Update InformationProtection.json

Update queries for Information protection usage report
2019-10-02 17:31:49 +03:00 · 2019-10-02 17:31:49 +03:00 · cca3ad0a30
--- a/Workbooks/AzureInformationProtection.json
+++ b/Workbooks/AzureInformationProtection.json
@ -22,7 +22,7 @@
            "type": 4,
            "isRequired": true,
            "value": {
-              "durationMs": 5184000000
+              "durationMs": 2592000000
            },
            "typeSettings": {
              "selectableValues": [
@ -86,7 +86,7 @@
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
-        "query": "let minTime = toscalar(InformationProtectionEvents | where isnotempty(MachineName) | summarize min(Time));\r\nlet dates = range [\"date\"] from bin(minTime, {TimeRange:grain}) to now() step {TimeRange:grain};\r\nInformationProtectionEvents\r\n| where isnotempty(MachineName)\r\n| summarize labels=countif(isnotempty(ItemPath) and Activity in (\"NewLabel\", \"UpgradeLabel\", \"DowngradeLabel\", \"RemoveProtection\", \"NewProtection\", \"ChangeProtection\") and isnotempty(LabelId)),             protected=countif(isnotempty(ItemPath) and Activity in (\"NewLabel\", \"UpgradeLabel\", \"DowngradeLabel\", \"RemoveProtection\", \"NewProtection\", \"ChangeProtection\") and IsProtected) by bin(Time, {TimeRange:grain})\r\n| join kind= rightouter (\r\n    dates\r\n)\r\non $left.Time == $right.[\"date\"]\r\n| project [\"date\"], Labels = coalesce(labels, 0), [\"Protected Labels\"] = coalesce(protected, 0)\r\n",
+        "query": "let Logs = InformationProtectionLogs_CL | extend MachineName_s = columnifexists(\"MachineName_s\",\"\"), ObjectId_s = columnifexists(\"ObjectId_s\",\"\"), Activity_s = columnifexists(\"Activity_s\",\"\"), LabelId_g = columnifexists(\"LabelId_g\",\"\"), Protected_b = columnifexists(\"Protected_b\",false);\r\nlet minTime = toscalar(Logs | where isnotempty(MachineName_s) | summarize min(TimeGenerated));\r\nlet dates = range [\"date\"] from bin(minTime, {TimeRange:grain}) to now() step {TimeRange:grain};\r\nLogs\r\n| where isnotempty(MachineName_s)\r\n| summarize labels=countif(isnotempty(ObjectId_s) and Activity_s in (\"NewLabel\", \"UpgradeLabel\", \"DowngradeLabel\", \"RemoveProtection\", \"NewProtection\", \"ChangeProtection\") and isnotempty(LabelId_g)),\r\nprotected=countif(isnotempty(ObjectId_s) and Activity_s in (\"NewLabel\", \"UpgradeLabel\", \"DowngradeLabel\", \"RemoveProtection\", \"NewProtection\", \"ChangeProtection\") and Protected_b) by bin(TimeGenerated, {TimeRange:grain})\r\n| join kind= rightouter (\r\n    dates\r\n)\r\non $left.TimeGenerated == $right.[\"date\"]\r\n| project [\"date\"], Labels = coalesce(labels, 0), [\"Protected Labels\"] = coalesce(protected, 0)",
        "size": 0,
        "exportToExcelOptions": "visible",
        "title": "Label and protect activity",
@ -105,7 +105,7 @@
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
-        "query": "let minTime = toscalar(InformationProtectionEvents | where isnotempty(MachineName) | summarize min(Time));\r\nlet dates = range [\"date\"] from bin(minTime, {TimeRange:grain}) to now() step {TimeRange:grain};\r\nInformationProtectionEvents\r\n| where isnotempty(MachineName)\r\n| summarize users=dcount(User), devices = dcount(MachineName) by bin(Time, {TimeRange:grain})\r\n| join kind= rightouter\r\n(\r\n    dates\r\n)\r\non $left.Time == $right.[\"date\"]\r\n| project [\"date\"], users = coalesce(users, 0), devices = coalesce(devices, 0)\r\n\r\n",
