Azure-Sentinel/Workbooks/AnomalyData.json

{
  "version": "Notebook/1.0",
  "items": [
    {
      "type": 9,
      "content": {
        "version": "KqlParameterItem/1.0",
        "parameters": [
          {
            "id": "b4bca4a8-7fef-494e-9dd0-5ccd77fee390",
            "version": "KqlParameterItem/1.0",
            "name": "Id",
            "type": 1,
            "isGlobal": true,
            "timeContext": {
              "durationMs": 86400000
            },
            "value": "85ff04bc-c150-4444-8e2a-48f39679c785"
          },
          {
            "id": "d4383faf-970a-42d3-acbb-29c0445c615b",
            "version": "KqlParameterItem/1.0",
            "name": "AnomalyTemplateName",
            "type": 1,
            "isGlobal": true,
            "timeContext": {
              "durationMs": 86400000
            },
            "value": "(Preview) UEBA Anomalous Account Creation"
          },
          {
            "id": "7fc9760f-8718-47b9-9e00-de6e7da6a6f1",
            "version": "KqlParameterItem/1.0",
            "name": "Description",
            "type": 1,
            "isGlobal": true,
            "value": "91f40573-5825-407e-90ad-32c68bbe5f5d's account Performed a UserManagement action, Add user (490826a1-e130-4d0a-b119-9501012b4bd4@contosohotelb2corgp1.onmicrosoft.com).  from quincy, united states  From IP address 40.126.26.160       "
          },
          {
            "id": "79c838d7-e4f0-46cb-bf3b-e19c52a75609",
            "version": "KqlParameterItem/1.0",
            "name": "StartTime",
            "type": 1,
            "isGlobal": true,
            "value": "2022-05-19T19:31:20Z"
          },
          {
            "id": "014cb5c1-87ca-4dd7-b081-8877734abc20",
            "version": "KqlParameterItem/1.0",
            "name": "EndTime",
            "type": 1,
            "isGlobal": true,
            "value": "2022-05-19T19:31:20Z"
          }
        ],
        "style": "pills",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "parameters - 5"
    },
    {
      "type": 1,
      "content": {
        "json": "## {AnomalyTemplateName}\r\n\r\n{Description}\r\n\r\n**Start Date**: {StartTime}  \r\n**End Date**: {EndTime}"
      },
      "name": "text - 1"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "Anomalies\r\n| where Id == '{Id}'\r\n| mv-expand Entities\r\n| project Entities\r\n| evaluate bag_unpack(Entities, columnsConflict='replace_source')",
        "size": 1,
        "title": "Entities",
        "timeContext": {
          "durationMs": 2592000000
        },
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "query - 4"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "Anomalies\r\n| where AnomalyTemplateName == '{AnomalyTemplateName}'\r\n| summarize count() by bin(TimeGenerated, 1h)",
        "size": 0,
        "title": "Anomaly Job Trend",
        "timeContext": {
          "durationMs": 2592000000
        },
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces",
        "visualization": "areachart"
      },
      "name": "query - 4"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "let fusionAlert =  SecurityAlert\r\n| extend extendedPropertiesDict = parse_json(ExtendedProperties)\r\n| extend originalSystemAlertId = extendedPropertiesDict['OriginalSystemAlertId']\r\n| where originalSystemAlertId == '{Id}';\r\nlet incidentIdList = SecurityIncident \r\n| mv-expand AlertIds\r\n| extend AlertIds = tostring(AlertIds)\r\n| join fusionAlert on $left.AlertIds == $right.SystemAlertId\r\n| summarize by ProviderIncidentId, TenantId;\r\nSecurityIncident\r\n| join kind=innerunique incidentIdList on ProviderIncidentId, TenantId\r\n| project-away ProviderIncidentId1, TenantId1\r\n| project Title, IncidentUrl, TimeGenerated, IncidentName, Description, Severity, Status, Classification, ClassificationComment, ClassificationReason, Owner, ProviderName, ProviderIncidentId, FirstActivityTime, LastActivityTime, FirstModifiedTime, LastModifiedTime, CreatedTime, ClosedTime, IncidentNumber, RelatedAnalyticRuleIds, AlertIds, BookmarkIds, Comments, Labels, AdditionalData, ModifiedBy, SourceSystem\r\n| order by TimeGenerated desc",
        "size": 0,
        "title": "Related Incidents",
        "timeContext": {
          "durationMs": 2592000000
        },
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "query - 5"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "let fusionAlert =  SecurityAlert\r\n| extend extendedPropertiesDict = parse_json(ExtendedProperties)\r\n| extend originalSystemAlertId = extendedPropertiesDict['OriginalSystemAlertId']\r\n| where originalSystemAlertId == '{Id}';\r\nlet incidentIdList = SecurityIncident \r\n| mv-expand AlertIds\r\n| extend AlertIds = tostring(AlertIds)\r\n| join fusionAlert on $left.AlertIds == $right.SystemAlertId\r\n| summarize by ProviderIncidentId, TenantId;\r\nlet uniqueIncidentIdList = SecurityIncident\r\n| join kind=innerunique incidentIdList on ProviderIncidentId, TenantId;\r\nlet incidentBookmarkIds = uniqueIncidentIdList\r\n| mv-expand BookmarkIds\r\n| project BookmarkId = tostring(BookmarkIds);\r\nHuntingBookmark\r\n| join incidentBookmarkIds on BookmarkId;",
        "size": 0,
        "title": "Related Hunting Bookmarks",
        "timeContext": {
          "durationMs": 2592000000
        },
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "query - 5"
    }
  ],
  "fromTemplateId": "sentinel-AnomalyDataWorkbook",
  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}