
{
"version": "Notebook/1.0",
"items": [
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "06dc7f3f-e2c6-445e-83a8-f20c990ac319",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Overview",
"subTarget": "WorkspaceInfo",
"style": "link"
},
{
"id": "1797baab-64cc-4a91-bbc0-0963239440ee",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Data collection anomalies",
"subTarget": "anomalies",
"style": "link"
},
{
"id": "9aeefefa-b950-47fe-9e29-f21aa3e300e6",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Agents info",
"subTarget": "agents",
"style": "link"
}
]
},
"name": "links - 19"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "ccd5adcd-8d59-4cfe-99ec-98075de2e253",
"version": "KqlParameterItem/1.0",
"name": "DefaultSubscription_Internal",
"type": 1,
"isRequired": true,
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId",
"crossComponentResources": [
"value::selected"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "1ca69445-60fc-4806-b43d-ac7e6aad630a",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\r\n",
"crossComponentResources": [
"value::selected"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": "/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05"
},
{
"id": "e94aafa3-c5d9-4523-89f0-4e87aa754511",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\n| project id",
"crossComponentResources": [
"{Subscription}"
],
"value": "/subscriptions/<subs_ID>/resourcegroups/<rg_name>/providers/microsoft.operationalinsights/workspaces/<workspace_name>",
"typeSettings": {
"resourceTypeFilter": {
"microsoft.operationalinsights/workspaces": true
},
"additionalResourceOptions": []
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "eafaa0ec-7c3a-4ee5-babe-9850080c909d",
"version": "KqlParameterItem/1.0",
"name": "resourceGroup",
"type": 1,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| where id == \"{Workspace}\"\r\n| project resourceGroup",
"crossComponentResources": [
"value::selected"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "c4b69c01-2263-4ada-8d9c-43433b739ff3",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": false
},
"value": {
"durationMs": 604800000
}
},
{
"id": "27308a9d-46a2-4fca-8035-e813201fb4f8",
"version": "KqlParameterItem/1.0",
"name": "GiBperday",
"type": 1,
"query": "union withsource = tt *\r\n| where TimeGenerated > startofday({TimeRange:start}) and TimeGenerated < startofday({TimeRange:end})\r\n// Only look at chargeable Tables\r\n| where _IsBillable == True\r\n| summarize\r\nTotalGBytes =round(sum(_BilledSize/(1024*1024*1024)),2)\r\nby bin(TimeGenerated, 1d)//, Solution=tt\r\n| summarize round(avg(TotalGBytes),2)\r\n",
"crossComponentResources": [
"{Workspace}"
],
"isHiddenWhenLocked": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "c71f3009-a3f4-4aa5-aaf0-d0f667100e56",
"version": "KqlParameterItem/1.0",
"name": "Help",
"label": "Show Help",
"type": 10,
"description": "Shows help text that explains the page you are on",
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"jsonData": "[{ \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true }]"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces' \r\n| where id has \"{Workspace}\"\r\n| extend state = trim(' ', tostring(properties.provisioningState))\r\n\t\t,sku = trim(' ', tostring(properties.sku.name))\r\n ,skuUpdate = trim(' ', tostring(properties.sku.lastSkuUpdate))\r\n\t\t,retentionDays = trim(' ', tostring(properties.retentionInDays))\r\n\t\t,dailyquotaGB = trim(' ', tostring(properties.workspaceCapping.dailyQuotaGb))\r\n| extend dailyquotaGB = iif(dailyquotaGB !=-1.0, dailyquotaGB,\"Not set\")\r\n| extend skuUpdate = iif(strlen(skuUpdate) > 0, skuUpdate,\"Unknown\")\r\n| extend sentinel = iif(toint(retentionDays) < 90,\"If you have Sentinel, you can change your retention to 90days (free)?\",\"\")\r\n| project ['Workspace Name']=id, ['Resource Group']=resourceGroup, location, ['Data Retention(days)']=retentionDays, ['Last known SKU update']=skuUpdate, ['Daily Data Cap']=dailyquotaGB, ['License']=sku, ['Notes'] = sentinel",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Subscription}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Data Retention(days)",
"formatter": 0,
"formatOptions": {
"showIcon": true
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Last known SKU update",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "is Empty",
"thresholdValue": "\" \"",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Daily Data Cap",
"formatter": 18,
"formatOptions": {
"showIcon": true,
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "not set",
"representation": "Unavailable",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "1",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Data Retention",
"formatter": 0,
"formatOptions": {
"showIcon": true
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
}
],
"sortBy": [
{
"itemKey": "$gen_link_Workspace Name_0",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "$gen_link_Workspace Name_0",
"sortOrder": 1
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "WorkspaceInfo"
},
"name": "query - 18"
},
{
"type": 1,
"content": {
"json": "# Overview"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "WorkspaceInfo"
},
"showPin": true,
"name": "text - 0 - Copy"
},
{
"type": 1,
"content": {
"json": "\r\nThis section shows the general status of data ingestion in the selected workspace.\r\n\r\nPlease select the *Subscription* and *Workspace* you wish to view, and the *TimeRange* to define the scope."