+        "query": "let Logs = InformationProtectionLogs_CL | extend MachineName_s = columnifexists(\"MachineName_s\",\"\"), UserId_s = columnifexists(\"UserId_s\",\"\");\r\nlet minTime = toscalar(Logs | where isnotempty(MachineName_s) | summarize min(TimeGenerated));\r\nlet dates = range [\"date\"] from bin(minTime, {TimeRange:grain}) to now() step {TimeRange:grain};\r\nLogs\r\n| where isnotempty(MachineName_s)\r\n| summarize users=dcount(UserId_s), devices = dcount(MachineName_s) by bin(TimeGenerated, {TimeRange:grain})\r\n| join kind= rightouter\r\n(\r\n    dates\r\n)\r\non $left.TimeGenerated == $right.[\"date\"]\r\n| project [\"date\"], users = coalesce(users, 0), devices = coalesce(devices, 0)\r\n\r\n",
        "size": 0,
        "exportToExcelOptions": "visible",
        "title": "Users and devices",
@ -124,7 +124,7 @@
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
-        "query": "InformationProtectionEvents\r\n| where isnotempty(LabelId)\r\n| where isnotempty(ItemPath)\r\n| where Activity in (\"NewLabel\", \"UpgradeLabel\", \"DowngradeLabel\", \"RemoveProtection\", \"NewProtection\", \"ChangeProtection\")\r\n| summarize value=count() by LabelName\r\n| order by value\r\n",
+        "query": "let Logs = InformationProtectionLogs_CL | extend LabelName_s = columnifexists(\"LabelName_s\",\"\"), LabelId_g = columnifexists(\"LabelId_g\",\"\"), ObjectId_s = columnifexists(\"ObjectId_s\",\"\"), Activity_s = columnifexists(\"Activity_s\",\"\");\r\nLogs\r\n| where isnotempty(LabelId_g)\r\n| where isnotempty(ObjectId_s)\r\n| where Activity_s in (\"NewLabel\", \"UpgradeLabel\", \"DowngradeLabel\", \"RemoveProtection\", \"NewProtection\", \"ChangeProtection\")\r\n| summarize value=count() by LabelName_s\r\n| order by value\r\n",
        "size": 0,
        "exportToExcelOptions": "visible",
        "title": "Labels",
@ -143,7 +143,7 @@
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
-        "query": "InformationProtectionEvents\r\n| where isnotempty(LabelId)\r\n| where isnotempty(ItemPath)\r\n| where Activity in (\"NewLabel\", \"UpgradeLabel\", \"DowngradeLabel\", \"RemoveProtection\", \"NewProtection\", \"ChangeProtection\")\r\n| summarize value=count() by ApplicationName\r\n| order by value\r\n",
+        "query": "let Logs = InformationProtectionLogs_CL | extend ApplicationName_s = columnifexists(\"ApplicationName_s\",\"\"), LabelId_g = columnifexists(\"LabelId_g\",\"\"), ObjectId_s = columnifexists(\"ObjectId_s\",\"\"), Activity_s = columnifexists(\"Activity_s\",\"\");\r\nLogs\r\n| where isnotempty(LabelId_g)\r\n| where isnotempty(ObjectId_s)\r\n| where Activity_s in (\"NewLabel\", \"UpgradeLabel\", \"DowngradeLabel\", \"RemoveProtection\", \"NewProtection\", \"ChangeProtection\")\r\n| summarize value=count() by ApplicationName_s\r\n| order by value\r\n",
        "size": 0,
        "exportToExcelOptions": "visible",
        "title": "Labels by application",
@ -162,4 +162,4 @@
  "styleSettings": {},
  "fromTemplateId": "sentinel-AzureInformationProtection",
  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
-}
+}