HnajwK1_>k62)g^%EZHQ_qacWGP!NeI
zkH<4tPzasi8>16JeX-!9@sgJ=gJ_fh4(K>vaK({gGKpdw1*AFQeVZg \n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Azure Web Application Firewall (WAF) solution for Microsoft Sentinel allows you to ingest Diagnostic Metrics from Application Gateway, Front Door and CDN into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor Resource Diagnostics](https://docs.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal)\n\n**Data Connectors:** 1, **Workbooks:** 4, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Azure Web Application Firewall (WAF) solution for Microsoft Sentinel allows you to ingest Diagnostic Metrics from Application Gateway, Front Door and CDN into Microsoft Sentinel.\n\n **Data Connectors:** 1, **Workbooks:** 4, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -194,7 +194,7 @@
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment."
+ "text": "Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \nof blocked requests and a few unobstructed logs that may be malicious but have passed undetected through the WAF. The successCode \nvariable defines what the detection thinks is a successful status code and should be altered to fit the environment."
}
}
]
@@ -208,7 +208,7 @@
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match for SQL Injection attack in the Front Door Premium WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement.\n References: https://owasp.org/Top10/A03_2021-Injection/"
+ "text": "Identifies a match for a SQL Injection attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements.\nReferences: https://owasp.org/Top10/A03_2021-Injection/"
}
}
]
@@ -222,7 +222,7 @@
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a match for XSS attack in the Front Door Premium WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement.\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)"
+ "text": "Identifies a match for an XSS attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements.\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)"
}
}
]
diff --git a/Solutions/Azure Web Application Firewall (WAF)/Package/mainTemplate.json b/Solutions/Azure Web Application Firewall (WAF)/Package/mainTemplate.json
index 16e158c167..898e296379 100644
--- a/Solutions/Azure Web Application Firewall (WAF)/Package/mainTemplate.json
+++ b/Solutions/Azure Web Application Firewall (WAF)/Package/mainTemplate.json
@@ -75,17 +75,17 @@
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
"dataConnectorVersion1": "1.0.0",
- "analyticRuleVersion1": "1.0.2",
+ "analyticRuleVersion1": "1.0.3",
"analyticRulecontentId1": "46ac55ae-47b8-414a-8f94-89ccd1962178",
"_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]",
- "analyticRuleVersion2": "1.0.0",
+ "analyticRuleVersion2": "1.0.1",
"analyticRulecontentId2": "16da3a2a-af29-48a0-8606-d467c180fe18",
"_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]",
- "analyticRuleVersion3": "1.0.0",
+ "analyticRuleVersion3": "1.0.1",
"analyticRulecontentId3": "b7643904-5081-4920-917e-a559ddc3448f",
"_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
@@ -139,7 +139,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
- "description": "Azure Web Application Firewall (WAF) data connector with template version 2.0.3",
+ "description": "Azure Web Application Firewall (WAF) data connector with template version 2.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -345,7 +345,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
],
"properties": {
- "description": "MaliciousWAFSessions_AnalyticalRules Analytics Rule with template version 2.0.3",
+ "description": "MaliciousWAFSessions_AnalyticalRules Analytics Rule with template version 2.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion1')]",
@@ -359,10 +359,10 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.",
+ "description": "Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \nof blocked requests and a few unobstructed logs that may be malicious but have passed undetected through the WAF. The successCode \nvariable defines what the detection thinks is a successful status code and should be altered to fit the environment.",
"displayName": "A potentially malicious web request was executed against a web server",
"enabled": false,
- "query": "let queryperiod = 1d;\nlet mode = 'Blocked';\nlet successCode = dynamic(['200', '101','204', '400','504','304','401','500']);\nlet sessionBin = 30m;\nAzureDiagnostics\n| where TimeGenerated > ago(queryperiod)\n| where Category == 'ApplicationGatewayFirewallLog' and action_s == mode\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\n| extend TimeKey = range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\n| mv-expand TimeKey to typeof(datetime)\n| join kind = inner(\n AzureDiagnostics\n | where TimeGenerated > ago(queryperiod)\n | where Category == 'ApplicationGatewayAccessLog' and (isempty(httpStatus_d) or httpStatus_d in (successCode))\n | extend TimeKey = bin(TimeGenerated, sessionBin)\n) on TimeKey, $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\n| extend\n originalRequestUriWithArgs_s = column_ifexists(\"originalRequestUriWithArgs_s\", \"\"),\n serverStatus_s = column_ifexists(\"serverStatus_s\", \"\")\n| summarize\n SuccessfulAccessCount = count(),\n UserAgents = make_set(userAgent_s, 250),\n RequestURIs = make_set(requestUri_s, 250),\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\n SuccessCodes = make_set(httpStatus_d, 250),\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\n take_any(SessionBlockedEnded, SessionBlockedCount)\n by hostname_s, clientIp_s, SessionBlockedStarted\n| where SessionBlockedCount > SuccessfulAccessCount\n| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s\n| extend BlockvsSuccessRatio = 
SessionBlockedCount/toreal(SuccessfulAccessCount)\n| sort by BlockvsSuccessRatio desc, timestamp asc\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\n",
+ "query": "let queryperiod = 1d;\nlet mode = 'Blocked';\nlet successCode = dynamic(['200', '101','204', '400','504','304','401','500']);\nlet sessionBin = 30m;\nAzureDiagnostics\n| where TimeGenerated > ago(queryperiod)\n| where Category =~ 'ApplicationGatewayFirewallLog' and action_s == mode\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\n| extend TimeKey = range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\n| mv-expand TimeKey to typeof(datetime)\n| join kind = inner(\n AzureDiagnostics\n | where TimeGenerated > ago(queryperiod)\n | where Category =~ 'ApplicationGatewayAccessLog' and (isempty(httpStatus_d) or httpStatus_d in (successCode))\n | extend TimeKey = bin(TimeGenerated, sessionBin)\n | extend hostname_s = coalesce(hostname_s,host_s), clientIp_s = coalesce(clientIp_s,clientIP_s)\n) on TimeKey, hostname_s , clientIp_s\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\n| extend\n originalRequestUriWithArgs_s = column_ifexists(\"originalRequestUriWithArgs_s\", \"\"),\n serverStatus_s = column_ifexists(\"serverStatus_s\", \"\")\n| summarize\n SuccessfulAccessCount = count(),\n UserAgents = make_set(userAgent_s, 250),\n RequestURIs = make_set(requestUri_s, 250),\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\n SuccessCodes = make_set(httpStatus_d, 250),\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\n take_any(SessionBlockedEnded, SessionBlockedCount)\n by hostname_s, clientIp_s, SessionBlockedStarted\n| where SessionBlockedCount > SuccessfulAccessCount\n| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s\n| extend 
BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\n| sort by BlockvsSuccessRatio desc, timestamp asc\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
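Review bot: The rewritten query on the `+ "query"` line switches `Category` to the case-insensitive `=~` but still compares `action_s == mode` case-sensitively, while the two Front Door rules in this same template now use `action_s =~ "Block"`; a firewall row whose action is cased differently would silently drop out of `SessionBlockedCount`. Suggest `| where Category =~ 'ApplicationGatewayFirewallLog' and action_s =~ mode` so the three rules agree. Now that this template's IP entity mapping binds `clientIp_s` directly, the `IPCustomEntity = clientIp_s` extend is dead output and can be removed from the query. Separately, `httpStatus_d in (successCode)` compares a numeric column against string literals; if Kusto does not coerce here, only the `isempty(httpStatus_d)` rows survive the filter, so this is worth confirming against live data or rewriting as `tostring(httpStatus_d) in (successCode)`.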
@@ -373,10 +373,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "WAF",
"dataTypes": [
"AzureDiagnostics"
- ],
- "connectorId": "WAF"
+ ]
}
],
"tactics": [
@@ -389,8 +389,8 @@
{
"fieldMappings": [
{
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "clientIp_s"
}
],
"entityType": "IP"
@@ -456,7 +456,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
],
"properties": {
- "description": "AFD-Premium-WAF-SQLiDetection_AnalyticalRules Analytics Rule with template version 2.0.3",
+ "description": "AFD-Premium-WAF-SQLiDetection_AnalyticalRules Analytics Rule with template version 2.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion2')]",
@@ -470,10 +470,10 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match for SQL Injection attack in the Front Door Premium WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement.\n References: https://owasp.org/Top10/A03_2021-Injection/",
+ "description": "Identifies a match for a SQL Injection attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements.\nReferences: https://owasp.org/Top10/A03_2021-Injection/",
"displayName": "Front Door Premium WAF - SQLi Detection",
"enabled": false,
- "query": "let Threshold = 1;\nAzureDiagnostics\n| where Category == \"FrontDoorWebApplicationFirewallLog\"\n| where action_s == \"AnomalyScoring\"\n| where details_msg_s contains \"SQL Injection\"\n| parse details_data_s with MessageText \"Matched Data:\" MatchedData \"AND \" * \"table_name FROM \" TableName \" \" *\n| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData\n| join kind = inner(\nAzureDiagnostics\n| where Category == \"FrontDoorWebApplicationFirewallLog\"\n| where action_s == \"Block\") on trackingReference_s\n| summarize URI_s = make_set(requestUri_s), Table = make_set(TableName), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s), Matched_Data = make_set(MatchedData), Detail_Data = make_set(details_data_s), Detail_Message = make_set(details_msg_s), Total_TrackingReference = dcount(trackingReference_s) by clientIP_s, host_s, action_s\n| where Total_TrackingReference >= Threshold\n",
+ "query": "let Threshold = 1;\nAzureDiagnostics\n| where Category =~ \"FrontDoorWebApplicationFirewallLog\"\n| where action_s =~ \"AnomalyScoring\"\n| where details_msg_s has \"SQL Injection\"\n| parse details_data_s with MessageText \"Matched Data:\" MatchedData \"AND \" * \"table_name FROM \" TableName \" \" *\n| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData\n| join kind = inner(\nAzureDiagnostics\n| where Category =~ \"FrontDoorWebApplicationFirewallLog\"\n| where action_s =~ \"Block\") on trackingReference_s\n| summarize URI_s = make_set(requestUri_s,100), Table = make_set(TableName,100), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s,100), Matched_Data = make_set(MatchedData,100), Detail_Data = make_set(details_data_s,100), Detail_Message = make_set(details_msg_s,100), Total_TrackingReference = dcount(trackingReference_s) by clientIP_s, host_s, action_s\n| where Total_TrackingReference >= Threshold\n",
"queryFrequency": "PT6H",
"queryPeriod": "PT6H",
"severity": "High",
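Review bot: `URI_s = make_set(requestUri_s,100)` on the `+ "query"` line produces a dynamic array, yet this template maps `URI_s` as the `Url` entity's `Address` (the entity mapping hunk further down in this file), so the entity receives a serialized JSON array rather than a single URL, which will not match or enrich cleanly. Emit a scalar alongside the set, e.g. add `, FirstURI = take_any(requestUri_s)` to the summarize and point the Url mapping at `FirstURI`, or `| extend FirstURI = tostring(URI_s[0])` after it. The `=~`/`has` hardening and the 100-item caps are fine; the caps do not touch `Total_TrackingReference`, so the `Threshold` comparison is unchanged.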
@@ -484,10 +484,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "WAF",
"dataTypes": [
"AzureDiagnostics"
- ],
- "connectorId": "WAF"
+ ]
}
],
"tactics": [
@@ -506,8 +506,8 @@
{
"fieldMappings": [
{
- "columnName": "URI_s",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "URI_s"
}
],
"entityType": "URL"
@@ -515,8 +515,8 @@
{
"fieldMappings": [
{
- "columnName": "clientIP_s",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "clientIP_s"
}
],
"entityType": "IP"
@@ -582,7 +582,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]"
],
"properties": {
- "description": "AFD-Premium-WAF-XSSDetection_AnalyticalRules Analytics Rule with template version 2.0.3",
+ "description": "AFD-Premium-WAF-XSSDetection_AnalyticalRules Analytics Rule with template version 2.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion3')]",
@@ -596,10 +596,10 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a match for XSS attack in the Front Door Premium WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement.\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)",
+ "description": "Identifies a match for an XSS attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements.\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)",
"displayName": "Front Door Premium WAF - XSS Detection",
"enabled": false,
- "query": "let Threshold = 1;\nAzureDiagnostics\n| where Category == \"FrontDoorWebApplicationFirewallLog\"\n| where action_s == \"AnomalyScoring\"\n| where details_msg_s contains \"XSS\"\n| parse details_data_s with MessageText \"Matched Data:\" MatchedData \"AND \" * \"table_name FROM \" TableName \" \" *\n| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData\n| join kind = inner(\nAzureDiagnostics\n| where Category == \"FrontDoorWebApplicationFirewallLog\"\n| where action_s == \"Block\") on trackingReference_s\n| summarize URI_s = make_set(requestUri_s), Table = make_set(TableName), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s), Matched_Data = make_set(MatchedData), Detail_Data = make_set(details_data_s), Detail_Message = make_set(details_msg_s), Total_TrackingReference = dcount(trackingReference_s) by clientIP_s, host_s, action_s\n| where Total_TrackingReference >= Threshold\n",
+ "query": "let Threshold = 1;\nAzureDiagnostics\n| where Category =~ \"FrontDoorWebApplicationFirewallLog\"\n| where action_s =~ \"AnomalyScoring\"\n| where details_msg_s has \"XSS\"\n| parse details_data_s with MessageText \"Matched Data:\" MatchedData \"AND \" * \"table_name FROM \" TableName \" \" *\n| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData\n| join kind = inner(\nAzureDiagnostics\n| where Category =~ \"FrontDoorWebApplicationFirewallLog\"\n| where action_s =~ \"Block\") on trackingReference_s\n| summarize URI_s = make_set(requestUri_s,100), Table = make_set(TableName,100), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s,100), Matched_Data = make_set(MatchedData,100), Detail_Data = make_set(details_data_s,100), Detail_Message = make_set(details_msg_s,100), Total_TrackingReference = dcount(trackingReference_s) by clientIP_s, host_s, action_s\n| where Total_TrackingReference >= Threshold\n",
"queryFrequency": "PT6H",
"queryPeriod": "PT6H",
"severity": "High",
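Review bot: The rewritten query on the `+ "query"` line still carries the SQLi rule's parse pattern `"AND " * "table_name FROM " TableName " " *`; an XSS AnomalyScoring message is unlikely to contain `table_name FROM`, and when a simple-mode `parse` fails to match it leaves `MatchedData` and `TableName` empty, so the `Table` and `Matched_Data` sets in every XSS alert are blank. Check `details_data_s` on a real XSS match and trim the pattern to the part that actually precedes the payload, e.g. `| parse details_data_s with * "Matched Data:" MatchedData " found" *` if the message has that shape, and drop `Table`/`TableName` from the summarize if nothing fills it. Otherwise the `=~`/`has` changes and the `make_set` caps mirror the SQLi rule and look correct.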
@@ -610,10 +610,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "WAF",
"dataTypes": [
"AzureDiagnostics"
- ],
- "connectorId": "WAF"
+ ]
}
],
"tactics": [
@@ -629,8 +629,8 @@
{
"fieldMappings": [
{
- "columnName": "URI_s",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "URI_s"
}
],
"entityType": "URL"
@@ -638,8 +638,8 @@
{
"fieldMappings": [
{
- "columnName": "clientIP_s",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "clientIP_s"
}
],
"entityType": "IP"
@@ -705,7 +705,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
],
"properties": {
- "description": "WebApplicationFirewallFirewallEventsWorkbook Workbook with template version 2.0.3",
+ "description": "WebApplicationFirewallFirewallEventsWorkbook Workbook with template version 2.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -723,7 +723,7 @@
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Application gateway firewall events\"},\"name\":\"text - 10\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"query\":\"\",\"parameters\":[{\"id\":\"49e2f511-592f-4d7f-8fda-d686803f3dbf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"d54c1639-d46c-4655-9d76-d5416926a453\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WAF\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| summarize Count=count() by Resource\\r\\n| order by Count desc, Resource asc\\r\\n| project Value = Resource, Lable = strcat(Resource, \\\" - \\\", Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where action_s == \\\"Blocked\\\" or action_s == 
\\\"Detected\\\" \\r\\n| summarize count() by requestUri_s \\r\\n| top 10 by count_ desc \",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Blocked URL addresses\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| summarize number = count() by action_s\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"WAF actions\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\" \\r\\n| summarize number = count() by instanceId_s, TimeGenerated\\r\\n| where instanceId_s contains \\\"role\\\"\\r\\n| extend roulenumber = extract(\\\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\\\", 1, instanceId_s) \\r\\n| project roulenumber , number , TimeGenerated \\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Role use, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"customWidth\":\"40\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| 
where \\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF})\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| summarize count() by Message\\r\\n| top 10 by count_ \\r\\n\",\"size\":0,\"exportFieldName\":\"Message\",\"exportParameterName\":\"Selected\",\"exportDefaultValue\":\"*\",\"exportToExcelOptions\":\"visible\",\"title\":\"Event trigger\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true}}],\"labelSettings\":[{\"columnId\":\"Message\"},{\"columnId\":\"count_\",\"label\":\"\"}]}},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where \\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF})\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where ('{Selected}' == Message) or '{Selected}'==\\\"*\\\"\\r\\n| summarize count() by Message, TimeGenerated\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Messages, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Message\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 
13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where \\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF})\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where '{Selected}' == Message or '{Selected}' == \\\"*\\\"\\r\\n| extend Role = extract(\\\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\\\",1,instanceId_s) \\r\\n| project Message, TimeGenerated, SourceSystem, hostname_s, ResourceId, ResourceGroup, ResourceProvider, Category, Role, action_s, site_s, details_message_s, details_file_s, clientIp_s, requestUri_s\\r\\n| sort by TimeGenerated\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Message, full details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"name\":\"query - 11\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where Message contains \\\"attack\\\"\\r\\n| extend Role = extract(\\\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\\\",1,instanceId_s) \\r\\n| summarize Amount = count() by Message, bin(TimeGenerated, 1h), hostName = hostname_s, ResourceId, Category, Role\\r\\n| project Amount, Message, TimeGenerated, hostName, ResourceId, Category, Role\\r\\n| order by Amount desc\",\"size\":0,\"exportFieldName\":\"\",\"exportParameterName\":\"MessageFilter\",\"exportDefaultValue\":\"{\\\"Message\\\":\\\"*\\\"}\",\"exportToExcelOptions\":\"visible\",\"title\":\"Attacks events, by 
messages\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Amount\",\"formatter\":8,\"formatOptions\":{\"showIcon\":true,\"aggregation\":\"Sum\"}},{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"hostName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourceId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Category\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Role\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"$gen_group\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TenantId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"SourceSystem\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"MG\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ManagementGroupName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Computer\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ruleGroup_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"transactionId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"originalHost_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"_schema_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"error_code_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"error_message_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"instanceId_s\",\"for
matter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"clientIp_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"clientPort_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"requestUri_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ruleSetType_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ruleSetVersion_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ruleId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"action_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"site_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"details_message_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"details_data_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"details_file_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"details_line_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"hostname_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"clientIP_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"clientPort_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"httpMethod_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"requestQuery_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"userAgent_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"httpStatus_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"httpVersion_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"receivedBytes_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"sentBytes_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\"
:true}},{\"columnMatch\":\"timeTaken_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"sslEnabled_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"host_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"correlation_clientTrackingId_g\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"tags__type_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"msg_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_originRunId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_actionName_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"correlation_actionTrackingId_g\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"workflowId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Level\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"OperationName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"status_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"tags_LogicAppsCategory_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_resourceGroupName_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_workflowName_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_runId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_location_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_triggerName_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"SubscriptionId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourceGroup\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourcePr
ovider\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Resource\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourceType\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"code_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"correlation_clientTrackingId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_subscriptionId_g\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_workflowId_g\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"startTime_t\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"endTime_t\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"_ResourceId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Message\"],\"expandTopLevel\":false}}},\"name\":\"query - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.childRows; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nAzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where Message contains \\\"attack\\\"\\r\\n| where SelectedMS.Message == Message or SelectedMS.Message == \\\"*\\\" or Message == Child[0].Message\\r\\n| summarize count() by Message, TimeGenerated\",\"size\":0,\"exportParameterName\":\"Message\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"exportToExcelOptions\":\"visible\",\"title\":\"Attack events, by 
time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"70\",\"name\":\"query - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Message contains \\\"SQL Injection\\\" \\r\\n| summarize count() by hostname_s, Message\\r\\n| order by count_ desc \",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"SQL injection, by host name\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"30\",\"name\":\"query - 15\"}],\"fromTemplateId\":\"sentinel-WebApplicationFirewallFirewallEvents\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Application gateway firewall events\"},\"name\":\"text - 10\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"query\":\"\",\"parameters\":[{\"id\":\"49e2f511-592f-4d7f-8fda-d686803f3dbf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"d54c1639-d46c-4655-9d76-d5416926a453\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WAF\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| summarize Count=count() by Resource\\r\\n| order by Count desc, Resource asc\\r\\n| project Value = Resource, Lable = strcat(Resource, \\\" - \\\", Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where action_s == \\\"Blocked\\\" or action_s == 
\\\"Detected\\\" \\r\\n| summarize count() by requestUri_s \\r\\n| top 10 by count_ desc \",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Blocked URL addresses\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| summarize number = count() by action_s\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"WAF actions\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\" \\r\\n| summarize number = count() by instanceId_s, TimeGenerated\\r\\n| where instanceId_s has \\\"role\\\"\\r\\n| extend rolenumber = extract(\\\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\\\", 1, instanceId_s) \\r\\n| project rolenumber , number , TimeGenerated \\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Role use, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"customWidth\":\"40\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where 
\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF})\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| summarize count() by Message\\r\\n| top 10 by count_ \\r\\n\",\"size\":0,\"exportFieldName\":\"Message\",\"exportParameterName\":\"Selected\",\"exportDefaultValue\":\"*\",\"exportToExcelOptions\":\"visible\",\"title\":\"Event trigger\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true}}],\"labelSettings\":[{\"columnId\":\"Message\"},{\"columnId\":\"count_\",\"label\":\"\"}]}},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where \\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF})\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where ('{Selected}' == Message) or '{Selected}'==\\\"*\\\"\\r\\n| summarize count() by Message, TimeGenerated\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Messages, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Message\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 
13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where \\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF})\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where '{Selected}' == Message or '{Selected}' == \\\"*\\\"\\r\\n| extend Role = extract(\\\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\\\",1,instanceId_s) \\r\\n| project Message, TimeGenerated, SourceSystem, hostname_s, ResourceId, ResourceGroup, ResourceProvider, Category, Role, action_s, site_s, details_message_s, details_file_s, clientIp_s, requestUri_s\\r\\n| sort by TimeGenerated\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Message, full details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"name\":\"query - 11\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where Message has \\\"attack\\\"\\r\\n| extend Role = extract(\\\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\\\",1,instanceId_s) \\r\\n| summarize Amount = count() by Message, bin(TimeGenerated, 1h), hostName = hostname_s, ResourceId, Category, Role\\r\\n| project Amount, Message, TimeGenerated, hostName, ResourceId, Category, Role\\r\\n| order by Amount desc\",\"size\":0,\"exportFieldName\":\"\",\"exportParameterName\":\"MessageFilter\",\"exportDefaultValue\":\"{\\\"Message\\\":\\\"*\\\"}\",\"exportToExcelOptions\":\"visible\",\"title\":\"Attacks events, by 
messages\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Amount\",\"formatter\":8,\"formatOptions\":{\"showIcon\":true,\"aggregation\":\"Sum\"}},{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"hostName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourceId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Category\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Role\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"$gen_group\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TenantId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"SourceSystem\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"MG\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ManagementGroupName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Computer\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ruleGroup_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"transactionId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"originalHost_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"_schema_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"error_code_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"error_message_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"instanceId_s\",\"for
matter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"clientIp_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"clientPort_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"requestUri_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ruleSetType_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ruleSetVersion_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ruleId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"action_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"site_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"details_message_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"details_data_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"details_file_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"details_line_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"hostname_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"clientIP_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"clientPort_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"httpMethod_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"requestQuery_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"userAgent_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"httpStatus_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"httpVersion_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"receivedBytes_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"sentBytes_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\"
:true}},{\"columnMatch\":\"timeTaken_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"sslEnabled_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"host_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"correlation_clientTrackingId_g\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"tags__type_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"msg_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_originRunId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_actionName_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"correlation_actionTrackingId_g\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"workflowId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Level\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"OperationName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"status_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"tags_LogicAppsCategory_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_resourceGroupName_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_workflowName_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_runId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_location_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_triggerName_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"SubscriptionId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourceGroup\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourcePr
ovider\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Resource\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourceType\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"code_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"correlation_clientTrackingId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_subscriptionId_g\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_workflowId_g\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"startTime_t\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"endTime_t\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"_ResourceId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Message\"],\"expandTopLevel\":false}}},\"name\":\"query - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.childRows; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nAzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where Message has \\\"attack\\\"\\r\\n| where SelectedMS.Message == Message or SelectedMS.Message == \\\"*\\\" or Message == Child[0].Message\\r\\n| summarize count() by Message, TimeGenerated\",\"size\":0,\"exportParameterName\":\"Message\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"exportToExcelOptions\":\"visible\",\"title\":\"Attack events, by 
time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"70\",\"name\":\"query - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Message has \\\"SQL Injection\\\" \\r\\n| summarize count() by hostname_s, Message\\r\\n| order by count_ desc \",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"SQL injection, by host name\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"30\",\"name\":\"query - 15\"}],\"fromTemplateId\":\"sentinel-WebApplicationFirewallFirewallEvents\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
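Review bot: The `contains "role"` → `has "role"` switch in the "Role use, by time" query of the new serializedData likely stops the panel from returning any rows, because `has` matches whole indexed terms while the `extract("ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)", 1, instanceId_s)` on the same line shows the role name is glued to `ApplicationGateway` inside a single word-character run (e.g. a value shaped like `ApplicationGatewayRole_IN_0`), so "role" is never a standalone term. Either keep the substring operator, `| where instanceId_s contains "role"`, or filter on what the regex already assumes, `| where instanceId_s startswith "ApplicationGateway"`, so the predicate and the extract agree. The parallel `contains`→`has` changes on `Message` ("attack", "SQL Injection") are safer since those words appear as separate terms in rule messages, but they should be spot-checked against real ApplicationGatewayFirewall output before this ships, as any message where the keyword is part of a compound token would silently drop from the attack panels.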
@@ -800,7 +800,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName2'))]"
],
"properties": {
- "description": "WebApplicationFirewallGatewayAccessEventsWorkbook Workbook with template version 2.0.3",
+ "description": "WebApplicationFirewallGatewayAccessEventsWorkbook Workbook with template version 2.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion2')]",
@@ -895,7 +895,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName3'))]"
],
"properties": {
- "description": "WebApplicationFirewallOverviewWorkbook Workbook with template version 2.0.3",
+ "description": "WebApplicationFirewallOverviewWorkbook Workbook with template version 2.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion3')]",
@@ -913,7 +913,7 @@
},
"properties": {
"displayName": "[parameters('workbook3-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"query\":\"\",\"parameters\":[{\"id\":\"49e2f511-592f-4d7f-8fda-d686803f3dbf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"d54c1639-d46c-4655-9d76-d5416926a453\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WAF\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| summarize Count=count() by Resource\\r\\n| order by Count desc, Resource asc\\r\\n| project Value = Resource, Lable = strcat(Resource, \\\" - \\\", Count)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b1a1c99d-4498-4e02-82f0-d52c276d5657\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Events\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| summarize Count = count() by OperationName\\r\\n| order by Count desc, OperationName asc\\r\\n| project value = OperationName, Label = strcat(OperationName, ' - ', 
Count)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" \\n| where \\\"{WAF:lable}\\\"==\\\"All\\\" or Resource in ({WAF})\\n| where \\\"{Events:lable}\\\"==\\\"All\\\" or OperationName in ({Events})\\n| summarize count() by Resource, TimeGenerated\",\"size\":1,\"exportToExcelOptions\":\"visible\",\"title\":\"Resource events, by time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Resource\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"70\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where \\\"{WAF:lable}\\\"==\\\"All\\\" or Resource in ({WAF})\\r\\n| where \\\"{Events:lable}\\\"==\\\"All\\\" or OperationName in ({Events})\\r\\n| summarize number = count() by Resource\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Resource use\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" \\r\\n| 
where \\\"{WAF:lable}\\\"==\\\"All\\\" or Resource in ({WAF})\\r\\n| where \\\"{Events:lable}\\\"==\\\"All\\\" or OperationName in ({Events})\\r\\n| summarize number = count() by OperationName, TimeGenerated\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Firewall and access events, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"70\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" \\r\\n| where \\\"{WAF:lable}\\\"==\\\"All\\\" or Resource in ({WAF})\\r\\n| where \\\"{Events:lable}\\\"==\\\"All\\\" or OperationName in ({Events})\\r\\n| summarize number = count() by OperationName\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Events, by operation\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 6\"}],\"fromTemplateId\":\"sentinel-WebApplicationFirewallOverview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"query\":\"\",\"parameters\":[{\"id\":\"49e2f511-592f-4d7f-8fda-d686803f3dbf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"d54c1639-d46c-4655-9d76-d5416926a453\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WAF\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| summarize Count=count() by Resource\\r\\n| order by Count desc, Resource asc\\r\\n| project Value = Resource, Lable = strcat(Resource, \\\" - \\\", Count)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b1a1c99d-4498-4e02-82f0-d52c276d5657\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Events\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| summarize Count = count() by OperationName\\r\\n| order by Count desc, OperationName asc\\r\\n| project value = OperationName, Label = strcat(OperationName, ' - ', 
Count)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" \\n| where \\\"{WAF:lable}\\\"==\\\"All\\\" or Resource in ({WAF})\\n| where \\\"{Events:lable}\\\"==\\\"All\\\" or OperationName in ({Events})\\n| summarize count() by Resource, TimeGenerated\",\"size\":1,\"exportToExcelOptions\":\"visible\",\"title\":\"Resource events, by time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Resource\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"70\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where \\\"{WAF:lable}\\\"==\\\"All\\\" or Resource in ({WAF})\\r\\n| where \\\"{Events:lable}\\\"==\\\"All\\\" or OperationName in ({Events})\\r\\n| summarize number = count() by Resource\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Resource use\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType 
== \\\"APPLICATIONGATEWAYS\\\" \\r\\n| where \\\"{WAF:lable}\\\"==\\\"All\\\" or Resource in ({WAF})\\r\\n| where \\\"{Events:lable}\\\"==\\\"All\\\" or OperationName in ({Events})\\r\\n| summarize number = count() by OperationName, TimeGenerated\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Firewall and access events, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"70\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" \\r\\n| where \\\"{WAF:lable}\\\"==\\\"All\\\" or Resource in ({WAF})\\r\\n| where \\\"{Events:lable}\\\"==\\\"All\\\" or OperationName in ({Events})\\r\\n| summarize number = count() by OperationName\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Events, by operation\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 6\"}],\"fromTemplateId\":\"sentinel-WebApplicationFirewallOverview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
@@ -990,7 +990,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName4'))]"
],
"properties": {
- "description": "WebApplicationFirewallWAFTypeEventsWorkbook Workbook with template version 2.0.3",
+ "description": "WebApplicationFirewallWAFTypeEventsWorkbook Workbook with template version 2.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion4')]",
@@ -1008,7 +1008,7 @@
},
"properties": {
"displayName": "[parameters('workbook4-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Azure WAF Events\"},\"name\":\"text - 10\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Subscription}\"],\"parameters\":[{\"id\":\"afd56a69-16a5-436d-850e-16c24e839503\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::all\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"e38cad87-ff16-40e6-9384-f6fd24fa9d6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value=strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"value\":[\"/subscriptions/6b1ceacd-5731-4780-8f96-2078dd96fd96\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"a125fc08-be6d-4b8b-87e2-7e0cd957db47\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultWorkspace_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n|take 1\\r\\n|project 
id\",\"crossComponentResources\":[\"{Subscription}\"],\"isHiddenWhenLocked\":true,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"65674a40-2869-4867-a24d-f86f05fd0354\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspaces\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project id, selected = iff(id =~ '{DefaultWorkspace_Internal}', true, false)\\r\\n\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"49e2f511-592f-4d7f-8fda-d686803f3dbf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000}],\"allowCustom\":true}},{\"id\":\"604a42a0-deca-4a95-a15f-8977646a7fac\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WAFType\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\"\\r\\n| summarize Count=count() by ResourceType\\r\\n| extend 
ResourceTypeImproved = iif(ResourceType == \\\"APPLICATIONGATEWAYS\\\", \\\"Application Gateway\\\", ResourceType)\\r\\n| extend ResourceTypeImproved = iif(ResourceTypeImproved == \\\"FRONTDOORS\\\", \\\"Azure Front Door\\\", ResourceTypeImproved)\\r\\n| extend ResourceTypeImproved = iif(ResourceTypeImproved == \\\"PROFILES\\\", \\\"Azure Front Door Premium\\\", ResourceTypeImproved)\\r\\n| extend ResourceTypeImproved = iif(ResourceTypeImproved == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\", \\\"Azure CDN\\\", ResourceTypeImproved)\\r\\n| order by Count desc, ResourceTypeImproved asc\\r\\n| project ResourceTypeImproved\",\"crossComponentResources\":[\"{Workspaces}\"],\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"WAF Type\"},{\"id\":\"d54c1639-d46c-4655-9d76-d5416926a453\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WAF\",\"label\":\"WAF Items\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front 
door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\"))\\r\\n| summarize Count=count() by Resource\\r\\n| order by Count desc, Resource asc\\r\\n| project Value = Resource, Label = strcat(Resource, \\\" - \\\", Count)\",\"crossComponentResources\":[\"{Workspaces}\"],\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == 
\\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n// Application Gateway has Matched, Blocked, Detected : translates to Matched, Block, Log\\r\\n// Azure Front Door has Matched, Block, Log : translates to Matched, Block, Log\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| summarize number = count() by Action\",\"size\":3,\"showAnalytics\":true,\"title\":\"WAF actions filter\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"SelectedAction\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"27\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" 
contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where Action == \\\"Block\\\"\\r\\n| where requestUri_s <> \\\"/\\\"\\r\\n| summarize count() by requestUri_s \\r\\n| top 40 by count_ desc \",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 40 Blocked Request URI addresses, filter to single URI address\",\"noDataMessage\":\"The current data has no \\\"Blocked\\\" results\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"requestUri_s\",\"exportParameterName\":\"RequestURI\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"requestUri_s\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":5}}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"requestUri_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"siz
eSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"count_\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"63\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = 
strcat(clientIp_s, clientIP_s)\\r\\n| extend Rule= iif(Rule contains \\\"Mandatory rule. Cannot be disabled.\\\", strcat_array(split(Rule, \\\"Mandatory rule. Cannot be disabled. Inbound \\\",1),\\\"\\\"), Rule) // Removes initial component for mandatory rule \\r\\n| extend Rule = iif(Rule contains \\\"Total Inbound Score\\\", strcat_array(array_concat(split(Rule, \\\" - SQLI=\\\", 0), parse_json('[\\\") -\\\"]'), split(Rule,\\\"):\\\",1)),\\\"\\\"),Rule) // Removes smaller information if more info is available for anomaly score\\r\\n| summarize count() by Rule\\r\\n| top 50 by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 50 event triggers, filter by rule name\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Rule\",\"exportParameterName\":\"Selected\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true}}],\"sortBy\":[{\"itemKey\":\"$gen_bar_count__1\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"\"}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_count__1\",\"sortOrder\":2}]},\"customWidth\":\"30\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == 
\\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| summarize count() by Rule, bin(TimeGenerated, 1h)\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages, by 
time\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"timeBrushUpperSection\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Message\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"70\",\"name\":\"query - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,requestUri_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string,instanceId_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" 
and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\" \\r\\n| extend Role = extract(\\\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\\\",1,instanceId_s) \\r\\n| extend RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s, Site = site_s\\r\\n| project Rule, TimeGenerated, SourceSystem, Hostname, ResourceId, ResourceGroup, ResourceProvider, Category, Role, Action, Site, Message_Details, File_Details, ClientIP, RequestUri\\r\\n| sort by TimeGenerated\",\"size\":0,\"showAnalytics\":true,\"title\":\"Message, full details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushUpperSection\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 11\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, 
transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message contains \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\" \\r\\n| summarize Amount = count() by Rule\\r\\n| order by Amount desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Attacks events, by messages and filterable by rule name\",\"noDataMessage\":\"Filtered messages are not attack 
events\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"\",\"exportParameterName\":\"MessageFilter\",\"exportDefaultValue\":\"{\\\"Rule\\\":\\\"*\\\"}\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Amount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true,\"aggregation\":\"Sum\"}}],\"filter\":true}},\"customWidth\":\"20\",\"name\":\"query - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in 
({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message contains \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\" \\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| where Rule == Child or Child == \\\"*\\\"\\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| summarize Amount = count() by Rule, bin(TimeGenerated, 1h), ResourceId\\r\\n| project Amount, Rule, TimeGenerated, ResourceId\\r\\n| order by Amount desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Attack events, by time\",\"noDataMessage\":\"Filtered messages are not attack events\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"timeBrushLowerSection\",\"exportParameterName\":\"Message\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"customWidth\":\"80\",\"name\":\"query - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", 
\\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message contains \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| where Rule == Child or Child == \\\"*\\\" \\r\\n| summarize count() by TrackingID\\r\\n| top 50 by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"TrackingID filter\",\"noDataMessage\":\"You have over-filtered or you are missing this 
data.\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushLowerSection\",\"exportFieldName\":\"TrackingID\",\"exportParameterName\":\"SelectedTrackingID\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"TrackingID\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TrackingID\",\"sortOrder\":2}]},\"customWidth\":\"20\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable (Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,ruleGroup_s:string,instanceId_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure 
front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message contains \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\\r\\n| where '{SelectedTrackingID}' == TrackingID or '{SelectedTrackingID}' == \\\"*\\\" \\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| where Rule == Child or Child == \\\"*\\\"\\r\\n| extend RuleGroup = ruleGroup_s, InstandUri = instanceId_s, RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s\\r\\n| project TrackingID, TimeGenerated, Rule, ClientIP, RuleGroup, InstandUri, RequestUri, RuleSetType, Action, Message_Details, File_Details, Data_Details, Hostname, Category\",\"size\":0,\"showAnalytics\":true,\"title\":\"TrackingID Messages\",\"noDataMessage\":\"You have over-filtered or you are missing this data.\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushLowerSection\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":50}},\"customWidth\":\"80\",\"name\":\"query 
- 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message contains \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| extend TrackingID = strcat(transactionId_s, 
trackingReference_s)\\r\\n| where '{SelectedTrackingID}' == TrackingID or '{SelectedTrackingID}' == \\\"*\\\" \\r\\n| where Rule == Child or Child == \\\"*\\\"\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\"\\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| summarize count() by ClientIP\\r\\n| top 10 by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Attacking IP Addresses, filter to single IP address\",\"noDataMessage\":\"Filtered messages are not attack events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushLowerSection\",\"exportFieldName\":\"x\",\"exportParameterName\":\"ClientIP\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"ClientIP\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ClientIP\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"count_\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"25\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event 
trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable (Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,ruleGroup_s:string,instanceId_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string,requestUri_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message contains \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| where Rule == 
Child or Child == \\\"*\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\\r\\n| where '{SelectedTrackingID}' == TrackingID or '{SelectedTrackingID}' == \\\"*\\\" \\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| where ('{ClientIP}' == ClientIP or '{ClientIP}' == \\\"*\\\")\\r\\n| extend RuleGroup = ruleGroup_s, InstandUri = instanceId_s, RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s\\r\\n| project TimeGenerated, Rule, ClientIP, RuleGroup, InstandUri, RequestUri, RuleSetType, Action, Message_Details, File_Details, Data_Details, Hostname, Category\",\"size\":0,\"title\":\"Attack messages of IP address\",\"noDataMessage\":\"Filtered messages are not attack events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushLowerSection\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"75\",\"showPin\":true,\"name\":\"query - 13\"}],\"fromTemplateId\":\"sentinel-WebApplicationFirewallWAFTypeEvents\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Azure WAF Events\"},\"name\":\"text - 10\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Subscription}\"],\"parameters\":[{\"id\":\"afd56a69-16a5-436d-850e-16c24e839503\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::all\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"e38cad87-ff16-40e6-9384-f6fd24fa9d6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value=strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"value\":[\"/subscriptions/6b1ceacd-5731-4780-8f96-2078dd96fd96\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"a125fc08-be6d-4b8b-87e2-7e0cd957db47\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultWorkspace_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n|take 1\\r\\n|project 
id\",\"crossComponentResources\":[\"{Subscription}\"],\"isHiddenWhenLocked\":true,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"65674a40-2869-4867-a24d-f86f05fd0354\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspaces\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project id, selected = iff(id =~ '{DefaultWorkspace_Internal}', true, false)\\r\\n\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"49e2f511-592f-4d7f-8fda-d686803f3dbf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000}],\"allowCustom\":true}},{\"id\":\"604a42a0-deca-4a95-a15f-8977646a7fac\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WAFType\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\"\\r\\n| summarize Count=count() by ResourceType\\r\\n| extend 
ResourceTypeImproved = iif(ResourceType == \\\"APPLICATIONGATEWAYS\\\", \\\"Application Gateway\\\", ResourceType)\\r\\n| extend ResourceTypeImproved = iif(ResourceTypeImproved == \\\"FRONTDOORS\\\", \\\"Azure Front Door\\\", ResourceTypeImproved)\\r\\n| extend ResourceTypeImproved = iif(ResourceTypeImproved == \\\"PROFILES\\\", \\\"Azure Front Door Premium\\\", ResourceTypeImproved)\\r\\n| extend ResourceTypeImproved = iif(ResourceTypeImproved == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\", \\\"Azure CDN\\\", ResourceTypeImproved)\\r\\n| order by Count desc, ResourceTypeImproved asc\\r\\n| project ResourceTypeImproved\",\"crossComponentResources\":[\"{Workspaces}\"],\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"WAF Type\"},{\"id\":\"d54c1639-d46c-4655-9d76-d5416926a453\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WAF\",\"label\":\"WAF Items\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door 
premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\"))\\r\\n| summarize Count=count() by Resource\\r\\n| order by Count desc, Resource asc\\r\\n| project Value = Resource, Label = strcat(Resource, \\\" - \\\", Count)\",\"crossComponentResources\":[\"{Workspaces}\"],\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == 
\\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n// Application Gateway has Matched, Blocked, Detected : translates to Matched, Block, Log\\r\\n// Azure Front Door has Matched, Block, Log : translates to Matched, Block, Log\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| summarize number = count() by Action\",\"size\":3,\"showAnalytics\":true,\"title\":\"WAF actions filter\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"SelectedAction\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"27\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has 
\\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where Action == \\\"Block\\\"\\r\\n| where requestUri_s <> \\\"/\\\"\\r\\n| summarize count() by requestUri_s \\r\\n| top 40 by count_ desc \",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 40 Blocked Request URI addresses, filter to single URI address\",\"noDataMessage\":\"The current data has no \\\"Blocked\\\" results\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"requestUri_s\",\"exportParameterName\":\"RequestURI\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"requestUri_s\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":5}}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"requestUri_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings
\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"count_\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"63\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, 
clientIP_s)\\r\\n| extend Rule= iif(Rule has \\\"Mandatory rule. Cannot be disabled.\\\", strcat_array(split(Rule, \\\"Mandatory rule. Cannot be disabled. Inbound \\\",1),\\\"\\\"), Rule) // Removes initial component for mandatory rule \\r\\n| extend Rule = iif(Rule has \\\"Total Inbound Score\\\", strcat_array(array_concat(split(Rule, \\\" - SQLI=\\\", 0), parse_json('[\\\") -\\\"]'), split(Rule,\\\"):\\\",1)),\\\"\\\"),Rule) // Removes smaller information if more info is available for anomaly score\\r\\n| summarize count() by Rule\\r\\n| top 50 by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 50 event triggers, filter by rule name\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Rule\",\"exportParameterName\":\"Selected\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true}}],\"sortBy\":[{\"itemKey\":\"$gen_bar_count__1\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"\"}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_count__1\",\"sortOrder\":2}]},\"customWidth\":\"30\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == 
\\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| summarize count() by Rule, bin(TimeGenerated, 1h)\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages, by time\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"timeBrushUpperSection\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Message\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"70\",\"name\":\"query - 
13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,requestUri_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string,instanceId_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == 
\\\"*\\\" \\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\" \\r\\n| extend Role = extract(\\\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\\\",1,instanceId_s) \\r\\n| extend RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s, Site = site_s\\r\\n| project Rule, TimeGenerated, SourceSystem, Hostname, ResourceId, ResourceGroup, ResourceProvider, Category, Role, Action, Site, Message_Details, File_Details, ClientIP, RequestUri\\r\\n| sort by TimeGenerated\",\"size\":0,\"showAnalytics\":true,\"title\":\"Message, full details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushUpperSection\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 11\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front 
door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message has \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\" \\r\\n| summarize Amount = count() by Rule\\r\\n| order by Amount desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Attacks events, by messages and filterable by rule name\",\"noDataMessage\":\"Filtered messages are not attack events\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"\",\"exportParameterName\":\"MessageFilter\",\"exportDefaultValue\":\"{\\\"Rule\\\":\\\"*\\\"}\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Amount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true,\"aggregation\":\"Sum\"}}],\"filter\":true}},\"customWidth\":\"20\",\"name\":\"query - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of 
messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message has \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\" \\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| where Rule == Child or Child == \\\"*\\\"\\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| summarize Amount = count() by Rule, bin(TimeGenerated, 1h), ResourceId\\r\\n| project Amount, Rule, TimeGenerated, ResourceId\\r\\n| 
order by Amount desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Attack events, by time\",\"noDataMessage\":\"Filtered messages are not attack events\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"timeBrushLowerSection\",\"exportParameterName\":\"Message\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"customWidth\":\"80\",\"name\":\"query - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == 
\\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message has \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| where Rule == Child or Child == \\\"*\\\" \\r\\n| summarize count() by TrackingID\\r\\n| top 50 by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"TrackingID filter\",\"noDataMessage\":\"You have over-filtered or you are missing this data.\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushLowerSection\",\"exportFieldName\":\"TrackingID\",\"exportParameterName\":\"SelectedTrackingID\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"TrackingID\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TrackingID\",\"sortOrder\":2}]},\"customWidth\":\"20\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable 
(Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,ruleGroup_s:string,instanceId_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message has \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| extend TrackingID = strcat(transactionId_s, 
trackingReference_s)\\r\\n| where '{SelectedTrackingID}' == TrackingID or '{SelectedTrackingID}' == \\\"*\\\" \\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| where Rule == Child or Child == \\\"*\\\"\\r\\n| extend RuleGroup = ruleGroup_s, InstandUri = instanceId_s, RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s\\r\\n| project TrackingID, TimeGenerated, Rule, ClientIP, RuleGroup, InstandUri, RequestUri, RuleSetType, Action, Message_Details, File_Details, Data_Details, Hostname, Category\",\"size\":0,\"showAnalytics\":true,\"title\":\"TrackingID Messages\",\"noDataMessage\":\"You have over-filtered or you are missing this data.\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushLowerSection\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":50}},\"customWidth\":\"80\",\"name\":\"query - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and 
(\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message has \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\\r\\n| where '{SelectedTrackingID}' == TrackingID or '{SelectedTrackingID}' == \\\"*\\\" \\r\\n| where Rule == Child or Child == \\\"*\\\"\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\"\\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| summarize count() by ClientIP\\r\\n| top 10 by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Attacking IP Addresses, filter to single IP address\",\"noDataMessage\":\"Filtered messages are not attack 
events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushLowerSection\",\"exportFieldName\":\"x\",\"exportParameterName\":\"ClientIP\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"ClientIP\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ClientIP\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"count_\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"25\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable 
(Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,ruleGroup_s:string,instanceId_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string,requestUri_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message has \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| where Rule == Child or Child == \\\"*\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = 
\\\"Log\\\", Action)\\r\\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\\r\\n| where '{SelectedTrackingID}' == TrackingID or '{SelectedTrackingID}' == \\\"*\\\" \\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| where ('{ClientIP}' == ClientIP or '{ClientIP}' == \\\"*\\\")\\r\\n| extend RuleGroup = ruleGroup_s, InstandUri = instanceId_s, RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s\\r\\n| project TimeGenerated, Rule, ClientIP, RuleGroup, InstandUri, RequestUri, RuleSetType, Action, Message_Details, File_Details, Data_Details, Hostname, Category\",\"size\":0,\"title\":\"Attack messages of IP address\",\"noDataMessage\":\"Filtered messages are not attack events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushLowerSection\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"75\",\"showPin\":true,\"name\":\"query - 13\"}],\"fromTemplateId\":\"sentinel-WebApplicationFirewallWAFTypeEvents\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
@@ -1063,7 +1063,7 @@
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "2.0.3",
+ "version": "2.0.4",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",
diff --git a/Solutions/Azure Web Application Firewall (WAF)/SolutionMetadata.json b/Solutions/Azure Web Application Firewall (WAF)/SolutionMetadata.json
index 73ca419a03..9e924e42a3 100644
--- a/Solutions/Azure Web Application Firewall (WAF)/SolutionMetadata.json
+++ b/Solutions/Azure Web Application Firewall (WAF)/SolutionMetadata.json
@@ -4,7 +4,7 @@
"firstPublishDate": "2022-05-18",
"providers": [ "Microsoft" ],
"categories": {
- "domains": [ "Security – Network" ]
+ "domains": [ "Security - Network" ]
},
"support": {
"tier": "Microsoft",
T`gcNqmA7trNdohAY2jNvrtS*Y;V5-s+vR*3t@!Sk?X^7Q5cZ^jC
zEaVWNSiFefhr^hPY9$zTJs~nZ!TXWz+Rv2`
zR_aEfv~~1VC}HhpvEs>I0AeYaa7;}rl<