},
"conditionalVisibilities": [
{
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "WorkspaceInfo"
},
{
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
}
],
"showPin": true,
"name": "text - 0 - Copy - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "### Columns explained\r\n- **Table name**: the name of the Log Analytics workspace table. The list of tables is updated dynamically.\r\n- **Table size**: the total size of the data stored in the table for the specified time range.\r\n- **Table entries**: the total number of events stored in the table for the specified time range.\r\n- **Size per entry**: the average size of each event.\r\n- **Is billable**: indicates whether the table is billable or free (True/False).\r\n\r\nSelect a table name from the list in order to filter the charts below.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource=_TableName *\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff(\"second\",now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable==true) by _TableName, _IsBillable\r\n| project ['Table Name'] = _TableName, ['Table Size'] = Size, ['Table Entries'] = Entries,\r\n ['Size per Entry'] = 1.0 * Size / Entries, ['IsBillable'] = _IsBillable\r\n| order by ['Table Size'] desc\r\n\r\n ",
"size": 0,
"showAnalytics": true,
"title": "{Workspace:name} workspace status for {TimeRange:label}",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Table Name",
"exportParameterName": "Table",
"exportDefaultValue": "All Tables",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Table Name",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "15%"
}
},
{
"columnMatch": "Table Size",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "purpleRed",
"customColumnWidthSetting": "24%"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Table Entries",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "grayBlue",
"customColumnWidthSetting": "24%"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Size per Entry",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "turquoise",
"customColumnWidthSetting": "24%"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "IsBillable",
"formatter": 1,
"formatOptions": {
"customColumnWidthSetting": "10%"
}
},
{
"columnMatch": "Last Record Received",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
},
"numberFormat": {
"unit": 24,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumSignificantDigits": 2
}
}
},
{
"columnMatch": "Estimated Table Price",
"formatter": 3,
"formatOptions": {
"palette": "greenRed"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Table Trend",
"formatter": 10,
"formatOptions": {
"palette": "redGreen"
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "Table Name",
"label": "Table name"
},
{
"columnId": "Table Size",
"label": "Table size",
"comment": "Total size of the table"
},
{
"columnId": "Table Entries",
"label": "Table entries",
"comment": "Number of rows in the table"
},
{
"columnId": "Size per Entry",
"label": "Size per entry",
"comment": "Average size of a row"
},
{
"columnId": "IsBillable",
"label": "Is billable"
}
]
},
"sortBy": []
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "WorkspaceInfo"
},
"showPin": true,
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource = _TableName *\r\n| where '{Table}' == 'All Tables' or _TableName == '{Table}'\r\n| make-series TableSize = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n| mvexpand TableSize to typeof(real), TimeGenerated to typeof(datetime) limit 1000\r\n| project TimeGenerated, ['{Table}'] = TableSize",
"size": 0,
"showAnalytics": true,
"title": "{TimeRange:label}: number of events",
"color": "green",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Namespace",
"exportParameterName": "Namespace",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "areachart",
"gridSettings": {
"formatters": [
{
"columnMatch": "Table Entries",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "green",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "blue",
"showIcon": true
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size Trend",
"formatter": 9,
"formatOptions": {
"min": 0,
"palette": "blue",
"showIcon": true
}
}
],
"filter": true
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "WorkspaceInfo"
},
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource = _TableName *\r\n| where '{Table}' == 'All Tables' or _TableName == '{Table}'\r\n| make-series TableSize = sum(_BilledSize) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} \r\n| mvexpand TableSize to typeof(real), TimeGenerated to typeof(datetime) limit 1000\r\n| project TimeGenerated, ['{Table}'] = TableSize",
"size": 0,
"showAnalytics": true,
"title": "{TimeRange:label}: table volume",
"color": "blue",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Namespace",
"exportParameterName": "Namespace",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "areachart",
"gridSettings": {
"formatters": [
{
"columnMatch": "Table Entries",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "green",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "blue",
"showIcon": true
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size Trend",
"formatter": 9,
"formatOptions": {
"min": 0,
"palette": "blue",
"showIcon": true
}
}
],
"filter": true
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "WorkspaceInfo"
},
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource= _TableName *\r\n| where '{Table}' == 'All Tables' or _TableName == '{Table}'\r\n| summarize count() by bin(TimeGenerated, {TimeRange:grain}), Type\r\n| project Type, TimeGenerated, count_\r\n\r\n\r\n",
"size": 1,
"showAnalytics": true,
"title": "{TimeRange:label}: number of events, by table (Time Brush enabled)",
"color": "blue",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "tbMthlyUsage",
"exportFieldName": "Namespace",
"exportParameterName": "Namespace",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "barchart",
"gridSettings": {
"formatters": [
{
"columnMatch": "Average Events per Second (eps)",
"formatter": 3,
"formatOptions": {
"palette": "redGreen"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Minimum eps",
"formatter": 3,
"formatOptions": {
"palette": "redGreen"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Maximum eps",
"formatter": 3,
"formatOptions": {
"palette": "redGreen"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Estimated Table Price",
"formatter": 3,
"formatOptions": {
"palette": "greenRed"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Table Entries",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "green"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "blue"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size Trend",
"formatter": 9,
"formatOptions": {
"min": 0,
"palette": "blue"
}
}
],
"filter": true
},
"sortBy": [],
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Other",
"color": "green"
}
],
"xSettings": {},
"ySettings": {}
}
},
"customWidth": "100",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "WorkspaceInfo"
},
"name": "query - 7 - mthly table usage "
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource = _TableName *\r\n| where '{Table}' == 'All Tables' or _TableName == '{Table}'\r\n| summarize count() by bin(TimeGenerated, {tbMthlyUsage:grain}), Type\r\n| project ['Table name'] = Type, ['Time generated'] = TimeGenerated, ['Number of events'] = count_\r\n\r\n\r\n",
"size": 1,
