From 8e62dcf051232889f66ab408122c7612f66d0b06 Mon Sep 17 00:00:00 2001 From: v-prasadboke <117061676+v-prasadboke@users.noreply.github.com> Date: Fri, 31 Mar 2023 16:57:39 +0530 Subject: [PATCH] Azure Web Application Firewall Repackaging (#7711) * azure waf * Update zip --------- Co-authored-by: v-atulyadav <104008048+v-atulyadav@users.noreply.github.com> --- .../Data/Solution_AzureWAF.json | 4 +- .../Package/2.0.4.zip | Bin 0 -> 17531 bytes .../Package/createUiDefinition.json | 8 +- .../Package/mainTemplate.json | 74 +++++++++--------- .../SolutionMetadata.json | 2 +- 5 files changed, 44 insertions(+), 44 deletions(-) create mode 100644 Solutions/Azure Web Application Firewall (WAF)/Package/2.0.4.zip diff --git a/Solutions/Azure Web Application Firewall (WAF)/Data/Solution_AzureWAF.json b/Solutions/Azure Web Application Firewall (WAF)/Data/Solution_AzureWAF.json index 53f9890b96..26aef4acbf 100644 --- a/Solutions/Azure Web Application Firewall (WAF)/Data/Solution_AzureWAF.json +++ b/Solutions/Azure Web Application Firewall (WAF)/Data/Solution_AzureWAF.json 
@@ -2,7 +2,7 @@
 "Name": "Azure Web Application Firewall (WAF)",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The Azure Web Application Firewall (WAF) solution for Microsoft Sentinel allows you to ingest Diagnostic Metrics from Application Gateway, Front Door and CDN into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor Resource Diagnostics](https://docs.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal)",
+ "Description": "The Azure Web Application Firewall (WAF) solution for Microsoft Sentinel allows you to ingest Diagnostic Metrics from Application Gateway, Front Door and CDN into Microsoft Sentinel.",
 "Data Connectors": [
 "Solutions/Azure Web Application Firewall (WAF)/Data Connectors/template_WAF.json"
 ],
@@ -18,7 +18,7 @@
 "Solutions/Azure Web Application Firewall (WAF)/Workbooks/WebApplicationFirewallWAFTypeEvents.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel",
- "Version": "2.0.3",
+ "Version": "2.0.4",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": true
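Review bot: The removed `Description` text was the only place this manifest told an installer that the solution depends on Azure Monitor Resource Diagnostics, that the dependency may be in preview, and that it can add ingestion or operational cost; the new one-sentence description drops that caveat without a replacement. The dependency itself is unchanged — the analytic rules in this patch still read the `AzureDiagnostics` table and declare it as their required data type — so the cost and preview notice still applies to anyone deploying the package. Keep at least a short note in the new `Description`, e.g. `Requires diagnostic settings on Application Gateway, Front Door or CDN that send WAF logs to the workspace; ingested AzureDiagnostics data is billed per Azure Monitor pricing.`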
diff --git a/Solutions/Azure Web Application Firewall (WAF)/Package/2.0.4.zip b/Solutions/Azure Web Application Firewall (WAF)/Package/2.0.4.zip new file mode 100644 index 0000000000000000000000000000000000000000..91e1890c95992d3f88b158d6d9f439167b1de20d GIT binary patch literal 17531 zcmV)HK)t_EO9KQH000080OopsR?vp1O_~Y-03a*?02crN0Aq4xVRU6xX+&jaX>MtB zX>V>WYIARHLLA5Wb0q2@VzH^JnFsNN>m+>yS zM{=b&ssDRtxbKo2Td|!4*WlpOa=A0ZnP=Wee){7d0K7k&Am%Cao`V-#o0;dMQ8D7D zOtOflTw0%f%r*A|m6q?!XwTpG4~CiM3&EG8L(Q4xzZ@U&xsbvNCH>cVV#Tki|K2G1 zCvV_*#Y~0?*Tn0!2(&V4ZvC;N-J(!VUT|%Y5KZndD_>_!vy@w$gfl+T5Do@P&PCJ= z;E*t9;v>@`4$fI(_@I6>V@3p~JsAf>ZUQYbTXO!JNFy*hcrmTDquJ7rgpKoAZn#E{ zmNZ1VaVshQ4ktJ$Bu_@DEEIBdru5}ZsY^3DPEo67bfO|e*ki4^t0fE~41h&p%A%RPOHntSo=Ny9*bmG1nYYb_FvI?=GcUN)X26+?@9+Vc8|x z(Tq$fjZsNXOEYeEF}V*J*OsB(WCT`$jfH_pIdK44!kOWq`JC(GHBXV@Tp@2Ejb%xK zANm(097+Uk`EbT(FwU|>1dPbQOQHD^r$X;+{IU;~9Drn?h5}Sd1DvUr2Ch_2ERjAp z7LEjqq%u|n@S0nVwu8A=X@}1%1ksXR4dA6l!@!Y3`UpBWJo*{QAgy&~K1mL{yGP72 zI8;*dz$$G>#rp#suPsL-PibTX^Q_7| zefTe|Q>kpRZr0AnwQWNc^u0j~(j1ZXx zkPOtS=ty_nS(LXBM$8gkMY0=2uMGN1t2|qi-+9(g9|XFQq(EtP-X>K2EPqsln^;*x zqa8FQMq*kwuJL4iRxhP3mA%S%H}2Q4_QyIMX98W%YL#@qQYtwWvm@FwflB5ktb@{R^PRB4Kd{z$9r2(w9NcEV;nq3N5^kR>=0t0XLn zfr+yZFt~yB3JOBx7*e)d3d|@8*VwDW0N=zQuupL#n3plR-_0qjh@!PIk-Y<_#agQU+_a7x(5q#druh_=R>kkp=3 z0`0tt9#{cow+0W2szIH8H=}7KM|UR85*G4PVVyLeor$KWytS6;Rs;HG$@Yhqf3R!$ z=0^WG#o2$yRB*ZWiOPzsxt2JqZ3%84)W;F2L?iZXL$2^iMriu{adM7ao= z45-S4qS$EkKz)Gkb(MDAe(Yw>yBT(fqF)|7wqc3MrWb9Pua$tMkj}8AvLZOF6+Mnh zu7%fX=CB$xep<^;eTpj^>z-g#5+4%fVMTeB@O5{ftL)~XuBUEKF>7U8H)*WD#!Puq z&gh0_Yz#3hBU-9#epmyJfOtcV=w%4w?srE@whORMr0a&4%@S@KSZc|>hmcYU)5DGs zBS6fP%r#&UCM%ldN{%8rkXEf*tkqWt&ZNkt&QsU>tJ}f@4r^P6m$tng(eWF_J9m6! 
z#c${G598D}$B-siGDNWj{v4tywR7?9Tze~Z?%!RL6AEWau685Uv6!+O@&{B{sUG>$v?~xrr>4-`3(dlEylu3PwdSWd- z%{zMX;Xmliu41NE)D>f@)TnH^1%W3^!EU`D!46}7AnVXfM7;jsU{C%U=@+p?!cs&;V`!0z-1+% zuIBuCj+|2jAsu~HC4h181}kVAilLq&P+0$K7hrwlxNtteOoqTP?~Md ziyZ}3oErh1%Ncr{=h_j>C2gi!7u;hm3J&-7gXZCmU2nbJzq#ujZ+!iwUGGL_aKEm1 zvxM7ry|rZDL)S~HYWAEe(Lm<}D4u2s;`UOU7cPihv~L#N;@|gB|3kLEW5^U;D!?@-S3s3% z;G#6e^zz6FmKdb@2Oi|K@4{%0#<&9%oI=5z>jz7G^$NdP;yZG7HyFm%%vhbfy{21A z089#EQMLtGi_^InD$w1SAlJn?b>}H0f{uK;)U7*S#Gx#=m8VaoJ9~o}w@c1t{b~IL zd45+sWKh2?j-U*0B%M2;zs9k9hgiaor zr!!7sAf1gGU@*tz-_b*&qVj;Yyr|N^d6rv<*@8pHuw4pWmbS%4BD%QBkz*;X4|KD{ z6uLT8AsK{97Z+(mx^u+IxX8qvi#RH@UK?Y$LiM9`)z?^w(1xQ${s9qkU0tm5BqZS& zox~A;tQ|x_jmw3=GRR$nx_8O2RY-Zr&4^Yd_eS$n$|DH@95s%+)yWl1~O1I+g1cvZ=94?p3VW!o4SB0qz zbty*&d;8Bu<7XH2|KTBZmBWd!{9;mEYLU@J4;R?KH&UC2rrRoh)YlADZZT(fOwn9s z8Mdx;dGD|tHn#VLH#jh7^zLzsV}LqmiK)JD*Dxyf%ZBsHbq{xCqgq4fx`x+TS@qEC zOldCG(3}n2s(V6Cr}zi|`yWtC0|XQR000O8AbNjR0ak~q<2V2SNdf`@5dZ)HZDDC{ zRAp^&Y+-a|E^2dcZtOj2bKAI*-?wW216H%OlD9-#m#=L3?K-iOaXlyT*v@2MMJWwT zLJ}twsUaylo_X2dzTG%TkOCyiM@}hKu?037eFNwQ;lKX%UkIuFd*Y7Sgw~#r+Bi+8 z$&;-u(Xu(AAsw*^3)4;d=PYKMZZwh4lC4gwz3;SoPOH7;v1t(9BHSgLOaq#-&EJzK z{HfOD1GrI`!n0plocK|Qyi%mhhDu-8Qt%u*PPq>>;qjAC+#Opv$iiX2X-f$vfd^4yQv4GjX) zczgJKqlVZ%3Bsl{ra&Cft&tW)qF>$wjp^-_;kZc}`{78DguMCTDGNvG7@oHCW{(Z& zEJ%N)!HoBN7qcXq#V&ghN3&^TV^fXtUdJ^jCy6U@V}B}Xs=bO*GE11(Bv-SPgp7I2 zBWXmYG)V}JCr+Av0I?(~`R!B=;#`cQS>QR))p^RCpK0v55p?@)lYq2{A0{cI9%3cw zn33OZqWD8Hr7m+6nZJ>nvG0zFpAe75{xu9ajH3w$KRqN_hnk}MllbM6Qr;os}7%kUT*P+oc*q8?9;1&>64#|i6cRbgrH)o;$ z$Bc(~|7 zd342fDl4w@Xo~ABRb02C;yB#Z?oO|}4;$|7)?VA`?RQ$vetVZWbbEW>^W1K)w>Mm( zxNarIb?u7lKDy$%l@-^0G{tp`ic@Q)Vwh}e!BjyM=TunYX)8Rnz*9eu`MUkBT8EWU zEsk!5SrfraqMawGZsO>ULG0#gkw}eW>yxZmTJM&SZ`Fs4ew{`7=-Bn~LTslF`EF{d zQWiz7m6g(|q?C#QYDJ}VmMLW}$eU1DmC~)?Bwf2wUdx@{0!=ImMJsEfTS*fYBhHGN z=q}U5T+}w9uxg@LK@&Z@CSU_`3A@{+j?sHab@VE!qxUH4=q*!6Z>c(Zb(!pw8|f^6 z2tD5kyz{w(TwH4Vlx(FM$9jr~PJJzz-f4B(PHWp~wKWi#qp8QL!^-9uDvq~ z*U596ddHNGw1fd~8vCBd!YniJR$-Xm>}SaHEo1@vJTfWtODV-8oy9!4k&`!#BiMYV 
zJ}VPh%9d0q6%Z6Can*3-#!tst!J$C3=O@s3`${UM67mdD#)bGrF>?nK+PW52b5~oE zzP5r%HS1gTrVU;#sB~}tj!n;FQxo5-kyxkHtEjlcQ&Smo7$g2+Tzkm}EX>bHq zXPdo(FelUx6~RR+$m5qJvw>WpL(K!M0W-JO_a!97GU2Dh|N(lfXwdS$kePE4j}!xh%+#!b4&eFKMg8R8WtSW*;U{tV^%DvTY$9~ z@RG(Kyy%9DSn2}nqgX(wLXD`oYmen#t4W^6U~J?lisB{#m}f_?Hp%7KPq5xWKa!-IzJ%0fw8Y=K?wGAHnajwK1_>k62)g^%EZHQ_qacWGP!NeI zkH<4tPzasi8>16JeX-!9@sgJ=gJ_fh4(K>vaK({gGKpdw1*AFQeVZgr)r-T+NjdE|8 zK`{0cjY;TN#`HHrM^R(fv&@>}vkGUr?SB^xRj}|&6qDtBllwTg*?-SK6(R@i1zen_5J!^GYi)xgsNOVQN`y3^%IbK)esG7Tc1B~3u*gpqBeOZMQF=K2lyn|4p1QUt(hA z1LlUeEXz5F@6{3?<9zuN>EG{o`AZ6h>PNE#jPrse+-?SnO&Xl@oqNemA>imi!a;|#7)Fd?Jj^K3BRFTyr9*iUtnP8})KLqK9X>cp(31^clhGYO9qXZ}!vYVnDcovTjGNHF1 zKlmX76~9t#Os^TgO^u=aJg#WGVr?8pGZ;})i%C$1NlcX0v&ch*D4!r68$yIf<-#D? zL100C)3G0ZNbsgDs(KG+0ZCGt!uWVC8z(#AH?|>hGyqE$SG)~S>z0ePh(ikVU%5kV3bLm)N|#6sj3-IM2CO(1`$ zoo~QW!oPr{`4KL*+uncmLu{TP+XtlnRA{g+n|0|P5bqWY%6A*@>YY{#rm=dv)vh<; zOAo*Fu&ut0U+P`{e~&-jhW7Ux3ZXEnr(k3Uq}!T6b9sx>57i!}uzipl0ge8R9P$}J zjH39K9Q+@tYXLx}kyIFfeMMc^BsYaYf;%5%9Wf!;iQ`bwAv|E!VX*9Hv|LuTaeAb#aHn14b z(5O`~c@tKtIcwQItw`W;=vnq^%@X9ZXa=F>0New9Ha3cK(q&ZcC}p6@2nYH*yG5zc zaKsu{e%LVfX=>I21kJ;7@=H+K7aVhP?XZtistt>g3z-a4_hx`pb{ORQAfkdWDE!%svy2v<-SJUR_Lu5`Tt!*xS*(~WG*IdP)^ zOIBBqR-v0_SEzLg>kOA^rq#q>!NLmup+RaEA%8ss=za(cgo>u7K8lXW76Q~vYqpoo zO@n!C{}xufhw&(p3}@R?UsU8 zOq`z-z~hX!68!5D^QC@^WK+O%ky~g1fo{sy4uhu@^ci{=Ty%Q(qA&{xQiP%5tvO~G zqMP)9yF@l&tEPzgH?tPCaEK8I)*h27@MQ^uCuh%iwe=Vl5Gi_c(NiQM)8es=k`KO> zMlqv7!${eNJ{6i!;xfFcQ7tDxnap!y7R4SY$-;_J8P(*?$!nVB*));bEErK!xBaHc zu$!7M^^M2)#8T=x_m+G`q^D_A3yk&c>VGgsG*t z7t*P(z+2WCKNbY| zsreofF_eeI4m}SI+@@dNLrlJE50*z3>sw96*BNXtFlACv`NNYlBVv;sl$+MCL&#IP zg&eH?RBrLoy!*Zk@eqXsV^k}gyIn;7s&6tFZ`E7+B1193ZGyBMd99R3l_<<7U$e*S z_ZX_3m{p(kdkhO39`ZegFH*$q6#VGUY4oqXbXK)uRmI=SvA44>;x03>3Ps$`x`_KI zMcmGPi@1l+kDRlZO<-^6fPFd_znuCT`gcNqmA7trNdohAY2jNvrtS*Y;V5-s+vR*3t@!Sk?X^7Q5cZ^jC zEaVWNSiFefhr^hPY9$zTJs~nZ!T$Wlj&v@kG3wOX}h&` z*y;{=6wj#NGOm|PGn9oV2L<7i%kQ*&D0`F091qm5Y9Uw%&ZB?P)Z^qk^h$ 
zUTed?hha1U^S*E+yeU?P^I%`<2gzWPi~x8H`smjR+84lJjY$rS8(DznVeTbM5{O2Z z>|+XDU!oC#UNNKeq+cWQJAOqnULC>zDJIfO)t0;v(#*N#WF>_r6hO1YVlyYIsqM%La0)Xd{)xqj=ISZa2ho1G=HJ~rks1IdQs~A*Dd%#Uc z>!E2uLLPCI%>kA)S%8&BYXTQ`ASHvZiwsN*c%mF+AfH!hb(>R0sM8Nd9dlN?oD;Xf=}GaQVKOxXtyALq=Z8v(AAx~}2|K=~iDfPXpkscP#{RsRS2x3) z#s0OAFJT=gu)-EbR+Wb;8Td}ym^kFmTHE{9XPCLSJZtTJ!&&_|abPn~4qeRX^C{(# zlKF4WPtDnUWB1P}qB|Ep&K^xx>%zwuDtvUleBq;GoV%(OKFoVsvU1_Wisvy3AJ)Ov zg^zXNW3JP>@L|h~b_;%V=Zw?Wo^Gz3<*nfF<=ER@7e1DmScSqzcU|~+l)^{%p$i}X zdvUR@dt^5IgVa6dIpzJo_qs<&z}ml-atB#l@3^_San$kOG@3e~IP`(tt;5{`{&b%4 z>!dFHlnpM_by9-{FlfHBplU?~CG?{eM1bdY8Dw1sS(ic9We^FpE`#WwAF2#erGk-H zL8=Z~rEbyQv)3j%t*-4^Yj3+-m5z07BLA#w6Z4;nvRcbUo3IYHu1&0K6LXz@?AipzLDL_-|2}Tjdn>tn^pb=c=z&WSN;}_15n_QY zl?xCGRF3wYT%EVb+#aLuut4DVt2vm{KkDc4HD*LJlQ-M`H(qU+H_)%8(ok4IBZ*ZD z3kv?(lB@CV>U0u*Nji7ffMhuMlQ3&}>IgX?gqtEDQg(0vC|@0|`8}AH^dY z`hN+ zPMKe%RoHYCr>Z$4Kr3oHXk*ruHeS9R_xNA|8o1jrMyDAbu5NAnFXnT!L2B7 z{9^{5&#}}w4vz)?1TX97ZOxK%%@wZtaX&9qs6`U4zxeI#ee>1&(5yP#wP{DFMN`KsusxIgdAirO>!zrSVO1-ClP93ze(k-{K_UG6Xc%~XlR*5M&xDB?f$-Z*)pOnNeg*sdCJ=P@4 zA@kjElqd82`D7lT<71__f#^7e88peY`aomo)|kg$kZ7kE+`G-i!QB$mAI$8;6^8iR zU*I%Pczx#+f1vt-2JmYX=ca{s86xn?a`06lPm-V=zDtxC;?3>IAR%6K23ZV!GurI{xUgAU9x86)w2~ zImO{$FypOHP3s>CGhuvf`%&t;5IDsomxDZyqe&L#`ty_O16pg7^D@Kr5C@Zf!CY7$ zr^1-U-w}K3d+C@z?Uo|0IK1MJ{k3@;%{w)_XNZU<;Gw7N%Fs+bpJzZv=T6~Aqh!<;c{9AhWF4iGc3&8m3A0KPV5lh3o#ofuq?;@ z?N?R(#cjKtIElj}jM3A)*zT_WR$cw6?y740-$(X8+Two|`{2j>Elg{%sue4BOEpPC z8m%0QsUPuhv^>v}bL$ccVv`V{5p)^Onl+qZkaXG{~||0QhKMpD;82|xDJD=jY@Rl^&C)dA}IY{`SKk0itYsm4mJ3!xV zM!p-@PWaWM+Lj16c_2HvRL`r#qN4mc>OjaI_JfDBE)^W+=Q@5aU7tVCt)8Cnl1F^3_DCd-t^K_G;kH4yW@HNm0+&cgAZzs1` z(RDB<{*8|t&on*7=hG2a8q~MiGycsp_jk*=KYQ+HO#S4{m!xBJU%+ZYp)IyJqOMxg z@w8c-SnP`W?CLRuk&8!ykItf_-@lB4$zAk#A?)WYWzBC)u(EI@PC1-ntB#v&=HwGy#H{3*1?Qikv&l{g93E~qyDP?%6R;IL(1>~Wr zPC-Oda1Yl!&EtBNrVgbQDp9dhe=rt$Pli_Yg#E0PJ$!X7B=@tHEw_LN9%%vfBQIzEbD3oY4mkK2- zr)8l;X@(a`@J~11uziELq)@WQMh0Gn;x}*Tpz%|oM0NO9DB;h)6iZH-&=G_zdXWz+Rv2` 
zR_aEfv~~1VC}HhpvEs>I0AeYaa7;}rl<Q$HhYd3T;v-MY+?`<~aOvQar*}MQ~W~Wd$pM zHnhBul?^R!HT4FNu;^Yo_wMn)yFiMu?cqWx^H3}WcK}VA^Wets9^KuAaxbUgLKH8` zA47(>!A?M&2 z@=}_Ie7?dUdXG?)-`#wQ9aBDU9kQJrHd5j6#sS3@bvnVl#|C~lWQ#!Q6F3Dj{jCehy0Abzj>kZB9EAXx$(#SNr$4S zsOTa)8aZ1=8nI=BmvE;u2s%5rP6%BkLa(SWB-`9@?HLB%91>Lv;06<8N`SUSBJ(H` zU7=!A020wp>7W?#7s(hIdBU)~jhKdVWV6E=%HgGOF-3+l{PU9}{TJ`Cm4}mMWe+jf zdjP16fJiA3KDu=<4PE7b#bsOgUAtM3aisJdrh<#=!!?_%)*ix6I?B079&bXh8b4WHF z!s6B8mB2Re`5D#cd0S^tlW4ii2$>n1BJ+mJl$noZicA_Ztdg7tvxMwi;jBbMGW*-DvsP&^SCm9uk**eBRQ|~gvHfIKHj?c(c7;|HJluu59 z6CqbK0ydkPj(<5TG$k^7q7F)EXH~@X+7OTZO-D10-&VMAgu7Q9UNUcF$2=mrjAlB6 zmu5sWt(DPCi;QMkTTL`mv9-vrjra*enx=1XeFGs)&DYW{JOdShpF5+Gtp`eqqA~vib7A2k;A9ct6JqT)Xmt0||NDCdta>Rt+ z4#nBBR=e~$(Q(=XTC;5z$y1jWvduJA_P=y3o{i!bmWXe-)@X!Xek=-aDtHH>$-CO! zVtAawo|Gi{K!zaCxcq4^f$%d6$KIX(@@51}@pHWX;v5ajOE!ure{9=9aUFfHW`uzg zZs{^1HZ9drlOZkvo1zF~A7yvFN+L@7pWnSlyyH{7SHsXMXb@uUT)OYG>Q8r0;zKe) z)PIm{;|MUsF}*>}Lw&9u}sDn{M^k4aD4DF{d;+8tatXuj4+K)p^!9N(2Qfm3@2lR?pZ>+S<88UJ1vxDmX*xz8|R%2rZKGM*}QUfb&i2f z*N`a|iy-{U45yal348@yTeMTs{-qa3}nAIoPc^w_Chl` z>NlXt93=Wv3B6)0(_ah!WU)_-dt?lX%d?gqj>2MkEREDj5^Y-KNJqGu+z6|y<|*Kgl07$@`k8MxpW;pPp14BpP=`BcPoxtomc2Fp#DhIzv5zo`k6 zYrg35Jz9xiAK7ze3WOyJ412?0gRqXTe!_IkLAB?aFyqPSpOe53S2AZ_*_}v*&zWf& zBSvWM(t}y=v`jN@3Ls;a0gzeQ*e+wSv!=~zD^fICn##e62_uSDEYc1C#3Smo^x!&H z6so1AM{SwDkEcOP)t6C6W{Z{+vN}NRcwIL17Z4!SBg@TpAnE=ZjLmc1Bx11ZU${tY zW@m+EqDUJB59fHdCA_RwDix!UOGz`jo|XjS+HHP@E1ka>jyz|!- z1I@Ma0DHC8bFaiXthSJIn6Y=~auGA|*Gu_{naxz$Tz+DiGz#<+%PfNnV)I;QrJq>o zCsz82m40ID=O?yX`ic3apI9+|V!Jc_#CA(Ru_FD%c30yk_7yk=5v^i&GuOW@=dj%r z@OuN!Vd+Lu-bJUKBJdWS!yNb*cTNW^5d4n;=w?PaA$@bU68vI*Tf3|G+gi+XDmr+e z$1F#x`hi#LHL6v+aZu~ob$734@Aq8CcANXn{mO1{*X{K9F;bpF)n;RS&sj8NUPmh3 zo9DW8rFt{2R93`(Zlm68{Su&2eqbCZ|p9>ejsmj#;av8 z-tA;C_IX^!=;c2rf!KfFAR4YWz&&OU$Pi43G@w0*F?gh`q5)$KigNX4GUpIjDHrA8xsI1ldi7GB!fkSAT z*A`(kre(wDL>SRli}KF6_&ZL4&$wws;_OJ2cqT#2=xGs2y||wRoxAdLdi0&2Gl-~a z&y0w+FMD90wg$o*tAqhERV?X+mv-xt%{JoBb`)LB!U@t&Wb 
zjkZKtcK@rIp-Zj?OHR`iktJtpa)~lI6U5PwK3Nxt_^Vp=Gx-qIUl%X3HD<;He#u-% z7GTZO*v^N(%Tc;bl`LBj%Pz^IpCW!#+^~jBxtJJjE^JRHcm9cPX+#(MD~;$DFrwRi zc_X^y>D4Q+oLlYD!YeUqTP)(a?2x(a*yIqul<}JR7>&(kyp~C$K;yN{GPnRV&oNdS zua(AYrSV#6ytaPEYxUB2%`c7DiZNcR&oo}Em&R*F8n4w?W4s0|i7ovJ!<*Mr=@F0t9KcGLzMu&W+>9W_}WJClfL);u0liyh1^LYs`W>{BWyJ@39ArlQn1XHa;P4+L*&O6`Y9@EbH|FMm{ z`?VW#OPfc=P1=}*=^N{(c4^W!#1DU^HT>^=Z+K4E-6iV&Eo$GCJ!kppX5`%UcScc} zx-pWsyWe%({XM(at2XU=#cSFJyZd#!*X+5qde1p&t?$j%GZ66kq`hIiIc4~Fk?(H{wl}694>^ABP z44@jhP#>|z>O|9$L(QV$O$i%6E@0A3nUXG%eM%k~Ba3^pLgGa{4rt|2@7dC>2ygyQ zmmIeG%?gNynp3e|uj|-#=b&Lb)dq~-!QNi8-gNeQPIrNU6FUemBpL9slT(o7;-ZsH z)M>aPv?(r@{{S!rhSp-E2|tEwhw4>y-$3%!h4zZu2x>3JBWD=$w`Xqj9$t4rF}}I< zdLXWb-KeB3_MPlNI4)ZJ7yGd#u24~JmN$G9X9J@dwdl!DFTZ~IcJlS><5HLvt0_#mKw$C$}rFN-kE>>j)WgRBEcH zO{^XU4+vAb*>K<~0!_~;r6ak@F9#D6fWWZ){jr8x(PECSj{7%U&(50Nh71sM!(GqFdm z6(zUtrtU%)eV|Gjd^gMWCdYb{%YkokJ$SXAd*y;rE*RHua>000>qUGlr;npr6C!_+ zgu}?OFsE1jj?Kf?nJqTXgBwZPnDZo0&bar9taX${=)E#$R)Lx2g!nb75>E6`1(E!+ zn2>E4j6Ay9RHTc9nl8=MHCLu%c^WWsMa8Jz9|yEQZ?O}Q)wB`(fr~seBcTKHcv4uH zv7aRQq$ZrEO&RhNRsC^9B3CHIQYy=y6}85nR+LhG;qPUpr1Bl3EFXAo*$D>1f<5Hh zoNh=wF|A|5{|MJU+_pY~CHj$sw{|olJ&sTn(Nf)%k{-2CW*J42oN-oX7L z7w<5-{DFT~1XPkMv6HX0kS7)U@lhax_q_Sg=1;ocRn+cGcPs)_R-pjMn%^_3#!vMW zvXP!q)oO`q=KfWpniAC%jA}|)^K-$PwSx$J#N%XCCE|(n>tWb`{Wm4u(UTcNyu@Wlgay`e!D!=jVk?md)`2jf&g@d`8yJPPra3- z7QtMeGNy45y<`eS>jf1;q%EwduoTJppMl{qP{1RtJKMkq!(lLH9gn$whzpdv&AXBp z)^V8GR1&(B&sUj=G>=Zr$Hjb3A$ z8{erF%*Oxy*np2(cKY-|G+A$Rs>vbXN4VBtEO*54fTuZc$ zdMUC3eOur%)(lN$*P5vd6|3)&rL)aE6(tDFWT z|0)!@8WEs1S8GgE`Lh(xj|}wCeB*iP;!TP{R`9oKX}B@}uTnE8HG@(!C^ZA3RB8r) ztY(mGG_L{`6>Drp)iR-`#XA0Q6JeT)glw^DU-yTc2W5U%aWFc$gB~vkCNb&9(Io7r zA*1^A+a1iKE3eC8nDx3LA^@HhMEF-nRaP0`Uju}@FANCNcrXnI(`YaW1~af=2;ez- z68CzyMNFD@co_`5%GA#6?gxw|VE*N%~sQdMz?vZ&a0N1?;On%-FbulkGheVR_N!Q`;Zw9~TkHxD3vx377ug!+icNY+LMOQ*dBH=i zM`R;!Jd8Lcf0GSM^mrlSpId6CS~Mh*4|#P`-4SnFGz%@QzmO!(yw29Eyg7;@GMISPbJ92*pacykfY#D8`MpmXB^JNXgY~@LP;Zuf1m~ygvS{YE 
z6KVXJ^0&;|du|qnDdpV!e1)plBNXL#H=knM^1OA3rb{D<_RzNlV~snV;ND{cKOAH9 zaWxY*Kj{WSLgZjk$9;c*vAv=qw~^0?_-`RhCZOBx2SMoJ&0eU0#pv2l0~b~ajCL++ zAijYB^1FTZ0P7BA^W3P=5;M=l%!MqjCHyYoce#NqX|Fr_R?zIH#8 zBMuW^BQpi;+#owY#?G?i&^Jhv`>dRnW!`U1XEVb0dAB%^bc7wZ5_yF{J&%padGHY5 zQJn$er^0s{ddhJv@H?L=_%A_i`Fc%YJ&cz#B_zpy7DTR>5V?fNMM31bFkgvleakomL-B&Gd|VEmHEIX6;Q1sYAIqfU{@3iZv4 zx?GErm&U_*4`JT{Oai!MWcMUGhW0$d7sST5eu#l<06h31ziTiDIG&A)XMx@LR<_nz z)9|nyIb-tqUHpoLvguvuQSfk%QQ+aJQNaRYJHXZyceX?W4SsA(WX-+nT%09C390?z z+qdY3=8+xMR3qz`H1aM=k9c__?^1IqHJ5@lmr`*l6_-+Ri4iSaaft}>G0+N#sUFF6 zYOL6Lt3(D?BSgTsA-O;Y7CR$c;BxbG9VFw7po|FfA-Ui zLeN90UX8%oK?{>NY-?4@-OX6`n*JS?=q((f4D`^YNFi4`sQtixv`cFo z)+KO0F;SX#&MBn*b#x~}8DM{b0Q&KF7>$F0w}itW)4rT(#tJ?6>R|&xJS6k-GsT7-*Wq5CEE{6?j~eXn{zustVJ77 zl96~i#a2Wk{!P(H_W4hFOt}_ElPNDS1+f8cugSK}iyc7D86sh3G=jZ`s{e(rg*Y&u zR#Jom=$3EZ?HyirF0OM3p@;pUH?Yl%ky!9QMFa7tu-o@;9j?xf$9Lg}ogGl*`;*Rg zH@MyTEPG@}qh_CpF0ua(UD64H-@~2GAn5GeIw3T2hm)lK!jIcLiq|ttiQzlzKmUUz z{-jR&?gM)Vs;DsuAE+}I(|o^oMm~0RxVfRmL_&`YXmXcIQsc7rmD@wyce4Ot)d)OmqA9Bk*eRVWFMoPfpyD7Lz`(p)0#aD7Iho z+#RclcW*S=J73@5Eap7Dr&hn^*U~Bhp$F?epIE+DJ?G&3`6@5>SM;xy>Ct&zb%O1n zZ-bHmW5DZ!uQRF~{GZ%uSreV>vqSdYeHo**AFk>1F@#&*e|X%&!MRItO`iF=fHPlu zCuryJoG^|(KY`Uii!p(xr0B$k!%dziobpS6t)Hw#p4-pMc(w%SI7^&fSHa~pFRFW{ z!}8laYi)O(o1nrln3h=(;`9DkF3U z7u)1Dd6!fcNbFq6JjYQfduC?)qKtiemV8zd=UVj4=h)wbDK~W@Vrz$Tz zQ?AUlId#$un=?l|ca^No4d3?qmxQlqUs1_=jtT#D{gx$pSq6W3S-B}}nP%jfNp)>4 z@lKo0>tFn;IYsecy63w;Le^msZ7uWMADvUpOz-^jQ?+1?GQ-}UD(*?dzxzvpeQ=>?9a(1otK%$sypEZH@i>-pMRai3%5lMPLU z;ttpU=MV5^WD;S(eZ&WFTO\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Azure Web Application Firewall (WAF) solution for Microsoft Sentinel allows you to ingest Diagnostic Metrics from Application Gateway, Front Door and CDN into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of 
these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor Resource Diagnostics](https://docs.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal)\n\n**Data Connectors:** 1, **Workbooks:** 4, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Azure Web Application Firewall (WAF) solution for Microsoft Sentinel allows you to ingest Diagnostic Metrics from Application Gateway, Front Door and CDN into Microsoft Sentinel.\n\n **Data Connectors:** 1, **Workbooks:** 4, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -194,7 +194,7 @@
 "name": "analytic1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment."
+ "text": "Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \nof blocked requests and a few unobstructed logs that may be malicious but have passed undetected through the WAF. The successCode \nvariable defines what the detection thinks is a successful status code and should be altered to fit the environment."
 }
 }
 ]
@@ -208,7 +208,7 @@
 "name": "analytic2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies a match for SQL Injection attack in the Front Door Premium WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement.\n References: https://owasp.org/Top10/A03_2021-Injection/"
+ "text": "Identifies a match for a SQL Injection attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements.\nReferences: https://owasp.org/Top10/A03_2021-Injection/"
 }
 }
 ]
@@ -222,7 +222,7 @@
 "name": "analytic3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies a match for XSS attack in the Front Door Premium WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement.\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)"
+ "text": "Identifies a match for an XSS attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements.\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)"
 }
 }
 ]
diff --git a/Solutions/Azure Web Application Firewall (WAF)/Package/mainTemplate.json b/Solutions/Azure Web Application Firewall (WAF)/Package/mainTemplate.json
index 16e158c167..898e296379 100644
--- a/Solutions/Azure Web Application Firewall (WAF)/Package/mainTemplate.json
+++ b/Solutions/Azure Web Application Firewall (WAF)/Package/mainTemplate.json
@@ -75,17 +75,17 @@
 "_dataConnectorId1": "[variables('dataConnectorId1')]",
 "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
 "dataConnectorVersion1": "1.0.0",
- "analyticRuleVersion1": "1.0.2",
+ "analyticRuleVersion1": "1.0.3",
 "analyticRulecontentId1": "46ac55ae-47b8-414a-8f94-89ccd1962178",
 "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
 "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
 "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]",
- "analyticRuleVersion2": "1.0.0",
+ "analyticRuleVersion2": "1.0.1",
 "analyticRulecontentId2": "16da3a2a-af29-48a0-8606-d467c180fe18",
 "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
 "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
 "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]",
- "analyticRuleVersion3": "1.0.0",
+ "analyticRuleVersion3": "1.0.1",
 "analyticRulecontentId3": "b7643904-5081-4920-917e-a559ddc3448f",
 "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
 "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
@@ -139,7 +139,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
 ],
 "properties": {
- "description": "Azure Web Application Firewall (WAF) data connector with template version 2.0.3",
+ "description": "Azure Web Application Firewall (WAF) data connector with template version 2.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -345,7 +345,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
 ],
 "properties": {
- "description": "MaliciousWAFSessions_AnalyticalRules Analytics Rule with template version 2.0.3",
+ "description": "MaliciousWAFSessions_AnalyticalRules Analytics Rule with template version 2.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion1')]",
@@ -359,10 +359,10 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.", + "description": "Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \nof blocked requests and a few unobstructed logs that may be malicious but have passed undetected through the WAF. 
The successCode \nvariable defines what the detection thinks is a successful status code and should be altered to fit the environment.", "displayName": "A potentially malicious web request was executed against a web server", "enabled": false, - "query": "let queryperiod = 1d;\nlet mode = 'Blocked';\nlet successCode = dynamic(['200', '101','204', '400','504','304','401','500']);\nlet sessionBin = 30m;\nAzureDiagnostics\n| where TimeGenerated > ago(queryperiod)\n| where Category == 'ApplicationGatewayFirewallLog' and action_s == mode\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\n| extend TimeKey = range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\n| mv-expand TimeKey to typeof(datetime)\n| join kind = inner(\n AzureDiagnostics\n | where TimeGenerated > ago(queryperiod)\n | where Category == 'ApplicationGatewayAccessLog' and (isempty(httpStatus_d) or httpStatus_d in (successCode))\n | extend TimeKey = bin(TimeGenerated, sessionBin)\n) on TimeKey, $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\n| extend\n originalRequestUriWithArgs_s = column_ifexists(\"originalRequestUriWithArgs_s\", \"\"),\n serverStatus_s = column_ifexists(\"serverStatus_s\", \"\")\n| summarize\n SuccessfulAccessCount = count(),\n UserAgents = make_set(userAgent_s, 250),\n RequestURIs = make_set(requestUri_s, 250),\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\n SuccessCodes = make_set(httpStatus_d, 250),\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\n take_any(SessionBlockedEnded, SessionBlockedCount)\n by 
hostname_s, clientIp_s, SessionBlockedStarted\n| where SessionBlockedCount > SuccessfulAccessCount\n| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\n| sort by BlockvsSuccessRatio desc, timestamp asc\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\n", + "query": "let queryperiod = 1d;\nlet mode = 'Blocked';\nlet successCode = dynamic(['200', '101','204', '400','504','304','401','500']);\nlet sessionBin = 30m;\nAzureDiagnostics\n| where TimeGenerated > ago(queryperiod)\n| where Category =~ 'ApplicationGatewayFirewallLog' and action_s == mode\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\n| extend TimeKey = range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\n| mv-expand TimeKey to typeof(datetime)\n| join kind = inner(\n AzureDiagnostics\n | where TimeGenerated > ago(queryperiod)\n | where Category =~ 'ApplicationGatewayAccessLog' and (isempty(httpStatus_d) or httpStatus_d in (successCode))\n | extend TimeKey = bin(TimeGenerated, sessionBin)\n | extend hostname_s = coalesce(hostname_s,host_s), clientIp_s = coalesce(clientIp_s,clientIP_s)\n) on TimeKey, hostname_s , clientIp_s\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\n| extend\n originalRequestUriWithArgs_s = column_ifexists(\"originalRequestUriWithArgs_s\", \"\"),\n serverStatus_s = column_ifexists(\"serverStatus_s\", \"\")\n| summarize\n SuccessfulAccessCount = count(),\n 
UserAgents = make_set(userAgent_s, 250),\n RequestURIs = make_set(requestUri_s, 250),\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\n SuccessCodes = make_set(httpStatus_d, 250),\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\n take_any(SessionBlockedEnded, SessionBlockedCount)\n by hostname_s, clientIp_s, SessionBlockedStarted\n| where SessionBlockedCount > SuccessfulAccessCount\n| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\n| sort by BlockvsSuccessRatio desc, timestamp asc\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\n", "queryFrequency": "P1D", "queryPeriod": "P1D", "severity": "Medium", @@ -373,10 +373,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "WAF", "dataTypes": [ "AzureDiagnostics" - ], - "connectorId": "WAF" + ] } ], "tactics": [ @@ -389,8 +389,8 @@ { "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "clientIp_s" } ], "entityType": "IP" @@ -456,7 +456,7 @@ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" ], "properties": { - "description": "AFD-Premium-WAF-SQLiDetection_AnalyticalRules Analytics Rule with template version 2.0.3", + "description": "AFD-Premium-WAF-SQLiDetection_AnalyticalRules Analytics Rule with template version 2.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion2')]", 
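Review bot: `action_s == mode` on the new `query` line is still a case-sensitive comparison while `Category` in the same pipeline was switched to `=~`, and the two Front Door rules in this patch moved their `action_s` filters to `=~` as well; a differently-cased `Blocked` value would yield zero blocked sessions and the rule would simply go quiet rather than error. Use `action_s =~ mode` for consistency with the rest of the package. The new join keys `coalesce(hostname_s,host_s)` and `coalesce(clientIp_s,clientIP_s)` also assume that access-log rows leave `hostname_s`/`clientIp_s` empty so the access-log columns win; if a workspace populates both column pairs the join silently keys on the firewall-log value, whereas the old `$left.hostname_s == $right.host_s` form was explicit. If the coalesce is needed for mixed schemas, a comment on that `extend` stating the assumption would help the next maintainer; otherwise prefer the explicit column pairing.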
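Review bot: The IP entity's `columnName` now points at `clientIp_s` directly, but the query in the preceding hunk still carries `extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s`, so `IPCustomEntity` is computed and consumed by nothing. Either drop `IPCustomEntity = clientIp_s` from that `extend` or leave the mapping on `IPCustomEntity`; a stale custom-entity column invites someone to re-map it later and have the two drift. The query line itself is outside this hunk.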
@@ -470,10 +470,10 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match for SQL Injection attack in the Front Door Premium WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement.\n References: https://owasp.org/Top10/A03_2021-Injection/", + "description": "Identifies a match for a SQL Injection attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements.\nReferences: https://owasp.org/Top10/A03_2021-Injection/", "displayName": "Front Door Premium WAF - SQLi Detection", "enabled": false, - "query": "let Threshold = 1;\nAzureDiagnostics\n| where Category == \"FrontDoorWebApplicationFirewallLog\"\n| where action_s == \"AnomalyScoring\"\n| where details_msg_s contains \"SQL Injection\"\n| parse details_data_s with MessageText \"Matched Data:\" MatchedData \"AND \" * \"table_name FROM \" TableName \" \" *\n| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData\n| join kind = inner(\nAzureDiagnostics\n| where Category == \"FrontDoorWebApplicationFirewallLog\"\n| where action_s == \"Block\") on trackingReference_s\n| summarize URI_s = make_set(requestUri_s), Table = make_set(TableName), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s), Matched_Data = make_set(MatchedData), Detail_Data = make_set(details_data_s), Detail_Message = make_set(details_msg_s), Total_TrackingReference = dcount(trackingReference_s) by clientIP_s, host_s, action_s\n| where Total_TrackingReference >= Threshold\n", + "query": "let Threshold = 1;\nAzureDiagnostics\n| where Category =~ \"FrontDoorWebApplicationFirewallLog\"\n| where action_s =~ \"AnomalyScoring\"\n| where details_msg_s has \"SQL Injection\"\n| parse details_data_s with MessageText \"Matched 
Data:\" MatchedData \"AND \" * \"table_name FROM \" TableName \" \" *\n| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData\n| join kind = inner(\nAzureDiagnostics\n| where Category =~ \"FrontDoorWebApplicationFirewallLog\"\n| where action_s =~ \"Block\") on trackingReference_s\n| summarize URI_s = make_set(requestUri_s,100), Table = make_set(TableName,100), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s,100), Matched_Data = make_set(MatchedData,100), Detail_Data = make_set(details_data_s,100), Detail_Message = make_set(details_msg_s,100), Total_TrackingReference = dcount(trackingReference_s) by clientIP_s, host_s, action_s\n| where Total_TrackingReference >= Threshold\n", "queryFrequency": "PT6H", "queryPeriod": "PT6H", "severity": "High", @@ -484,10 +484,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "WAF", "dataTypes": [ "AzureDiagnostics" - ], - "connectorId": "WAF" + ] } ], "tactics": [ @@ -506,8 +506,8 @@ { "fieldMappings": [ { - "columnName": "URI_s", - "identifier": "Url" + "identifier": "Url", + "columnName": "URI_s" } ], "entityType": "URL" @@ -515,8 +515,8 @@ { "fieldMappings": [ { - "columnName": "clientIP_s", - "identifier": "Address" + "identifier": "Address", + "columnName": "clientIP_s" } ], "entityType": "IP" @@ -582,7 +582,7 @@ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]" ], "properties": { - "description": "AFD-Premium-WAF-XSSDetection_AnalyticalRules Analytics Rule with template version 2.0.3", + "description": "AFD-Premium-WAF-XSSDetection_AnalyticalRules Analytics Rule with template version 2.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion3')]", 
@@ -596,10 +596,10 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match for XSS attack in the Front Door Premium WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement.\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)", + "description": "Identifies a match for an XSS attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements.\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)", "displayName": "Front Door Premium WAF - XSS Detection", "enabled": false, - "query": "let Threshold = 1;\nAzureDiagnostics\n| where Category == \"FrontDoorWebApplicationFirewallLog\"\n| where action_s == \"AnomalyScoring\"\n| where details_msg_s contains \"XSS\"\n| parse details_data_s with MessageText \"Matched Data:\" MatchedData \"AND \" * \"table_name FROM \" TableName \" \" *\n| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData\n| join kind = inner(\nAzureDiagnostics\n| where Category == \"FrontDoorWebApplicationFirewallLog\"\n| where action_s == \"Block\") on trackingReference_s\n| summarize URI_s = make_set(requestUri_s), Table = make_set(TableName), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s), Matched_Data = make_set(MatchedData), Detail_Data = make_set(details_data_s), Detail_Message = make_set(details_msg_s), Total_TrackingReference = dcount(trackingReference_s) by clientIP_s, host_s, action_s\n| where Total_TrackingReference >= Threshold\n", + "query": "let Threshold = 1;\nAzureDiagnostics\n| where Category =~ \"FrontDoorWebApplicationFirewallLog\"\n| where action_s =~ \"AnomalyScoring\"\n| where details_msg_s has \"XSS\"\n| parse 
details_data_s with MessageText \"Matched Data:\" MatchedData \"AND \" * \"table_name FROM \" TableName \" \" *\n| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData\n| join kind = inner(\nAzureDiagnostics\n| where Category =~ \"FrontDoorWebApplicationFirewallLog\"\n| where action_s =~ \"Block\") on trackingReference_s\n| summarize URI_s = make_set(requestUri_s,100), Table = make_set(TableName,100), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s,100), Matched_Data = make_set(MatchedData,100), Detail_Data = make_set(details_data_s,100), Detail_Message = make_set(details_msg_s,100), Total_TrackingReference = dcount(trackingReference_s) by clientIP_s, host_s, action_s\n| where Total_TrackingReference >= Threshold\n", "queryFrequency": "PT6H", "queryPeriod": "PT6H", "severity": "High", @@ -610,10 +610,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "WAF", "dataTypes": [ "AzureDiagnostics" - ], - "connectorId": "WAF" + ] } ], "tactics": [ @@ -629,8 +629,8 @@ { "fieldMappings": [ { - "columnName": "URI_s", - "identifier": "Url" + "identifier": "Url", + "columnName": "URI_s" } ], "entityType": "URL" @@ -638,8 +638,8 @@ { "fieldMappings": [ { - "columnName": "clientIP_s", - "identifier": "Address" + "identifier": "Address", + "columnName": "clientIP_s" } ], "entityType": "IP" @@ -705,7 +705,7 @@ "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" ], "properties": { - "description": "WebApplicationFirewallFirewallEventsWorkbook Workbook with template version 2.0.3", + "description": "WebApplicationFirewallFirewallEventsWorkbook Workbook with template version 2.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
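Review bot: The new `query` for the XSS rule carries over the SQLi rule's `parse details_data_s with MessageText "Matched Data:" MatchedData "AND " * "table_name FROM " TableName " " *` verbatim, so `TableName` is only extracted if an XSS payload happens to contain `table_name FROM`, which it will not; `Table = make_set(TableName,100)` is therefore dead output and `MatchedData` will be empty for essentially every XSS hit. Suggest dropping the `TableName` extraction and the `Table` column from the `summarize`, and capturing the match generically with `| extend MatchedData = extract(@"Matched Data: (.*?) found within", 1, details_data_s)` (confirm the `details_data_s` wording against a live Front Door WAF record first). The switch from `contains` to `has "XSS"` narrows matching to the whole term, which is appropriate here, but the rule `description` should say that both rule-group names and libinjection messages containing the standalone term XSS are counted so tuners understand the scope.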
@@ -723,7 +723,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Application gateway firewall events\"},\"name\":\"text - 10\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"query\":\"\",\"parameters\":[{\"id\":\"49e2f511-592f-4d7f-8fda-d686803f3dbf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"d54c1639-d46c-4655-9d76-d5416926a453\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WAF\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| summarize Count=count() by Resource\\r\\n| order by Count desc, Resource asc\\r\\n| project Value = Resource, Lable = strcat(Resource, \\\" - \\\", Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where OperationName == 
\\\"ApplicationGatewayFirewall\\\"\\r\\n| where action_s == \\\"Blocked\\\" or action_s == \\\"Detected\\\" \\r\\n| summarize count() by requestUri_s \\r\\n| top 10 by count_ desc \",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Blocked URL addresses\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| summarize number = count() by action_s\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"WAF actions\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\" \\r\\n| summarize number = count() by instanceId_s, TimeGenerated\\r\\n| where instanceId_s contains \\\"role\\\"\\r\\n| extend roulenumber = extract(\\\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\\\", 1, instanceId_s) \\r\\n| project roulenumber , number , TimeGenerated \\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Role use, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"customWidth\":\"40\",\"name\":\"query - 
8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where \\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF})\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| summarize count() by Message\\r\\n| top 10 by count_ \\r\\n\",\"size\":0,\"exportFieldName\":\"Message\",\"exportParameterName\":\"Selected\",\"exportDefaultValue\":\"*\",\"exportToExcelOptions\":\"visible\",\"title\":\"Event trigger\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true}}],\"labelSettings\":[{\"columnId\":\"Message\"},{\"columnId\":\"count_\",\"label\":\"\"}]}},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where \\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF})\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where ('{Selected}' == Message) or '{Selected}'==\\\"*\\\"\\r\\n| summarize count() by Message, TimeGenerated\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Messages, by 
time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Message\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where \\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF})\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where '{Selected}' == Message or '{Selected}' == \\\"*\\\"\\r\\n| extend Role = extract(\\\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\\\",1,instanceId_s) \\r\\n| project Message, TimeGenerated, SourceSystem, hostname_s, ResourceId, ResourceGroup, ResourceProvider, Category, Role, action_s, site_s, details_message_s, details_file_s, clientIp_s, requestUri_s\\r\\n| sort by TimeGenerated\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Message, full details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"name\":\"query - 11\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where Message contains \\\"attack\\\"\\r\\n| extend Role = extract(\\\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\\\",1,instanceId_s) 
\\r\\n| summarize Amount = count() by Message, bin(TimeGenerated, 1h), hostName = hostname_s, ResourceId, Category, Role\\r\\n| project Amount, Message, TimeGenerated, hostName, ResourceId, Category, Role\\r\\n| order by Amount desc\",\"size\":0,\"exportFieldName\":\"\",\"exportParameterName\":\"MessageFilter\",\"exportDefaultValue\":\"{\\\"Message\\\":\\\"*\\\"}\",\"exportToExcelOptions\":\"visible\",\"title\":\"Attacks events, by messages\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Amount\",\"formatter\":8,\"formatOptions\":{\"showIcon\":true,\"aggregation\":\"Sum\"}},{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"hostName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourceId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Category\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Role\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"$gen_group\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TenantId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"SourceSystem\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"MG\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ManagementGroupName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Computer\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ruleGroup_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"transactionId_s\",\"formatter\":0,
\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"originalHost_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"_schema_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"error_code_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"error_message_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"instanceId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"clientIp_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"clientPort_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"requestUri_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ruleSetType_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ruleSetVersion_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ruleId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"action_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"site_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"details_message_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"details_data_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"details_file_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"details_line_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"hostname_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"clientIP_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"clientPort_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"httpMethod_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"requestQuery_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"
columnMatch\":\"userAgent_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"httpStatus_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"httpVersion_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"receivedBytes_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"sentBytes_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"timeTaken_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"sslEnabled_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"host_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"correlation_clientTrackingId_g\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"tags__type_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"msg_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_originRunId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_actionName_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"correlation_actionTrackingId_g\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"workflowId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Level\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"OperationName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"status_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"tags_LogicAppsCategory_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_resourceGroupName_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_workflowName_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_runId_s\",\"formatter\":0,\"format
Options\":{\"showIcon\":true}},{\"columnMatch\":\"resource_location_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_triggerName_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"SubscriptionId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourceGroup\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourceProvider\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Resource\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourceType\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"code_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"correlation_clientTrackingId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_subscriptionId_g\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_workflowId_g\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"startTime_t\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"endTime_t\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"_ResourceId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Message\"],\"expandTopLevel\":false}}},\"name\":\"query - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.childRows; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nAzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where OperationName 
== \\\"ApplicationGatewayFirewall\\\"\\r\\n| where Message contains \\\"attack\\\"\\r\\n| where SelectedMS.Message == Message or SelectedMS.Message == \\\"*\\\" or Message == Child[0].Message\\r\\n| summarize count() by Message, TimeGenerated\",\"size\":0,\"exportParameterName\":\"Message\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"exportToExcelOptions\":\"visible\",\"title\":\"Attack events, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"70\",\"name\":\"query - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Message contains \\\"SQL Injection\\\" \\r\\n| summarize count() by hostname_s, Message\\r\\n| order by count_ desc \",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"SQL injection, by host name\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"30\",\"name\":\"query - 15\"}],\"fromTemplateId\":\"sentinel-WebApplicationFirewallFirewallEvents\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Application gateway firewall events\"},\"name\":\"text - 
10\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"query\":\"\",\"parameters\":[{\"id\":\"49e2f511-592f-4d7f-8fda-d686803f3dbf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"d54c1639-d46c-4655-9d76-d5416926a453\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WAF\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| summarize Count=count() by Resource\\r\\n| order by Count desc, Resource asc\\r\\n| project Value = Resource, Lable = strcat(Resource, \\\" - \\\", Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where action_s == \\\"Blocked\\\" or action_s == \\\"Detected\\\" \\r\\n| summarize count() by requestUri_s \\r\\n| top 10 by count_ desc \",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Blocked URL 
addresses\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| summarize number = count() by action_s\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"WAF actions\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\" \\r\\n| summarize number = count() by instanceId_s, TimeGenerated\\r\\n| where instanceId_s has \\\"role\\\"\\r\\n| extend rolenumber = extract(\\\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\\\", 1, instanceId_s) \\r\\n| project rolenumber , number , TimeGenerated \\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Role use, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"customWidth\":\"40\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where \\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF})\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where OperationName == 
\\\"ApplicationGatewayFirewall\\\"\\r\\n| summarize count() by Message\\r\\n| top 10 by count_ \\r\\n\",\"size\":0,\"exportFieldName\":\"Message\",\"exportParameterName\":\"Selected\",\"exportDefaultValue\":\"*\",\"exportToExcelOptions\":\"visible\",\"title\":\"Event trigger\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true}}],\"labelSettings\":[{\"columnId\":\"Message\"},{\"columnId\":\"count_\",\"label\":\"\"}]}},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where \\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF})\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where ('{Selected}' == Message) or '{Selected}'==\\\"*\\\"\\r\\n| summarize count() by Message, TimeGenerated\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Messages, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Message\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where \\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in 
({WAF})\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where '{Selected}' == Message or '{Selected}' == \\\"*\\\"\\r\\n| extend Role = extract(\\\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\\\",1,instanceId_s) \\r\\n| project Message, TimeGenerated, SourceSystem, hostname_s, ResourceId, ResourceGroup, ResourceProvider, Category, Role, action_s, site_s, details_message_s, details_file_s, clientIp_s, requestUri_s\\r\\n| sort by TimeGenerated\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Message, full details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"name\":\"query - 11\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where Message has \\\"attack\\\"\\r\\n| extend Role = extract(\\\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\\\",1,instanceId_s) \\r\\n| summarize Amount = count() by Message, bin(TimeGenerated, 1h), hostName = hostname_s, ResourceId, Category, Role\\r\\n| project Amount, Message, TimeGenerated, hostName, ResourceId, Category, Role\\r\\n| order by Amount desc\",\"size\":0,\"exportFieldName\":\"\",\"exportParameterName\":\"MessageFilter\",\"exportDefaultValue\":\"{\\\"Message\\\":\\\"*\\\"}\",\"exportToExcelOptions\":\"visible\",\"title\":\"Attacks events, by 
messages\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Amount\",\"formatter\":8,\"formatOptions\":{\"showIcon\":true,\"aggregation\":\"Sum\"}},{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"hostName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourceId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Category\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Role\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"$gen_group\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TenantId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"SourceSystem\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"MG\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ManagementGroupName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Computer\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ruleGroup_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"transactionId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"originalHost_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"_schema_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"error_code_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"error_message_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"instanceId_s\",\"for
matter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"clientIp_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"clientPort_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"requestUri_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ruleSetType_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ruleSetVersion_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ruleId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"action_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"site_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"details_message_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"details_data_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"details_file_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"details_line_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"hostname_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"clientIP_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"clientPort_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"httpMethod_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"requestQuery_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"userAgent_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"httpStatus_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"httpVersion_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"receivedBytes_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"sentBytes_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\"
:true}},{\"columnMatch\":\"timeTaken_d\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"sslEnabled_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"host_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"correlation_clientTrackingId_g\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"tags__type_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"msg_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_originRunId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_actionName_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"correlation_actionTrackingId_g\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"workflowId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Level\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"OperationName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"status_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"tags_LogicAppsCategory_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_resourceGroupName_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_workflowName_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_runId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_location_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_triggerName_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"SubscriptionId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourceGroup\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourcePr
ovider\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Resource\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourceType\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"code_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"correlation_clientTrackingId_s\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_subscriptionId_g\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"resource_workflowId_g\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"startTime_t\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"endTime_t\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"_ResourceId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Message\"],\"expandTopLevel\":false}}},\"name\":\"query - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.childRows; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nAzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where OperationName == \\\"ApplicationGatewayFirewall\\\"\\r\\n| where Message has \\\"attack\\\"\\r\\n| where SelectedMS.Message == Message or SelectedMS.Message == \\\"*\\\" or Message == Child[0].Message\\r\\n| summarize count() by Message, TimeGenerated\",\"size\":0,\"exportParameterName\":\"Message\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"exportToExcelOptions\":\"visible\",\"title\":\"Attack events, by 
time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"70\",\"name\":\"query - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" and (\\\"{WAF:lable}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Message has \\\"SQL Injection\\\" \\r\\n| summarize count() by hostname_s, Message\\r\\n| order by count_ desc \",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"SQL injection, by host name\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"30\",\"name\":\"query - 15\"}],\"fromTemplateId\":\"sentinel-WebApplicationFirewallFirewallEvents\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel"
@@ -800,7 +800,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName2'))]"
 ],
 "properties": {
- "description": "WebApplicationFirewallGatewayAccessEventsWorkbook Workbook with template version 2.0.3",
+ "description": "WebApplicationFirewallGatewayAccessEventsWorkbook Workbook with template version 2.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion2')]", 
@@ -895,7 +895,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName3'))]"
 ],
 "properties": {
- "description": "WebApplicationFirewallOverviewWorkbook Workbook with template version 2.0.3",
+ "description": "WebApplicationFirewallOverviewWorkbook Workbook with template version 2.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion3')]", 
@@ -913,7 +913,7 @@
 },
 "properties": {
 "displayName": "[parameters('workbook3-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"query\":\"\",\"parameters\":[{\"id\":\"49e2f511-592f-4d7f-8fda-d686803f3dbf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"d54c1639-d46c-4655-9d76-d5416926a453\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WAF\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| summarize Count=count() by Resource\\r\\n| order by Count desc, Resource asc\\r\\n| project Value = Resource, Lable = strcat(Resource, \\\" - \\\", Count)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b1a1c99d-4498-4e02-82f0-d52c276d5657\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Events\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| summarize Count = count() by OperationName\\r\\n| order by Count desc, OperationName asc\\r\\n| project value = OperationName, Label = strcat(OperationName, ' - ', 
Count)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" \\n| where \\\"{WAF:lable}\\\"==\\\"All\\\" or Resource in ({WAF})\\n| where \\\"{Events:lable}\\\"==\\\"All\\\" or OperationName in ({Events})\\n| summarize count() by Resource, TimeGenerated\",\"size\":1,\"exportToExcelOptions\":\"visible\",\"title\":\"Resource events, by time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Resource\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"70\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where \\\"{WAF:lable}\\\"==\\\"All\\\" or Resource in ({WAF})\\r\\n| where \\\"{Events:lable}\\\"==\\\"All\\\" or OperationName in ({Events})\\r\\n| summarize number = count() by Resource\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Resource use\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" \\r\\n| 
where \\\"{WAF:lable}\\\"==\\\"All\\\" or Resource in ({WAF})\\r\\n| where \\\"{Events:lable}\\\"==\\\"All\\\" or OperationName in ({Events})\\r\\n| summarize number = count() by OperationName, TimeGenerated\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Firewall and access events, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"70\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" \\r\\n| where \\\"{WAF:lable}\\\"==\\\"All\\\" or Resource in ({WAF})\\r\\n| where \\\"{Events:lable}\\\"==\\\"All\\\" or OperationName in ({Events})\\r\\n| summarize number = count() by OperationName\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Events, by operation\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 6\"}],\"fromTemplateId\":\"sentinel-WebApplicationFirewallOverview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": 
"{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"query\":\"\",\"parameters\":[{\"id\":\"49e2f511-592f-4d7f-8fda-d686803f3dbf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"d54c1639-d46c-4655-9d76-d5416926a453\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WAF\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| summarize Count=count() by Resource\\r\\n| order by Count desc, Resource asc\\r\\n| project Value = Resource, Lable = strcat(Resource, \\\" - \\\", Count)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b1a1c99d-4498-4e02-82f0-d52c276d5657\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Events\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| summarize Count = count() by OperationName\\r\\n| order by Count desc, OperationName asc\\r\\n| project value = OperationName, Label = strcat(OperationName, ' - ', 
Count)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" \\n| where \\\"{WAF:lable}\\\"==\\\"All\\\" or Resource in ({WAF})\\n| where \\\"{Events:lable}\\\"==\\\"All\\\" or OperationName in ({Events})\\n| summarize count() by Resource, TimeGenerated\",\"size\":1,\"exportToExcelOptions\":\"visible\",\"title\":\"Resource events, by time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Resource\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"70\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\"\\r\\n| where \\\"{WAF:lable}\\\"==\\\"All\\\" or Resource in ({WAF})\\r\\n| where \\\"{Events:lable}\\\"==\\\"All\\\" or OperationName in ({Events})\\r\\n| summarize number = count() by Resource\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Resource use\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType 
== \\\"APPLICATIONGATEWAYS\\\" \\r\\n| where \\\"{WAF:lable}\\\"==\\\"All\\\" or Resource in ({WAF})\\r\\n| where \\\"{Events:lable}\\\"==\\\"All\\\" or OperationName in ({Events})\\r\\n| summarize number = count() by OperationName, TimeGenerated\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Firewall and access events, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"70\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" \\r\\n| where \\\"{WAF:lable}\\\"==\\\"All\\\" or Resource in ({WAF})\\r\\n| where \\\"{Events:lable}\\\"==\\\"All\\\" or OperationName in ({Events})\\r\\n| summarize number = count() by OperationName\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Events, by operation\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 6\"}],\"fromTemplateId\":\"sentinel-WebApplicationFirewallOverview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel" 
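Review bot: In the new `serializedData` the `query - 2` item ("Resource events, by time") gains `\"timeContextFromParameter\":\"TimeRange\"` but, unlike the sibling items `query - 4`, `query - 5` and `query - 6` in the same string, it has no `\"timeContext\":{\"durationMs\":0}` entry beside it; if the workbook renderer needs both for the TimeRange pill to apply, this chart will still ignore the selected range, so confirm in a deployed workbook and, if so, write it as the siblings do: `\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\"`. Pre-existing but regenerated here: the `WAF` parameter query projects a `Lable` column while `Events` projects `Label`, yet both pills are consumed as `{WAF:lable}` / `{Events:lable}` in the `== \"All\"` filters, so whether that comparison resolves the same way for both parameters should be checked rather than assumed. Because the only semantic change is buried in a ~2 KB single-line string, the PR description (currently just "azure waf") should say what changed in this workbook, or the edit should land in the source file under `Workbooks/` so the delta is reviewable; the enclosing resource object starts and ends outside this hunk.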
@@ -990,7 +990,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName4'))]"
 ],
 "properties": {
- "description": "WebApplicationFirewallWAFTypeEventsWorkbook Workbook with template version 2.0.3",
+ "description": "WebApplicationFirewallWAFTypeEventsWorkbook Workbook with template version 2.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion4')]", 
@@ -1008,7 +1008,7 @@ }, "properties": { "displayName": "[parameters('workbook4-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Azure WAF Events\"},\"name\":\"text - 10\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Subscription}\"],\"parameters\":[{\"id\":\"afd56a69-16a5-436d-850e-16c24e839503\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::all\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"e38cad87-ff16-40e6-9384-f6fd24fa9d6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value=strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"value\":[\"/subscriptions/6b1ceacd-5731-4780-8f96-2078dd96fd96\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"a125fc08-be6d-4b8b-87e2-7e0cd957db47\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultWorkspace_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n|take 1\\r\\n|project 
id\",\"crossComponentResources\":[\"{Subscription}\"],\"isHiddenWhenLocked\":true,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"65674a40-2869-4867-a24d-f86f05fd0354\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspaces\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project id, selected = iff(id =~ '{DefaultWorkspace_Internal}', true, false)\\r\\n\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"49e2f511-592f-4d7f-8fda-d686803f3dbf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000}],\"allowCustom\":true}},{\"id\":\"604a42a0-deca-4a95-a15f-8977646a7fac\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WAFType\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\"\\r\\n| summarize Count=count() by ResourceType\\r\\n| extend 
ResourceTypeImproved = iif(ResourceType == \\\"APPLICATIONGATEWAYS\\\", \\\"Application Gateway\\\", ResourceType)\\r\\n| extend ResourceTypeImproved = iif(ResourceTypeImproved == \\\"FRONTDOORS\\\", \\\"Azure Front Door\\\", ResourceTypeImproved)\\r\\n| extend ResourceTypeImproved = iif(ResourceTypeImproved == \\\"PROFILES\\\", \\\"Azure Front Door Premium\\\", ResourceTypeImproved)\\r\\n| extend ResourceTypeImproved = iif(ResourceTypeImproved == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\", \\\"Azure CDN\\\", ResourceTypeImproved)\\r\\n| order by Count desc, ResourceTypeImproved asc\\r\\n| project ResourceTypeImproved\",\"crossComponentResources\":[\"{Workspaces}\"],\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"WAF Type\"},{\"id\":\"d54c1639-d46c-4655-9d76-d5416926a453\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WAF\",\"label\":\"WAF Items\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front 
door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\"))\\r\\n| summarize Count=count() by Resource\\r\\n| order by Count desc, Resource asc\\r\\n| project Value = Resource, Label = strcat(Resource, \\\" - \\\", Count)\",\"crossComponentResources\":[\"{Workspaces}\"],\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == 
\\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n// Application Gateway has Matched, Blocked, Detected : translates to Matched, Block, Log\\r\\n// Azure Front Door has Matched, Block, Log : translates to Matched, Block, Log\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| summarize number = count() by Action\",\"size\":3,\"showAnalytics\":true,\"title\":\"WAF actions filter\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"SelectedAction\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"27\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" 
contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where Action == \\\"Block\\\"\\r\\n| where requestUri_s <> \\\"/\\\"\\r\\n| summarize count() by requestUri_s \\r\\n| top 40 by count_ desc \",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 40 Blocked Request URI addresses, filter to single URI address\",\"noDataMessage\":\"The current data has no \\\"Blocked\\\" results\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"requestUri_s\",\"exportParameterName\":\"RequestURI\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"requestUri_s\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":5}}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"requestUri_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"siz
eSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"count_\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"63\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = 
strcat(clientIp_s, clientIP_s)\\r\\n| extend Rule= iif(Rule contains \\\"Mandatory rule. Cannot be disabled.\\\", strcat_array(split(Rule, \\\"Mandatory rule. Cannot be disabled. Inbound \\\",1),\\\"\\\"), Rule) // Removes initial component for mandatory rule \\r\\n| extend Rule = iif(Rule contains \\\"Total Inbound Score\\\", strcat_array(array_concat(split(Rule, \\\" - SQLI=\\\", 0), parse_json('[\\\") -\\\"]'), split(Rule,\\\"):\\\",1)),\\\"\\\"),Rule) // Removes smaller information if more info is available for anomaly score\\r\\n| summarize count() by Rule\\r\\n| top 50 by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 50 event triggers, filter by rule name\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Rule\",\"exportParameterName\":\"Selected\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true}}],\"sortBy\":[{\"itemKey\":\"$gen_bar_count__1\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"\"}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_count__1\",\"sortOrder\":2}]},\"customWidth\":\"30\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == 
\\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| summarize count() by Rule, bin(TimeGenerated, 1h)\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages, by 
time\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"timeBrushUpperSection\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Message\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"70\",\"name\":\"query - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,requestUri_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string,instanceId_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" 
and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\" \\r\\n| extend Role = extract(\\\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\\\",1,instanceId_s) \\r\\n| extend RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s, Site = site_s\\r\\n| project Rule, TimeGenerated, SourceSystem, Hostname, ResourceId, ResourceGroup, ResourceProvider, Category, Role, Action, Site, Message_Details, File_Details, ClientIP, RequestUri\\r\\n| sort by TimeGenerated\",\"size\":0,\"showAnalytics\":true,\"title\":\"Message, full details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushUpperSection\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 11\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, 
transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message contains \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\" \\r\\n| summarize Amount = count() by Rule\\r\\n| order by Amount desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Attacks events, by messages and filterable by rule name\",\"noDataMessage\":\"Filtered messages are not attack 
events\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"\",\"exportParameterName\":\"MessageFilter\",\"exportDefaultValue\":\"{\\\"Rule\\\":\\\"*\\\"}\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Amount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true,\"aggregation\":\"Sum\"}}],\"filter\":true}},\"customWidth\":\"20\",\"name\":\"query - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in 
({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message contains \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\" \\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| where Rule == Child or Child == \\\"*\\\"\\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| summarize Amount = count() by Rule, bin(TimeGenerated, 1h), ResourceId\\r\\n| project Amount, Rule, TimeGenerated, ResourceId\\r\\n| order by Amount desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Attack events, by time\",\"noDataMessage\":\"Filtered messages are not attack events\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"timeBrushLowerSection\",\"exportParameterName\":\"Message\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"customWidth\":\"80\",\"name\":\"query - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", 
\\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message contains \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| where Rule == Child or Child == \\\"*\\\" \\r\\n| summarize count() by TrackingID\\r\\n| top 50 by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"TrackingID filter\",\"noDataMessage\":\"You have over-filtered or you are missing this 
data.\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushLowerSection\",\"exportFieldName\":\"TrackingID\",\"exportParameterName\":\"SelectedTrackingID\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"TrackingID\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TrackingID\",\"sortOrder\":2}]},\"customWidth\":\"20\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable (Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,ruleGroup_s:string,instanceId_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure 
front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message contains \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\\r\\n| where '{SelectedTrackingID}' == TrackingID or '{SelectedTrackingID}' == \\\"*\\\" \\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| where Rule == Child or Child == \\\"*\\\"\\r\\n| extend RuleGroup = ruleGroup_s, InstandUri = instanceId_s, RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s\\r\\n| project TrackingID, TimeGenerated, Rule, ClientIP, RuleGroup, InstandUri, RequestUri, RuleSetType, Action, Message_Details, File_Details, Data_Details, Hostname, Category\",\"size\":0,\"showAnalytics\":true,\"title\":\"TrackingID Messages\",\"noDataMessage\":\"You have over-filtered or you are missing this data.\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushLowerSection\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":50}},\"customWidth\":\"80\",\"name\":\"query 
- 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message contains \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| extend TrackingID = strcat(transactionId_s, 
trackingReference_s)\\r\\n| where '{SelectedTrackingID}' == TrackingID or '{SelectedTrackingID}' == \\\"*\\\" \\r\\n| where Rule == Child or Child == \\\"*\\\"\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\"\\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| summarize count() by ClientIP\\r\\n| top 10 by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Attacking IP Addresses, filter to single IP address\",\"noDataMessage\":\"Filtered messages are not attack events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushLowerSection\",\"exportFieldName\":\"x\",\"exportParameterName\":\"ClientIP\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"ClientIP\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ClientIP\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"count_\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"25\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event 
trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable (Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,ruleGroup_s:string,instanceId_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string,requestUri_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" contains \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" contains \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message contains \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| where Rule == 
Child or Child == \\\"*\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\\r\\n| where '{SelectedTrackingID}' == TrackingID or '{SelectedTrackingID}' == \\\"*\\\" \\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| where ('{ClientIP}' == ClientIP or '{ClientIP}' == \\\"*\\\")\\r\\n| extend RuleGroup = ruleGroup_s, InstandUri = instanceId_s, RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s\\r\\n| project TimeGenerated, Rule, ClientIP, RuleGroup, InstandUri, RequestUri, RuleSetType, Action, Message_Details, File_Details, Data_Details, Hostname, Category\",\"size\":0,\"title\":\"Attack messages of IP address\",\"noDataMessage\":\"Filtered messages are not attack events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushLowerSection\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"75\",\"showPin\":true,\"name\":\"query - 13\"}],\"fromTemplateId\":\"sentinel-WebApplicationFirewallWAFTypeEvents\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Azure WAF Events\"},\"name\":\"text - 
10\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Subscription}\"],\"parameters\":[{\"id\":\"afd56a69-16a5-436d-850e-16c24e839503\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::all\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"e38cad87-ff16-40e6-9384-f6fd24fa9d6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value=strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"value\":[\"/subscriptions/6b1ceacd-5731-4780-8f96-2078dd96fd96\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"a125fc08-be6d-4b8b-87e2-7e0cd957db47\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultWorkspace_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n|take 1\\r\\n|project id\",\"crossComponentResources\":[\"{Subscription}\"],\"isHiddenWhenLocked\":true,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"65674a40-2869-4867-a24d-f86f05fd0354\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspaces\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"where type =~ 
'microsoft.operationalinsights/workspaces'\\r\\n| project id, selected = iff(id =~ '{DefaultWorkspace_Internal}', true, false)\\r\\n\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"49e2f511-592f-4d7f-8fda-d686803f3dbf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000}],\"allowCustom\":true}},{\"id\":\"604a42a0-deca-4a95-a15f-8977646a7fac\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WAFType\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\"\\r\\n| summarize Count=count() by ResourceType\\r\\n| extend ResourceTypeImproved = iif(ResourceType == \\\"APPLICATIONGATEWAYS\\\", \\\"Application Gateway\\\", ResourceType)\\r\\n| extend ResourceTypeImproved = iif(ResourceTypeImproved == \\\"FRONTDOORS\\\", \\\"Azure Front Door\\\", ResourceTypeImproved)\\r\\n| extend ResourceTypeImproved = iif(ResourceTypeImproved == \\\"PROFILES\\\", \\\"Azure Front Door Premium\\\", ResourceTypeImproved)\\r\\n| extend ResourceTypeImproved = 
iif(ResourceTypeImproved == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\", \\\"Azure CDN\\\", ResourceTypeImproved)\\r\\n| order by Count desc, ResourceTypeImproved asc\\r\\n| project ResourceTypeImproved\",\"crossComponentResources\":[\"{Workspaces}\"],\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"WAF Type\"},{\"id\":\"d54c1639-d46c-4655-9d76-d5416926a453\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WAF\",\"label\":\"WAF Items\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\"))\\r\\n| summarize Count=count() by Resource\\r\\n| order by Count desc, Resource asc\\r\\n| project Value = Resource, Label = strcat(Resource, \\\" - \\\", 
Count)\",\"crossComponentResources\":[\"{Workspaces}\"],\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n// Application Gateway has Matched, Blocked, Detected : translates to Matched, Block, Log\\r\\n// Azure Front Door has Matched, Block, Log : translates to Matched, Block, 
Log\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| summarize number = count() by Action\",\"size\":3,\"showAnalytics\":true,\"title\":\"WAF actions filter\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"SelectedAction\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"27\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| 
extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where Action == \\\"Block\\\"\\r\\n| where requestUri_s <> \\\"/\\\"\\r\\n| summarize count() by requestUri_s \\r\\n| top 40 by count_ desc \",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 40 Blocked Request URI addresses, filter to single URI address\",\"noDataMessage\":\"The current data has no \\\"Blocked\\\" results\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"requestUri_s\",\"exportParameterName\":\"RequestURI\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"requestUri_s\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":5}}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"requestUri_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"count_\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"63\",\"name\":\"query - 
9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Rule= iif(Rule has \\\"Mandatory rule. Cannot be disabled.\\\", strcat_array(split(Rule, \\\"Mandatory rule. Cannot be disabled. 
Inbound \\\",1),\\\"\\\"), Rule) // Removes initial component for mandatory rule \\r\\n| extend Rule = iif(Rule has \\\"Total Inbound Score\\\", strcat_array(array_concat(split(Rule, \\\" - SQLI=\\\", 0), parse_json('[\\\") -\\\"]'), split(Rule,\\\"):\\\",1)),\\\"\\\"),Rule) // Removes smaller information if more info is available for anomaly score\\r\\n| summarize count() by Rule\\r\\n| top 50 by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 50 event triggers, filter by rule name\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Rule\",\"exportParameterName\":\"Selected\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true}}],\"sortBy\":[{\"itemKey\":\"$gen_bar_count__1\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"\"}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_count__1\",\"sortOrder\":2}]},\"customWidth\":\"30\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" 
has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| summarize count() by Rule, bin(TimeGenerated, 1h)\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages, by time\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"timeBrushUpperSection\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Message\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"70\",\"name\":\"query - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable 
(Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,requestUri_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string,instanceId_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| where 
'{Selected}' == Rule or '{Selected}' == \\\"*\\\" \\r\\n| extend Role = extract(\\\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\\\",1,instanceId_s) \\r\\n| extend RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s, Site = site_s\\r\\n| project Rule, TimeGenerated, SourceSystem, Hostname, ResourceId, ResourceGroup, ResourceProvider, Category, Role, Action, Site, Message_Details, File_Details, ClientIP, RequestUri\\r\\n| sort by TimeGenerated\",\"size\":0,\"showAnalytics\":true,\"title\":\"Message, full details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushUpperSection\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 11\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and 
\\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message has \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\" \\r\\n| summarize Amount = count() by Rule\\r\\n| order by Amount desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Attacks events, by messages and filterable by rule name\",\"noDataMessage\":\"Filtered messages are not attack events\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"\",\"exportParameterName\":\"MessageFilter\",\"exportDefaultValue\":\"{\\\"Rule\\\":\\\"*\\\"}\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Amount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true,\"aggregation\":\"Sum\"}}],\"filter\":true}},\"customWidth\":\"20\",\"name\":\"query - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable 
(Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message has \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\" \\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| where Rule == Child or Child == \\\"*\\\"\\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| summarize Amount = count() by Rule, bin(TimeGenerated, 1h), ResourceId\\r\\n| project Amount, Rule, TimeGenerated, ResourceId\\r\\n| order by Amount desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Attack events, by 
time\",\"noDataMessage\":\"Filtered messages are not attack events\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"timeBrushLowerSection\",\"exportParameterName\":\"Message\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"customWidth\":\"80\",\"name\":\"query - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == 
\\\"ApplicationGatewayFirewall\\\" and Message has \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| where Rule == Child or Child == \\\"*\\\" \\r\\n| summarize count() by TrackingID\\r\\n| top 50 by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"TrackingID filter\",\"noDataMessage\":\"You have over-filtered or you are missing this data.\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushLowerSection\",\"exportFieldName\":\"TrackingID\",\"exportParameterName\":\"SelectedTrackingID\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"TrackingID\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TrackingID\",\"sortOrder\":2}]},\"customWidth\":\"20\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable 
(Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,ruleGroup_s:string,instanceId_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message has \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| extend TrackingID = strcat(transactionId_s, 
trackingReference_s)\\r\\n| where '{SelectedTrackingID}' == TrackingID or '{SelectedTrackingID}' == \\\"*\\\" \\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| where Rule == Child or Child == \\\"*\\\"\\r\\n| extend RuleGroup = ruleGroup_s, InstandUri = instanceId_s, RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s\\r\\n| project TrackingID, TimeGenerated, Rule, ClientIP, RuleGroup, InstandUri, RequestUri, RuleSetType, Action, Message_Details, File_Details, Data_Details, Hostname, Category\",\"size\":0,\"showAnalytics\":true,\"title\":\"TrackingID Messages\",\"noDataMessage\":\"You have over-filtered or you are missing this data.\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushLowerSection\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":50}},\"customWidth\":\"80\",\"name\":\"query - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and 
(\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message has \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\\r\\n| where '{SelectedTrackingID}' == TrackingID or '{SelectedTrackingID}' == \\\"*\\\" \\r\\n| where Rule == Child or Child == \\\"*\\\"\\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\"\\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| summarize count() by ClientIP\\r\\n| top 10 by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Attacking IP Addresses, filter to single IP address\",\"noDataMessage\":\"Filtered messages are not attack 
events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushLowerSection\",\"exportFieldName\":\"x\",\"exportParameterName\":\"ClientIP\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"ClientIP\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ClientIP\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"count_\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"25\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\\r\\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\\r\\nlet FakeData = (datatable 
(Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,ruleGroup_s:string,instanceId_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string,requestUri_s:string) [ \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\" ]);\\r\\nFakeData | union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"PROFILES\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"{WAFType:label}\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"{WAFType:label}\\\" has \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door\\\") or (ResourceType == \\\"PROFILES\\\" and \\\"{WAFType:label}\\\" has \\\"azure front door premium\\\") or (ResourceType==\\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"{WAFType:label}\\\" has \\\"cdn\\\")) and (\\\"{WAF:label}\\\" == \\\"All\\\" or Resource in ({WAF}))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or Category == \\\"FrontDoorWebApplicationFirewallLog\\\" or (OperationName == \\\"ApplicationGatewayFirewall\\\" and Message has \\\"attack\\\") or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| where Rule == Child or Child == \\\"*\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = 
\\\"Log\\\", Action)\\r\\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\\r\\n| where '{SelectedTrackingID}' == TrackingID or '{SelectedTrackingID}' == \\\"*\\\" \\r\\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \\\"*\\\" \\r\\n| where '{Selected}' == Rule or '{Selected}' == \\\"*\\\"\\r\\n| where ('{ClientIP}' == ClientIP or '{ClientIP}' == \\\"*\\\")\\r\\n| extend RuleGroup = ruleGroup_s, InstandUri = instanceId_s, RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s\\r\\n| project TimeGenerated, Rule, ClientIP, RuleGroup, InstandUri, RequestUri, RuleSetType, Action, Message_Details, File_Details, Data_Details, Hostname, Category\",\"size\":0,\"title\":\"Attack messages of IP address\",\"noDataMessage\":\"Filtered messages are not attack events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"timeBrushLowerSection\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"75\",\"showPin\":true,\"name\":\"query - 13\"}],\"fromTemplateId\":\"sentinel-WebApplicationFirewallWAFTypeEvents\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel"
@@ -1063,7 +1063,7 @@
 "apiVersion": "2022-01-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "2.0.3",
+ "version": "2.0.4",
 "kind": "Solution",
 "contentSchemaVersion": "2.0.0",
 "contentId": "[variables('_solutionId')]",
diff --git a/Solutions/Azure Web Application Firewall (WAF)/SolutionMetadata.json b/Solutions/Azure Web Application Firewall (WAF)/SolutionMetadata.json
index 73ca419a03..9e924e42a3 100644
--- a/Solutions/Azure Web Application Firewall (WAF)/SolutionMetadata.json
+++ b/Solutions/Azure Web Application Firewall (WAF)/SolutionMetadata.json
@@ -4,7 +4,7 @@
 "firstPublishDate": "2022-05-18",
 "providers": [ "Microsoft" ],
 "categories": {
- "domains": [ "Security – Network" ]
+ "domains": [ "Security - Network" ]
 },
 "support": {
 "tier": "Microsoft",
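Review bot: The only change in this hunk replaces the en dash (U+2013) in `"Security – Network"` with an ASCII hyphen, and neither the commit title nor the description says why. If the intent is that the `domains` value must match the fixed domain taxonomy used when the solution is validated or listed, a sentence in the description such as `domains value aligned with the ASCII "Security - Network" spelling expected by the catalog` would keep a later editor from reintroducing the typographic dash, which would compare unequal despite looking identical. The other string fields of SolutionMetadata.json are outside this hunk, so whether they carry similar non-ASCII punctuation cannot be checked here.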