomainCat\", \"\")\r\n| extend InfobloxB1ConnectionType = column_ifexists(\"InfobloxB1ConnectionType\", \"\")\r\n| extend InfobloxB1SrcOSVersion = column_ifexists(\"InfobloxB1SrcOSVersion\", \"\")\r\n| extend InfobloxB1Network = column_ifexists(\"InfobloxB1Network\", \"\")\r\n| extend DeviceName = column_ifexists(\"DeviceName\", \"\")\r\n| extend SourceMACAddress = column_ifexists(\"SourceMACAddress\", \"\")\r\n| extend InfobloxLeaseOp = column_ifexists(\"InfobloxLeaseOp\", \"\")\r\n| extend InfobloxLifetime = column_ifexists(\"InfobloxLifetime\", \"\")\r\n| extend InfobloxLeaseUUID = column_ifexists(\"InfobloxLeaseUUID\", \"\")\r\n| extend InfobloxDNSRCode = column_ifexists(\"InfobloxDNSRCode\", \"\")\r\n| extend InfobloxDNSQClass = column_ifexists(\"InfobloxDNSQClass\", \"\")\r\n| extend InfobloxDNSQType = column_ifexists(\"InfobloxDNSQType\", \"\")\r\n",
+ "version": 1
+ }
+ }
+ ]
+ },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2021-03-01-preview",
 "properties": {
- "version": "1.1.0",
+ "version": "2.0.1",
 "kind": "Solution",
 "contentId": "[variables('_sourceId')]",
 "parentId": "[variables('_sourceId')]",
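Review bot: In the `query` of the `InfobloxCDC` saved search the named capture groups read `(?P[^=;]+)=(?P[^=;]+)` with no group names; if the template really contains that text the `extract_all` pattern is not a valid regex and every field derived below it comes back empty, so confirm the committed file has `(?P<key>[^=;]+)=(?P<value>[^=;]+)` and only the rendering dropped the angle brackets. Independently, the `[^=;]+` value class truncates any extension value that itself contains `=` or `;`, and `evaluate bag_unpack` promotes every key present in `AdditionalExtensions` to a column, so the `column_ifexists` guards are what keeps the function stable when a log line carries unexpected or missing keys. A short comment in the parser source stating both limitations would help whoever maintains the analytics rules that key on `ThreatLevel` and `ThreatClass`.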
@@ -317,22 +451,32 @@
 {
 "kind": "Workbook",
 "contentId": "[variables('_InfobloxCDCB1TDWorkbook_workbook')]",
- "version": "1.1.0"
+ "version": "2.0.1"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('_HighNumberOfHighThreatLevelDetected_AnalyticalRules')]",
- "version": "1.1.0"
+ "contentId": "[variables('_Infoblox-HighNumberOfHighThreatLevelQueriesDetected_AnalyticalRules')]",
+ "version": "2.0.1"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('_HighNumberofNXDOMAINDNSQueriesDetected_AnalyticalRules')]",
- "version": "1.1.0"
+ "contentId": "[variables('_Infoblox-HighNumberOfNXDOMAINDNSResponsesDetected_AnalyticalRules')]",
+ "version": "2.0.1"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('_Infoblox-HighThreatLevelQueryNotBlockedDetected_AnalyticalRules')]",
+ "version": "2.0.1"
 },
 {
 "kind": "DataConnector",
 "contentId": "[variables('_InfobloxCloudDataConnectorConnector')]",
- "version": "1.1.0"
+ "version": "2.0.1"
+ },
+ {
+ "kind": "Parser",
+ "contentId": "[variables('_InfobloxCDC_Parser')]",
+ "version": "2.0.1"
 }
 ]
 },
diff --git a/Tools/Create-Azure-Sentinel-Solution/input/Solution_Infoblox.json b/Tools/Create-Azure-Sentinel-Solution/input/Solution_Infoblox.json
new file mode 100644
index 0000000000..ea20628f41
--- /dev/null
+++ b/Tools/Create-Azure-Sentinel-Solution/input/Solution_Infoblox.json
@@ -0,0 +1,23 @@
+{
+ "Name": "Infoblox Cloud Data Connector",
+ "Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
+ "Logo": "",
+ "Description": "The [Infoblox](https://www.infoblox.com/) cloud managed Data Connector (DC) is a utility designed to collect DNS query and response data and security logs and transfer the data to defined destinations such as the BloxOne Threat Defense Cloud, Infoblox NIOS reporting server, and syslog servers such as a SIEM (Security Information and Event Manager).",
+ "WorkbookDescription": "Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. This workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud Data Connector. Drilldown your data and visualize events, trends, and anomalous changes over time.",
+ "Workbooks": ["Workbooks/InfobloxCDCB1TDWorkbook.json"],
+ "Analytic Rules": [
+ "Analytic Rules/Infoblox-HighNumberOfHighThreatLevelQueriesDetected.yaml",
+ "Analytic Rules/Infoblox-HighNumberOfNXDOMAINDNSResponsesDetected.yaml",
+ "Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml"
+ ],
+ "Data Connectors": [
+ "Data Connectors/InfobloxCloudDataConnector.json"
+ ],
+ "Parsers": [
+ "Parsers/InfobloxCDC.txt"
+ ],
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "C:\\GitHub\\azure\\Solutions\\Infoblox Cloud Data Connector",
+ "Version": "2.0.1"
+ }
+
diff --git a/Tools/Create-Azure-Sentinel-Solution/input/Solution_IoTOTThreatMonitoringwithDefenderforIoT.json b/Tools/Create-Azure-Sentinel-Solution/input/Solution_IoTOTThreatMonitoringwithDefenderforIoT.json
deleted file mode 100644
index 0d81d7250f..0000000000
--- a/Tools/Create-Azure-Sentinel-Solution/input/Solution_IoTOTThreatMonitoringwithDefenderforIoT.json
+++ /dev/null
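Review bot: `BasePath` in the new tool-input file is a machine-specific absolute path, `"C:\\GitHub\\azure\\Solutions\\Infoblox Cloud Data Connector"`, so the packaging tool only resolves the listed workbook, rule, connector and parser files from that one checkout; other inputs in the same directory (the deleted IoT and ZeroTrust files in this patch) use the portable `https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/...` form, and this file should too. If this input is meant to be a copy of the solution's own `Data/Solution_Infoblox.json`, the two will drift on the next version bump unless one is generated from the other or the duplicate is dropped.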
@@ -1,33 +0,0 @@
-{
- "Name": "IoTOTThreatMonitoringwithDefenderforIoT",
- "Author": "Eli Forbes - v-eliforbes@microsoft.com",
- "Logo": "",
- "Description": "There has been a long-standing split between ICS/SCADA (OT) and Corporate (IT) cybersecurity. This split was often driven by significant differences in technology/tooling. Microsoft Defender for IoT's integration with Azure Sentinel drives convergency by providing a single pane for coverage of both D4IOT (OT) and Azure Sentinel (IT) alerting. This solution includes Workbooks, Analytics rules, and Playbooks providing a guide OT detection, Analysis, and Response.",
- "Workbooks": [
- "Workbooks/IoTOTThreatMonitoringwithDefenderforIoT.json"
- ],
- "Analytic Rules": [
- "Analytic Rules/IoTDenialofService.yaml",
- "Analytic Rules/IoTExcessiveLoginAttempts.yaml",
- "Analytic Rules/IoTFirmwareUpdates.yaml",
- "Analytic Rules/IoTHighBandwidth.yaml",
- "Analytic Rules/IoTIllegalFunctionCodes.yaml",
- "Analytic Rules/IoTInsecurePLC.yaml",
- "Analytic Rules/IoTInternetAccess.yaml",
- "Analytic Rules/IoTMalware.yaml",
- "Analytic Rules/IoTNetworkScanning.yaml",
- "Analytic Rules/IoTPLCStopCommand.yaml",
- "Analytic Rules/IoTUnauthorizedDevice.yaml",
- "Analytic Rules/IoTUnauthorizedNetworkConfiguration.yaml",
- "Analytic Rules/IoTUnauthorizedPLCModifications.yaml",
- "Analytic Rules/IoTUnauthorizedRemoteAccess.yaml"
- ],
- "Playbooks": [
- "Playbooks/AutoCloseIncidents.json",
- "Playbooks/MailBySensor.json",
- "Playbooks/NewAssetServiceNowTicket.json"
- ],
- "Metadata": "SolutionMetadata.json",
- "BasePath": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT",
- "Version": "1.0.11"
-}
\ No newline at end of file
diff --git a/Tools/Create-Azure-Sentinel-Solution/input/Solution_MaturityModelForEventLogManagementM2131.json b/Tools/Create-Azure-Sentinel-Solution/input/Solution_MaturityModelForEventLogManagementM2131.json
deleted file mode 100644
index ce066c61ea..0000000000
--- a/Tools/Create-Azure-Sentinel-Solution/input/Solution_MaturityModelForEventLogManagementM2131.json
+++ /dev/null
@@ -1,34 +0,0 @@
-
-{
- "Name": "MaturityModelForEventLogManagementM2131",
- "Author": "TJ Banasik - thomas.banasik@microsoft.com",
- "Logo": "",
- "Description": "This solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident. The solution includes (1) workbook, (4) hunting queries, (8) analytics rules, and (3) playbooks providing a comprehensive approach to design, build, monitoring, and response in logging architectures. Information from logs on information systems1 (for both on-premises systems and connections hosted by third parties, such as cloud services providers (CSPs) is invaluable in the detection, investigation, and remediation of cyber threats. Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency. 
In addition, this memorandum establishes requirements for agencies3 to increase the sharing of such information, as needed and appropriate, to accelerate incident response efforts and to enable more effective defense of Federal information and executive branch departments and agencies.For more information, see (💡Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents (M-21-31))[https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf].",
- "Workbooks": [
- "Workbooks/MaturityModelForEventLogManagement_M2131.json"
- ],
- "Playbooks": [
- "Playbooks/Notify_LogManagementTeam.json",
- "Playbooks/Open_DevOpsTaskRecommendation.json",
- "Playbooks/Open_JIRATicketRecommendation.json"
- ],
- "Analytic Rules": [
- "Analytic Rules/M2131AssetStoppedLogging.yaml",
- "Analytic Rules/M2131DataConnectorAddedChangedRemoved.yaml",
- "Analytic Rules/M2131EventLogManagementPostureChangedEL0.yaml",
- "Analytic Rules/M2131EventLogManagementPostureChangedEL1.yaml",
- "Analytic Rules/M2131EventLogManagementPostureChangedEL2.yaml",
- "Analytic Rules/M2131EventLogManagementPostureChangedEL3.yaml",
- "Analytic Rules/M2131LogRetentionLessThan1Year.yaml",
- "Analytic Rules/M2131RecommendedDatatableUnhealthy.yaml"
- ],
- "Hunting Queries": [
- "Hunting Queries/M2131RecommendedDatatableNotLoggedEL0.yaml",
- "Hunting Queries/M2131RecommendedDatatableNotLoggedEL1.yaml",
- "Hunting Queries/M2131RecommendedDatatableNotLoggedEL2.yaml",
- "Hunting Queries/M2131RecommendedDatatableNotLoggedEL3.yaml"
- ],
- "Metadata": "SolutionMetadata.json",
- "BasePath": "C:\\GitHub\\azure\\Solutions\\MaturityModelForEventLogManagementM2131",
- "Version": "1.0.3"
-}
\ No newline at end of file
diff --git a/Tools/Create-Azure-Sentinel-Solution/input/Solution_ThreatAnalysis&Response.json b/Tools/Create-Azure-Sentinel-Solution/input/Solution_ThreatAnalysis&Response.json
deleted file mode 100644
index 21481e9cca..0000000000
--- a/Tools/Create-Azure-Sentinel-Solution/input/Solution_ThreatAnalysis&Response.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "Name": "ThreatAnalysis&Response",
- "Author": "Sanmit Biraj - v-sabiraj@microsoft.com",
- "Logo": "",
- "Description": "MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. The MITRE ATT&CK Cloud Matrix provides tactics and techniques representing the MITRE ATT&CK® Matrix for Enterprise covering cloud-based techniques. The Matrix contains information for the following platforms: Azure AD, Office 365, SaaS, IaaS. For more information, see the 💡 [MITRE ATT&CK: Cloud Matrix](https://attack.mitre.org/matrices/enterprise/cloud/)",
- "WorkbookDescription": "Workbook to showcase MITRE ATT&CK Coverage for Azure Sentinel",
- "Workbooks": [
- "Workbooks/ThreatAnalysis&Response.json",
- "Workbooks/DynamicThreatModeling&Response.json"
- ],
- "Metadata": "SolutionMetadata.json",
- "BasePath": "C:\\GitHub\\azure\\Solutions\\ThreatAnalysis&Response",
- "Version": "1.0.14"
-}
\ No newline at end of file
diff --git a/Tools/Create-Azure-Sentinel-Solution/input/Solution_ZeroTrust(TIC3.0).json b/Tools/Create-Azure-Sentinel-Solution/input/Solution_ZeroTrust(TIC3.0).json
deleted file mode 100644
index c2c5eb24c7..0000000000
--- a/Tools/Create-Azure-Sentinel-Solution/input/Solution_ZeroTrust(TIC3.0).json
+++ /dev/null
@@ -1,22 +0,0 @@
-
-{
- "Name": "ZeroTrust(TIC3.0)",
- "Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
- "Logo": "",
- "Description": "The Microsoft Sentinel: Zero Trust (TIC3.0) Workbook provides an automated visualization of Zero Trust principles cross walked to the Trusted Internet Connections framework. Compliance isn’t just an annual requirement, and organizations must monitor configurations over time like a muscle. This workbook leverages the full breadth of Microsoft security offerings across Azure, Office 365, Teams, Intune, Windows Virtual Desktop, and many more. This workbook enables Implementers, SecOps Analysts, Assessors, Security & Compliance Decision Makers, and MSSPs to gain situational awareness for cloud workloads' security posture. The workbook features 76+ control cards aligned to the TIC 3.0 security capabilities with selectable GUI buttons for navigation. This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query/alerting generation, visualizations, tailored recommendations, and respective documentation references.",
- "WorkbookDescription": "Gain insights into ZeroTrust logs.",
- "Workbooks": [
- "Workbooks/ZeroTrust(TIC3.0).json"
- ],
- "Analytic Rules": [
- "Analytic Rules/Zero_Trust_TIC3.0_ControlAssessmentPostureChange.yaml"
- ],
- "Playbooks": [
- "Playbooks/Notify_GovernanceComplianceTeam.json",
- "Playbooks/Open_DevOpsTaskRecommendation.json",
- "Playbooks/Open_JIRATicketRecommendation.json"
- ],
- "Metadata": "SolutionMetadata.json",
- "BasePath": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ZeroTrust(TIC3.0)",
- "Version": "2.0.1"
-}
\ No newline at end of file