"showAnalytics": true,
"title": "Number of events over selected time: {tbMthlyUsage:label}",
"color": "blue",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "tbMthlyUsage",
"timeBrushParameterName": "tbMthlyUsage",
"exportFieldName": "Namespace",
"exportParameterName": "Namespace",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Number of events",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "greenBlue"
}
},
{
"columnMatch": "count_",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "Average Events per Second (eps)",
"formatter": 3,
"formatOptions": {
"palette": "redGreen"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Minimum eps",
"formatter": 3,
"formatOptions": {
"palette": "redGreen"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Maximum eps",
"formatter": 3,
"formatOptions": {
"palette": "redGreen"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Estimated Table Price",
"formatter": 3,
"formatOptions": {
"palette": "greenRed"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Table Entries",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "green"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "blue"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size Trend",
"formatter": 9,
"formatOptions": {
"min": 0,
"palette": "blue"
}
}
],
"filter": true
},
"sortBy": [],
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Other",
"color": "green"
}
],
"xSettings": {},
"ySettings": {}
}
},
"customWidth": "100",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "WorkspaceInfo"
},
"name": "query - 7 - mthly table usage - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "WorkspaceInfo"
},
"name": "group - workspaceInfo"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## Events per second (EPS)"
},
"name": "text - 30"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "b170eaf0-d2d9-4a9b-ab4a-bed71b6347bc",
"version": "KqlParameterItem/1.0",
"name": "EPStimerange",
"label": "Select EPS time range",
"type": 4,
"description": "Used to calculate Events Per Second (EPS) over a selected time range",
"isRequired": true,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
}
],
"allowCustom": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.insights/components"
},
"customWidth": "20",
"name": "parameters - 29"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource=_TableName *\r\n| where _TimeReceived {EPStimerange:Label}\r\n| summarize count() , Size = sum(_BilledSize) by bin(_TimeReceived, 1m), Type, _IsBillable\r\n| extend counttemp =count_ / 60\r\n| summarize \r\n ['Average Events per Second (eps)'] = avg(counttemp), ['Minimum eps']=min (counttemp),\r\n ['Maximum eps']=max(counttemp)\r\n by ['Table Name']=Type\r\n| order by ['Average Events per Second (eps)'] desc\r\n",
"size": 0,
"showAnalytics": true,
"title": "{EPStimerange:label}: events per second (EPS), by table",
"color": "blue",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Table Name",
"exportParameterName": "Table",
"exportDefaultValue": "All Tables",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Table Name",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "20%"
}
},
{
"columnMatch": "Average Events per Second (eps)",
"formatter": 3,
"formatOptions": {
"palette": "greenBlue",
"customColumnWidthSetting": "25%"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Minimum eps",
"formatter": 3,
"formatOptions": {
"palette": "greenBlue",
"customColumnWidthSetting": "25%"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Maximum eps",
"formatter": 3,
"formatOptions": {
"palette": "greenBlue",
"customColumnWidthSetting": "25%"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Estimated Table Price",
"formatter": 3,
"formatOptions": {
"palette": "greenRed"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Table Entries",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "green"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "blue"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size Trend",
"formatter": 9,
"formatOptions": {
"min": 0,
"palette": "blue"
}
}
],
"filter": true,
"sortBy": [
{
"itemKey": "$gen_bar_Average Events per Second (eps)_1",
"sortOrder": 2
}
],
"labelSettings": [
{
"columnId": "Table Name",
"label": "Table name"
},
{
"columnId": "Average Events per Second (eps)",
"label": "Average events per second (EPS)"
},
{
"columnId": "Minimum eps",
"label": "Lowest EPS",
"comment": "Lowest EPS measured over the specified time period"
},
{
"columnId": "Maximum eps",
"label": "Highest EPS",
"comment": "Highest EPS measured over the specified time period"
}
]
},
"sortBy": [
{
"itemKey": "$gen_bar_Average Events per Second (eps)_1",
"sortOrder": 2
}
]
},
"customWidth": "100",
"name": "query - 7 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where _TimeReceived {EPStimerange:Label}\r\n| summarize count() by bin(_TimeReceived, 1m), Type, DeviceVendor\r\n| extend counttemp = todouble(count_ / 60)\r\n| summarize ['Events per Second (eps)'] = avg(counttemp) by DeviceVendor\r\n| order by ['Events per Second (eps)'] desc",
"size": 1,
"showAnalytics": true,
"title": "{EPStimerange:label}: average EPS in CommonSecurityLog (CEF), by device vendor",
"color": "blue",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "EPStimerange",
"exportFieldName": "Namespace",
"exportParameterName": "Namespace",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Events per Second (eps)",
"formatter": 3,
"formatOptions": {
"palette": "turquoise",
"customColumnWidthSetting": "50%"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Table Entries",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "green"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "blue"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size Trend",
"formatter": 9,
"formatOptions": {
"min": 0,
"palette": "blue"
}
}
],
"filter": true,
"sortBy": [
{
"itemKey": "$gen_bar_Events per Second (eps)_1",
"sortOrder": 1
}
],
"labelSettings": [
{
"columnId": "DeviceVendor",
"label": "Device Vendor"
},
{
"columnId": "Events per Second (eps)",
"label": "Events per second (EPS)"
}
]
},
"sortBy": [
{
"itemKey": "$gen_bar_Events per Second (eps)_1",
"sortOrder": 1
}
]
},
"customWidth": "50",
"name": "query - 7 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where _TimeReceived {EPStimerange:Label}\r\n| summarize count() by bin(_TimeReceived, 1m), Type, _ResourceId\r\n| extend counttemp =count_ / 60\r\n| summarize ['Events per Second (eps)'] = avg(counttemp) by Computer = _ResourceId\r\n| order by ['Events per Second (eps)'] desc",
"size": 1,
"showAnalytics": true,
"title": "{EPStimerange:label}: average EPS in CommonSecurityLog (CEF), by computer",
"color": "blue",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "EPStimerange",
"exportFieldName": "Namespace",
"exportParameterName": "Namespace",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Events per Second (eps)",
"formatter": 3,
"formatOptions": {
"palette": "blue",
"customColumnWidthSetting": "20%"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Table Entries",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "green"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "blue"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size Trend",
"formatter": 9,
"formatOptions": {
"min": 0,
"palette": "blue"
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "Events per Second (eps)",
"label": "Events per second (EPS)"
}
]
},
"sortBy": []
},
