Incident Overview Workbook query fix for ICM (#5168)
* Incident Overview Workbook query fix for ICM * Update metadata
This commit is contained in:
Родитель
b7dc1b675e
Коммит
48c8183258
|
@ -406,7 +406,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SecurityIncident\r\n| where IncidentNumber == '{IncidentNumber}' \r\n| summarize arg_max(TimeGenerated,CreatedTime,Status, Severity, Owner, AdditionalData, IncidentUrl, Comments, Classification,ClassificationReason, ClassificationComment,Labels, Title, AlertIds) by IncidentNumber\r\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\r\n| extend Tactics = todynamic(AdditionalData.tactics)\r\n| extend Owner = todynamic(Owner.assignedTo), IncidentCreated = format_datetime(CreatedTime,'yy-MM-dd HH:mm')\r\n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\r\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \r\n| where Product in ({Product}) or '{Product:label}' == \"All\"\r\n| extend Tags = extract_all('labelName\":\"(.*?)\"',tostring(Labels))\r\n| extend Owner = case(tostring(todynamic(Owner.assignedTo))==\"\", \"Unassigned\",tostring(todynamic(Owner.assignedTo))), Products = strcat_array(AdditionalData.alertProductNames, \", \"), Alerts = tostring(AdditionalData.alertsCount), Bookmarks = tostring(AdditionalData.bookmarksCount), Comments = tostring(AdditionalData.commentsCount), Tactics = strcat_array(AdditionalData.tactics, \", \"), Labels = strcat_array(Tags, \", \")\r\n| mv-expand AlertIds to typeof(string)\r\n| join kind=leftouter\r\n(SecurityAlert\r\n| summarize arg_max(TimeGenerated,AlertName, Description, AlertType, Entities)by SystemAlertId) on $left.AlertIds == $right.SystemAlertId\r\n| summarize AlertName = makelist(AlertName), AlertType = makelist(AlertType) by Comments, Labels, Title, Products, AlertsCount = Alerts, Bookmarks, Status, Severity, Owner, IncidentCreated, ClassificationComment, Classification, ClassificationReason \r\n| extend AlertNames = strcat_array(AlertName, \", \"), AlertTypes = strcat_array(AlertType, \", \")\r\n| project packed = pack_all()\r\n| mv-expand packed\r\n| parse tostring(packed) with * '\"' Field '\":\"' Value '\"}'\r\n| where Field in ('Severity', 
'Owner','Status', 'AlertsCount','Products','Title', 'IncidentCreated', 'Labels','Bookmarks', 'AlertNames', 'AlertsType', 'Classification','ClassificationComment','ClassificationReason')\r\n| extend Field1 = case(Field== \"IncidentCreated\", \"Time created\", Field == \"AlertsCount\", \"Alert count\", Field == \"ClassificationComment\", \"Classification Comment\", Field == \"ClassificationReason\", \"Classification Reason\", Field == \"AlertNames\", \"Alert Names\", Field)\r\n| extend Order = case(Field==\"Title\", 1,Field==\"IncidentCreated\", 2,Field==\"Severity\", 3,Field==\"Status\", 4,Field==\"Owner\", 5,Field==\"Products\", 6,Field==\"AlertsType\",6,Field==\"AlertsCount\", 7,Field==\"Bookmarks\", 8, Field==\"Labels\", 9,Field==\"Classification\", 10,Field==\"ClassificationReason\",11, 100)\r\n",
|
||||
"query": "let incidentNumberToCheck = '{IncidentNumber}';\r\nlet incidentWithNoAlertsQuery = SecurityIncident\r\n| where IncidentNumber == incidentNumberToCheck\r\n| summarize arg_max(TimeGenerated,CreatedTime,Status, Severity, Owner, AdditionalData, IncidentUrl, Comments, Classification,ClassificationReason, ClassificationComment,Labels, Title, AlertIds) by IncidentNumber\r\n| where array_length(AlertIds) == 0\r\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\r\n| extend Tactics = todynamic(AdditionalData.tactics)\r\n| extend Owner = todynamic(Owner.assignedTo), IncidentCreated = format_datetime(CreatedTime,'yy-MM-dd HH:mm')\r\n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\r\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0]))\r\n| where Product in ({Product}) or '{Product:label}' == \"All\"\r\n| extend Tags = extract_all('labelName\":\"(.*?)\"',tostring(Labels))\r\n| extend Owner = case(tostring(Owner)==\"\", \"Unassigned\",tostring(Owner)), Products = strcat_array(AdditionalData.alertProductNames, \", \"), Alerts = tostring(AdditionalData.alertsCount), Bookmarks = tostring(AdditionalData.bookmarksCount), Comments = tostring(AdditionalData.commentsCount), Tactics = strcat_array(AdditionalData.tactics, \", \"), Labels = strcat_array(Tags, \", \")\r\n;\r\nlet incidentWithAlertsQuery = SecurityIncident\r\n| where IncidentNumber == incidentNumberToCheck\r\n| summarize arg_max(TimeGenerated,CreatedTime,Status, Severity, Owner, AdditionalData, IncidentUrl, Comments, Classification,ClassificationReason, ClassificationComment,Labels, Title, AlertIds) by IncidentNumber\r\n| where array_length(AlertIds) > 0\r\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\r\n| extend Tactics = todynamic(AdditionalData.tactics)\r\n| extend Owner = todynamic(Owner.assignedTo), IncidentCreated = format_datetime(CreatedTime,'yy-MM-dd HH:mm')\r\n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\r\n| 
extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0]))\r\n| where Product in ({Product}) or '{Product:label}' == \"All\"\r\n| extend Tags = extract_all('labelName\":\"(.*?)\"',tostring(Labels))\r\n| extend Owner = case(tostring(Owner)==\"\", \"Unassigned\",tostring(Owner)), Products = strcat_array(AdditionalData.alertProductNames, \", \"), Alerts = tostring(AdditionalData.alertsCount), Bookmarks = tostring(AdditionalData.bookmarksCount), Comments = tostring(AdditionalData.commentsCount), Tactics = strcat_array(AdditionalData.tactics, \", \"), Labels = strcat_array(Tags, \", \")\r\n| mv-expand AlertIds to typeof(string)\r\n| join kind=leftouter\r\n(SecurityAlert\r\n| summarize arg_max(TimeGenerated,AlertName, Description, AlertType, Entities) by SystemAlertId) on $left.AlertIds == $right.SystemAlertId\r\n| summarize AlertName = makelist(AlertName), AlertType = makelist(AlertType) by Comments, Labels, Title, Products, AlertsCount = Alerts, Bookmarks, Status, Severity, Owner, IncidentCreated, ClassificationComment, Classification, ClassificationReason\r\n| extend AlertNames = strcat_array(AlertName, \", \"), AlertTypes = strcat_array(AlertType, \", \")\r\n;\r\nincidentWithNoAlertsQuery\r\n| union incidentWithAlertsQuery\r\n| project packed = pack_all()\r\n| mv-expand packed\r\n| parse tostring(packed) with * '\"' Field '\":\"' Value '\"}'\r\n| where Field in ('Severity', 'Owner','Status', 'AlertsCount','Products','Title', 'IncidentCreated', 'Labels','Bookmarks', 'AlertNames', 'AlertsType', 'Classification','ClassificationComment','ClassificationReason')\r\n| extend Field1 = case(Field== \"IncidentCreated\", \"Time created\", Field == \"AlertsCount\", \"Alert count\", Field == \"ClassificationComment\", \"Classification Comment\", Field == \"ClassificationReason\", \"Classification Reason\", Field == \"AlertNames\", \"Alert Names\", Field)\r\n| extend Order = case(Field==\"Title\", 1,Field==\"IncidentCreated\", 2,Field==\"Severity\", 
3,Field==\"Status\", 4,Field==\"Owner\", 5,Field==\"Products\", 6,Field==\"AlertsType\",6,Field==\"AlertsCount\", 7,Field==\"Bookmarks\", 8, Field==\"Labels\", 9,Field==\"Classification\", 10,Field==\"ClassificationReason\",11, 100)",
|
||||
"size": 0,
|
||||
"noDataMessage": "Enter an incident number",
|
||||
"noDataMessageStyle": 5,
|
||||
|
|
|
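Review bot: The final `where Field in (...)` filter and the `Order` case still list `'AlertsType'`, but the column the summarize/extend step actually produces is `AlertTypes` (from `strcat_array(AlertType, \", \")`), so alert types are silently dropped from the overview in the new let-based query just as in the old one, and the commit does not address it. Changing the filter entry to `'AlertTypes'` and the ordering entry to `Field==\"AlertTypes\",6` makes the column appear, and `AlertNames` should likewise get an explicit `Order` value rather than falling through to 100. Old and new side are not marked on this page; I take the `let incidentNumberToCheck` version as the new side. As a point of style, `incidentWithNoAlertsQuery` and `incidentWithAlertsQuery` repeat the same Severity/Owner/Product filter chain verbatim up to the `array_length(AlertIds)` test; a shared `let filteredIncident = ...;` prefix that both branches extend would keep the two copies from drifting apart on the next fix.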
@ -1112,7 +1112,7 @@
|
|||
"dataTypesDependencies": ["SecurityAlert", "SecurityIncident"],
|
||||
"dataConnectorsDependencies": [],
|
||||
"previewImagesFileNames": [ "IncidentOverviewBlack1.png", "IncidentOverviewWhite1.png", "IncidentOverviewBlack2.png", "IncidentOverviewWhite2.png" ],
|
||||
"version": "2.1.0",
|
||||
"version": "2.2.0",
|
||||
"title": "Incident overview",
|
||||
"templateRelativePath": "IncidentOverview.json",
|
||||
"subtitle": "",
|
||||
|
|