"customWidth": "50",
"name": "query - 7 - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n| where _TimeReceived {EPStimerange:Label}\r\n| summarize count() by bin(_TimeReceived, 1m), Type, _ResourceId\r\n| extend counttemp =count_ / 60\r\n| summarize ['Events per Second (eps)'] = avg(counttemp) by Computer = _ResourceId\r\n| order by ['Events per Second (eps)'] desc",
"size": 1,
"showAnalytics": true,
"title": "{EPStimerange:label}: average EPS in Syslog, by computer",
"color": "blue",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "EPStimerange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Events per Second (eps)",
"formatter": 3,
"formatOptions": {
"palette": "gray",
"customColumnWidthSetting": "50%"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Table Entries",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "green"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "blue"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size Trend",
"formatter": 9,
"formatOptions": {
"min": 0,
"palette": "blue"
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "Events per Second (eps)",
"label": "Events per second (EPS)"
}
]
},
"sortBy": []
},
"customWidth": "50",
"name": "query - 7 - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource = _TableName *\r\n| where '{Table}' == 'All Tables' or _TableName == '{Table}'\r\n| where _TimeReceived > startofday(ago(7d))\r\n| summarize count() by bin(_TimeReceived, {TimeRange:grain}), Type\r\n| project Type, _TimeReceived, count_\r\n\r\n\r\n",
"size": 0,
"showAnalytics": true,
"title": "Total events collected over time, by table name, for the last 7 days",
"color": "blue",
"timeContext": {
"durationMs": 604800000
},
"exportFieldName": "Namespace",
"exportParameterName": "Namespace",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "areachart",
"gridSettings": {
"formatters": [
{
"columnMatch": "Average Events per Second (eps)",
"formatter": 3,
"formatOptions": {
"palette": "redGreen"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Minimum eps",
"formatter": 3,
"formatOptions": {
"palette": "redGreen"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Maximum eps",
"formatter": 3,
"formatOptions": {
"palette": "redGreen"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Estimated Table Price",
"formatter": 3,
"formatOptions": {
"palette": "greenRed"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Table Entries",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "green"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "blue"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size Trend",
"formatter": 9,
"formatOptions": {
"min": 0,
"palette": "blue"
}
}
],
"filter": true
},
"sortBy": [],
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Other",
"color": "green"
}
],
"xSettings": {},
"ySettings": {}
}
},
"customWidth": "100",
"name": "query - 7 - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource = _TableName *\r\n| where '{Table}' == 'All Tables' or _TableName == '{Table}'\r\n| summarize count() by bin(_TimeReceived, {TimeRange:grain}), Type\r\n| project Type, _TimeReceived, count_\r\n\r\n\r\n",
"size": 1,
"showAnalytics": true,
"title": "Total events collected over time, by table name, for the last 30 days",
"color": "blue",
"timeContext": {
"durationMs": 2592000000
},
"exportFieldName": "Namespace",
"exportParameterName": "Namespace",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "areachart",
"gridSettings": {
"formatters": [
{
"columnMatch": "Average Events per Second (eps)",
"formatter": 3,
"formatOptions": {
"palette": "redGreen"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Minimum eps",
"formatter": 3,
"formatOptions": {
"palette": "redGreen"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Maximum eps",
"formatter": 3,
"formatOptions": {
"palette": "redGreen"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"maximumSignificantDigits": 3
}
}
},
{
"columnMatch": "Estimated Table Price",
"formatter": 3,
"formatOptions": {
"palette": "greenRed"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Table Entries",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "green"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "blue"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size Trend",
"formatter": 9,
"formatOptions": {
"min": 0,
"palette": "blue"
}
}
],
"rowLimit": 1000,
"filter": true,
"sortBy": [
{
"itemKey": "Type",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "Type",
"sortOrder": 1
}
],
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Other",
"color": "green"
}
],
"xSettings": {},
"ySettings": {}
}
},
"customWidth": "100",
"name": "query - 7 - Copy - Copy - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "WorkspaceInfo"
},
"name": "group - eps"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "---\r\n## Last event received"
},
"name": "text - 4"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "7e985447-1426-44cc-9c80-75aad9458b93",
"version": "KqlParameterItem/1.0",
"name": "LastLogRecivedThreshold",
"label": "Last log received threshold",
"type": 2,
"description": "Select the last log received threshold used to filter the table below",
"isRequired": true,
"value": "3600",
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"jsonData": "[{\"value\":\"0\",\"label\":\"None\"},{\"value\":\"3600\",\"label\":\"1h\"},{\"value\":\"21600\",\"label\":\"6h\"},{\"value\":\"43200\",\"label\":\"12h\"}, {\"value\":\"86400\",\"label\":\"1d\"},{\"value\":\"172800\",\"label\":\"2d\"},{\"value\":\"604800\",\"label\":\"7d\"}]",
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource = _TableName *\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize last_log = datetime_diff(\"second\",now(), max(TimeGenerated)) by _TableName\r\n| where last_log > {LastLogRecivedThreshold}\r\n| project ['Table Name'] = _TableName, ['Last Record Received'] = last_log \r\n | order by ['Last Record Received'] desc\r\n\r\n ",
"size": 0,
"showAnalytics": true,
"title": "Last data received, by table",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Table Name",
"exportParameterName": "Table",
"exportDefaultValue": "All Tables",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Last Record Received",
"formatter": 8,
"formatOptions": {
"palette": "orangeRed"
},
"numberFormat": {
"unit": 24,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumSignificantDigits": 2
}
}
},
{
"columnMatch": "Table Size",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "coldHot"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Table Entries",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "green"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Size per Entry",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "orange"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "IsBillable",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "blueDark",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Estimated Table Price",
"formatter": 3,
"formatOptions": {
"palette": "greenRed"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Table Trend",
"formatter": 10,
"formatOptions": {
"palette": "redGreen"
}
}
],
"filter": true,
"sortBy": [
{
"itemKey": "$gen_heatmap_Last Record Received_1",
"sortOrder": 2
}
],
"labelSettings": [
{
"columnId": "Table Name",
"label": "Table name"
},
{
"columnId": "Last Record Received",
"label": "Last record received",
"comment": "When did the last record arrive?"
}
]
},
"sortBy": [
{
"itemKey": "$gen_heatmap_Last Record Received_1",
"sortOrder": 2
}
]
},
"customWidth": "50",
"showPin": true,
"name": "query - 2 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize last_log = datetime_diff(\"second\",now(), max(TimeGenerated)) by DeviceVendor\r\n| where last_log > {LastLogRecivedThreshold}\r\n| project ['Device Vendor'] = DeviceVendor, ['Last Record Received'] = last_log \r\n | order by ['Last Record Received'] desc\r\n\r\n ",
"size": 0,
"showAnalytics": true,
"title": "Last data received, by CEF device vendor",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Table Name",
"exportParameterName": "Table",
"exportDefaultValue": "All Tables",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Last Record Received",
"formatter": 8,
"formatOptions": {
"palette": "orangeRed"
},
"numberFormat": {
"unit": 24,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumSignificantDigits": 2
}
}
},
{
"columnMatch": "Table Size",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "coldHot"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Table Entries",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "green"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Size per Entry",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "orange"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "IsBillable",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "blueDark",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Estimated Table Price",
"formatter": 3,
"formatOptions": {
"palette": "greenRed"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Table Trend",
"formatter": 10,
"formatOptions": {
"palette": "redGreen"
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "Device Vendor",
"label": "Device vendor"
},
{
"columnId": "Last Record Received",
"label": "Last record received",
"comment": "When did the last record arrive?"
}
]
},
"sortBy": []
},
"customWidth": "50",
"showPin": true,
"name": "query - 2 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize last_log = datetime_diff(\"second\",now(), max(TimeGenerated)) by _ResourceId, Computer\r\n| where last_log > {LastLogRecivedThreshold}\r\n| project ['Azure resource'] = _ResourceId, Computer, ['Last Record Received'] = last_log \r\n | order by ['Last Record Received'] desc\r\n ",
"size": 0,
"showAnalytics": true,
"title": "CommonSecurityLog (CEF): Last data received, by computer",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Table Name",
"exportParameterName": "Table",
"exportDefaultValue": "All Tables",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Last Record Received",
"formatter": 8,
"formatOptions": {
"palette": "orangeRed"
},
"numberFormat": {
"unit": 24,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumSignificantDigits": 2
}
}
},
{
"columnMatch": "Table Size",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "coldHot"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Table Entries",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "green"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Size per Entry",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "orange"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "IsBillable",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "blueDark",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Estimated Table Price",
"formatter": 3,
"formatOptions": {
"palette": "greenRed"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Table Trend",
"formatter": 10,
"formatOptions": {
"palette": "redGreen"
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "Computer"
},
{
"columnId": "Last Record Received",
"label": "Last record received"
}
]
},
"sortBy": []
},
"customWidth": "50",
"showPin": true,
"name": "query - 2 - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize last_log = datetime_diff(\"second\",now(), max(TimeGenerated)) by _ResourceId, Computer\r\n| where last_log > {LastLogRecivedThreshold}\r\n| project ['Azure resource'] = _ResourceId, Computer, ['Last Record Received'] = last_log \r\n | order by ['Last Record Received'] desc\r\n\r\n ",
"size": 0,
"showAnalytics": true,
"title": "Syslog: Last data received, by computer",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Table Name",
"exportParameterName": "Table",
"exportDefaultValue": "All Tables",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Last Record Received",
"formatter": 8,
"formatOptions": {
"palette": "orangeRed"
},
"numberFormat": {
"unit": 24,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumSignificantDigits": 2
}
}
},
{
"columnMatch": "Table Size",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "coldHot"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Table Entries",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "green"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Size per Entry",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "orange"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "IsBillable",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "blueDark",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Estimated Table Price",
"formatter": 3,
"formatOptions": {
"palette": "greenRed"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Table Trend",
"formatter": 10,
"formatOptions": {
"palette": "redGreen"
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "Computer"
},
{
"columnId": "Last Record Received",
"label": "Last record received"
}
]
},
"sortBy": []
},
"customWidth": "50",
"showPin": true,
"name": "query - 2 - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize last_log = datetime_diff(\"second\",now(), max(TimeGenerated)) by _ResourceId, Computer\r\n| where last_log > {LastLogRecivedThreshold}\r\n| project ['Azure resource'] = _ResourceId, Computer, ['Last Record Received'] = last_log \r\n | order by ['Last Record Received'] desc\r\n ",
"size": 0,
"showAnalytics": true,
"title": "SecurityEvent: Last data received, by computer",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Table Name",
"exportParameterName": "Table",
"exportDefaultValue": "All Tables",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Last Record Received",
"formatter": 8,
"formatOptions": {
"palette": "orangeRed"
},
"numberFormat": {
"unit": 24,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumSignificantDigits": 2
}
}
},
{
"columnMatch": "Table Size",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "coldHot"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Table Entries",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "green"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Size per Entry",
"formatter": 3,
"formatOptions": {
"min": 0,
"palette": "orange"
},
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "IsBillable",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "True",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "False",
"representation": "blueDark",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Estimated Table Price",
"formatter": 3,
"formatOptions": {
"palette": "greenRed"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Table Trend",
"formatter": 10,
"formatOptions": {
"palette": "redGreen"
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "Computer"
},
{
"columnId": "Last Record Received",
"label": "Last record received",
"comment": "When did the last record arrive?"
}
]
},
"sortBy": []
},
"customWidth": "50",
"showPin": true,
"name": "query - 2 - Copy - Copy - Copy - Copy - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "WorkspaceInfo"
},
"name": "group - latency"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "---"
},
"name": "text - 7"
},
{
"type": 1,
"content": {
"json": "# Data collection anomalies view:\r\n"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "anomalies"
},
"name": "text - 10"
},
{
"type": 1,
"content": {
"json": "In this section you can detect anomalies in the data collection process.\r\nEach tab presents anomalies for a particular table.\r\nThe anomalies are calculated using the **series_decompose_anomalies()** function, which returns an **anomaly score**. [Learn more about this function](https://docs.microsoft.com/azure/data-explorer/kusto/query/series-decompose-anomaliesfunction).\r\n\r\n#### Parameters:\r\n- **AnomaliesTimeRange**: This time picker applies only to the data collection anomalies view.\r\n- **SampleInterval**: The time interval in which data is sampled in the given time range. The anomaly score is calculated only on the last interval's data.\r\n- **PositiveAlertThreshold**: This value defines the positive **anomaly score** threshold. Accepts decimal values.\r\n- **NegativeAlertThreshold**: This value defines the negative **anomaly score** threshold. Accepts decimal values.\r\n\r\n",
"style": "info"
},
"conditionalVisibilities": [
{
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "anomalies"
},
{
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
}
],
"name": "text - 10 - Copy"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "2308c1ae-92f4-44c9-a6e2-a09a8302f4ca",
"version": "KqlParameterItem/1.0",
"name": "AnomaliesTimeRange",
"label": "Time Range",
"type": 4,
"description": "This time picker applies only to the data collection anomalies view.",
"isRequired": true,
"value": {
"durationMs": 1209600000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "EPStimerange"
},
{
"id": "8991a3f1-5fb9-4f6b-b140-f573c9300e7c",
"version": "KqlParameterItem/1.0",
"name": "SampleInterval",
"label": "Sample Interval",
"type": 2,
"description": "The time interval in which data is sampled in the given time range. The anomaly score is calculated only on the last interval's data.",
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[{ \"value\": \"5m\", \"label\": \"5m\" }, { \"value\": \"1h\", \"label\": \"1h\" }, { \"value\": \"1d\", \"label\": \"1d\" , \"selected\":true }, { \"value\": \"7d\", \"label\": \"7d\" , \"selected\":true },{ \"value\": \"14d\", \"label\": \"14d\"}]",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "EPStimerange"
},
{
"id": "1961884d-dc42-4a2d-9462-bf0f183063b2",
"version": "KqlParameterItem/1.0",
"name": "PositiveAlertThreshold",
"label": "Positive Alert Threshold",
"type": 1,
"description": "This value defines the positive anomaly score threshold. Accepts decimal values. ",
"isRequired": true,
"value": "2.0",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "EPStimerange"
},
{
"id": "7b805478-0db9-4fe8-b0b0-90e6a5332451",
"version": "KqlParameterItem/1.0",
"name": "NegativeAlertThreshold",
"label": "Negative Alert Threshold",
"type": 1,
"description": "This value defines the negative anomaly score threshold. Accepts decimal values. ",
"isRequired": true,
"value": "-2.0",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "EPStimerange"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 0"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "fe57bc7c-82df-4d94-bcfd-7f5713db71fc",
"cellValue": "AnomaliesTab",
"linkTarget": "parameter",
"linkLabel": "General",
"subTarget": "General",
"style": "link"
},
{
"id": "68179146-d2dc-4b53-8091-4fefee8dee00",
"cellValue": "AnomaliesTab",
"linkTarget": "parameter",
"linkLabel": "Common Event Format (CEF)",
"subTarget": "CEF",
"style": "link"
},
{
"id": "c2f485d4-a9b2-489b-b1cc-fa211de20bd2",
"cellValue": "AnomaliesTab",
"linkTarget": "parameter",
"linkLabel": "Security Event",
"subTarget": "SecurityEvents",
"style": "link"
},
{
"id": "6808e012-fd1e-451c-8036-3cf97571cde7",
"cellValue": "AnomaliesTab",
"linkTarget": "parameter",
"linkLabel": "Syslog",
"subTarget": "Syslog",
"style": "link"
},
{
"id": "b996ab73-96a2-4c0d-9fe7-7f326178e602",
"cellValue": "AnomaliesTab",
"linkTarget": "parameter",
"linkLabel": "Azure Activity",
"subTarget": "AzureActivity",
"style": "link"
},
{
"id": "ceaf1500-6658-4ce0-aa65-35eac464706d",
"cellValue": "AnomaliesTab",
"linkTarget": "parameter",
"linkLabel": "Azure Diagnostics",
"subTarget": "AzureDiagnostics",
"style": "link"
},
{
"id": "3a161dfa-3b19-41bf-a82c-f3e69a0dede3",
"cellValue": "AnomaliesTab",
"linkTarget": "parameter",
"linkLabel": "Office Activity",
"subTarget": "OfficeActivity",
"style": "link"
},
{
"id": "dbc065b2-644e-408b-a085-9b07a45e1d3c",
"cellValue": "AnomaliesTab",
"linkTarget": "parameter",
"linkLabel": "AWS CloudTrail",
"subTarget": "CloudTrail",
"style": "link"
}
]
},
"name": "links - 2"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Tables detected anomalies",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource = _TableName *\r\n| make-series count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} by _TableName\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(count_, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| where anomalies[-1] == 1 or anomalies[-1] == -1 \r\n| extend Score = score[-1]\r\n| where Score >= {PositiveAlertThreshold:value} or Score <= {NegativeAlertThreshold:value}\r\n| project [\"Table Name\"] = _TableName, expectedCounts=baseline[-1], actualCount=count_[-1], Score = score[-1]",
"size": 0,
"showAnalytics": true,
"title": "Click on the table name to drill down",
"noDataMessage": "No anomalies found",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "AnomaliesTimeRange",
"exportFieldName": "Table Name",
"exportParameterName": "Table",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "expectedCounts",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Score",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "score",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "expectedCounts",
"label": "Expected amount of events"
},
{
"columnId": "actualCount",
"label": "Actual amount of events"
},
{
"columnId": "Score"
}
]
}
},
"customWidth": "50",
"showPin": true,
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource = _TableName *\r\n| where _TableName == '{Table}'\r\n| make-series count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value}\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(count_, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| project-away anomalies, score\r\n| render timechart ",
"size": 0,
"title": "Anomaly graph for the selected table",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "AnomaliesTimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "Table",
"comparison": "isNotEqualTo",
"value": "All"
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource= _TableName *\r\n| where _TableName == '{Table}'\r\n| make-series Trend = count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} by _TableName, _ResourceId, SourceSystem\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Trend, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| where anomalies[-1] == 1 or anomalies[-1] == -1 \r\n| extend Score = score[-1]\r\n| where Score >= {PositiveAlertThreshold:value} or Score <= {NegativeAlertThreshold:value}\r\n| project _ResourceId, SourceSystem, expectedCounts=baseline[-1], actualCount=Trend[-1], score = round(todouble(score[-1]),2), Trend, Baselaine = baseline",
"size": 0,
"title": "Anomalies by source system and resource",
"noDataMessage": "No anomalies found",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "AnomaliesTimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "expectedCounts",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "score",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "Default",
"thresholdValue": null,
"representation": "2",
"text": "{0}{1}"
}
]
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"min": 0,
"palette": "blue"
}
},
{
"columnMatch": "Baselaine",
"formatter": 21,
"formatOptions": {
"min": 0,
"palette": "purple"
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "_ResourceId",
"label": "Resource ID"
},
{
"columnId": "SourceSystem",
"label": "Source system"
},
{
"columnId": "expectedCounts",
"label": "Expected amount of events"
},
{
"columnId": "actualCount",
"label": "Actual amount of events"
},
{
"columnId": "score",
"label": "Score"
},
{
"columnId": "Trend"
},
{
"columnId": "Baselaine",
"label": "Baseline"
}
]
}
},
"conditionalVisibility": {
"parameterName": "Table",
"comparison": "isNotEqualTo",
"value": "All"
},
"name": "query - 1 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Usage\r\n| make-series Sum = sum(Quantity) on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} by DataType\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Sum, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| where anomalies[-1] == 1 or anomalies[-1] == -1 \r\n| extend Score = score[-1]\r\n| where Score >= {PositiveAlertThreshold:value} or Score <= {NegativeAlertThreshold:value}\r\n| project TableName = DataType, expectedCounts=baseline[-1], actualCount=Sum[-1], Score = score[-1]",
"size": 0,
"showAnalytics": true,
"title": "Click on the table name to drill down",
"noDataMessage": "No anomalies found",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "AnomaliesTimeRange",
"exportFieldName": "TableName",
"exportParameterName": "TableName",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "expectedCounts",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Score",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "score",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "TableName",
"label": "Table name"
},
{
"columnId": "expectedCounts",
"label": "Expected amount of events"
},
{
"columnId": "actualCount",
"label": "Actual amount of events"
},
{
"columnId": "Score"
}
]
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "display",
"comparison": "isEqualTo",
"value": "1"
},
"showPin": true,
"name": "query - 1 - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "AnomaliesTab",
"comparison": "isEqualTo",
"value": "General"
},
"name": "Tables detected anomalies"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Common Event Format (CEF) anomalies",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| make-series count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} \r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(count_, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| project-away anomalies, score\r\n| render timechart ",
"size": 0,
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "AnomaliesTimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| make-series Trend = count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} by DeviceVendor\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Trend, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| where anomalies[-1] == 1 or anomalies[-1] == -1 \r\n| extend Score = score[-1]\r\n| where Score >= {PositiveAlertThreshold:value} or Score <= {NegativeAlertThreshold:value}\r\n| project ['Device Vendor'] = DeviceVendor, ['Expected counts']=baseline[-1], ['Actual count']=Trend[-1], Score = score[-1], Trend, Baseline = baseline",
"size": 0,
"showAnalytics": true,
"title": "Detections by vendor",
"noDataMessage": "No anomalies found",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "AnomaliesTimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "expectedCounts",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "score",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"min": 0,
"palette": "blue"
}
},
{
"columnMatch": "Baseline",
"formatter": 21,
"formatOptions": {
"min": 0,
"palette": "turquoise"
}
}
]
}
},
"customWidth": "50",
"showPin": true,
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| make-series Trend = count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} by DeviceVendor, DeviceProduct, _ResourceId, Computer\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Trend, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| where anomalies[-1] == 1 or anomalies[-1] == -1 \r\n| extend Score = score[-1]\r\n| where Score >= {PositiveAlertThreshold:value} or Score <= {NegativeAlertThreshold:value}\r\n| project DeviceVendor, DeviceProduct, Machime = _ResourceId, [\"Computer Name\"] = Computer, expectedCounts=baseline[-1], actualCount=Trend[-1], score = score[-1], Trend, Baseline = baseline",
"size": 0,
"showAnalytics": true,
"title": "Detections by vendor, product and machine",
"noDataMessage": "No anomalies found",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "AnomaliesTimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "expectedCounts",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "actualCount",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
},
{
"columnMatch": "score",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"max": 0,
"palette": "pink"
}
},
{
"columnMatch": "Baseline",
"formatter": 21,
"formatOptions": {
"min": 0,
"palette": "purple"
}
}
],
"labelSettings": [
{
"columnId": "DeviceVendor",
"label": "Device vendor"
},
{
"columnId": "DeviceProduct",
"label": "Device product"
},
{
"columnId": "Machime",
"label": "Machine"
},
{
"columnId": "expectedCounts",
"label": "Expected count"
},
{
"columnId": "actualCount",
"label": "Actual count"
},
{
"columnId": "score",
"label": "Score"
},
{
"columnId": "Trend"
},
{
"columnId": "Baseline"
}
]
}
},
"showPin": true,
"name": "query - 2"
}
]
},
"conditionalVisibility": {
"parameterName": "AnomaliesTab",
"comparison": "isEqualTo",
"value": "CEF"
},
"name": "CEF"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Security Events anomalies",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| make-series count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} \r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(count_, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| project-away anomalies, score\r\n| render timechart ",
"size": 0,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "AnomaliesTimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| make-series Trend = count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} by _ResourceId, Computer\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Trend, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| where anomalies[-1] == 1 or anomalies[-1] == -1 \r\n| extend Score = score[-1]\r\n| where Score >= {PositiveAlertThreshold:value} or Score <= {NegativeAlertThreshold:value}\r\n| project Machine = _ResourceId, [\"Computer Name\"] = Computer, expectedCounts=baseline[-1], actualCount=Trend[-1], score = score[-1], Trend, Baseline = baseline",
"size": 0,
"showAnalytics": true,
"title": "Detections by machine",
"noDataMessage": "No anomalies found",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "AnomaliesTimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "expectedCounts",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "actualCount",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
},
{
"columnMatch": "score",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"max": 0,
"palette": "pink"
}
},
{
"columnMatch": "Baseline",
"formatter": 21,
"formatOptions": {
"min": 0,
"palette": "purple"
}
}
],
"labelSettings": [
{
"columnId": "Machine"
},
{
"columnId": "expectedCounts",
"label": "Expected event count"
},
{
"columnId": "actualCount",
"label": "Actual event count"
},
{
"columnId": "score",
"label": "Score"
},
{
"columnId": "Trend"
},
{
"columnId": "Baseline"
}
]
}
},
"showPin": true,
"name": "query - 2"
}
]
},
"conditionalVisibility": {
"parameterName": "AnomaliesTab",
"comparison": "isEqualTo",
"value": "SecurityEvents"
},
"name": "Security Events"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Syslog anomalies",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n| make-series count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} \r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(count_, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| project-away anomalies, score\r\n| render timechart ",
"size": 0,
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "AnomaliesTimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n| make-series Trend = count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} by _ResourceId, Computer, SourceSystem\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Trend, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| where anomalies[-1] == 1 or anomalies[-1] == -1 \r\n| extend Score = score[-1]\r\n| where Score >= {PositiveAlertThreshold:value} or Score <= {NegativeAlertThreshold:value}\r\n| project Machine = _ResourceId, [\"Computer Name\"] = Computer, ['Source System'] = SourceSystem, expectedCounts=baseline[-1], actualCount=Trend[-1], Score = score[-1], Trend, Baseline = baseline",
"size": 0,
"showAnalytics": true,
"title": "Detections by machine",
"noDataMessage": "No anomalies found",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "AnomaliesTimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "expectedCounts",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "actualCount",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
},
{
"columnMatch": "Score",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"min": 0,
"palette": "blue"
}
},
{
"columnMatch": "Baseline",
"formatter": 21,
"formatOptions": {
"min": 0,
"palette": "turquoise"
}
},
{
"columnMatch": "score",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
}
],
"labelSettings": [
{
"columnId": "Machine"
},
{
"columnId": "expectedCounts",
"label": "Expected event count"
},
{
"columnId": "actualCount",
"label": "Actual event count"
},
{
"columnId": "Score"
},
{
"columnId": "Trend"
},
{
"columnId": "Baseline"
}
]
}
},
"showPin": true,
"name": "query - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "AnomaliesTab",
"comparison": "isEqualTo",
"value": "Syslog"
},
"name": "Syslog"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Azure activity anomalies",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureActivity\r\n| make-series Trend = count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} by _ResourceId, ResourceGroup\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Trend, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| where anomalies[-1] == 1 or anomalies[-1] == -1 \r\n| extend Score = score[-1]\r\n| where Score >= {PositiveAlertThreshold:value} or Score <= {NegativeAlertThreshold:value}\r\n| project ['Resource group'] = ResourceGroup, ['Resource'] = _ResourceId, expectedCounts=baseline[-1], actualCount=Trend[-1], Score = score[-1], Trend, Baseline = baseline",
"size": 0,
"showAnalytics": true,
"title": "Detections by resource - select a row to filter the graph",
"noDataMessage": "No anomalies found",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "AnomaliesTimeRange",
"exportFieldName": "Resource",
"exportParameterName": "ResourceID",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "expectedCounts",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "actualCount",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
},
{
"columnMatch": "Score",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"min": 0,
"palette": "blue"
}
},
{
"columnMatch": "Baseline",
"formatter": 21,
"formatOptions": {
"min": 0,
"palette": "turquoise"
}
},
{
"columnMatch": "score",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
}
],
"labelSettings": [
{
"columnId": "expectedCounts",
"label": "Expected event count"
},
{
"columnId": "actualCount",
"label": "Actual event count"
},
{
"columnId": "Score"
},
{
"columnId": "Trend"
},
{
"columnId": "Baseline"
}
]
}
},
"showPin": true,
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureActivity\r\n| where _ResourceId == '{ResourceID}' or '{ResourceID}' == \"All\"\r\n| make-series count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} \r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(count_, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| project-away anomalies, score\r\n| render timechart ",
"size": 0,
"showAnalytics": true,
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "AnomaliesTimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"showPin": true,
"name": "query - 0"
}
]
},
"conditionalVisibility": {
"parameterName": "AnomaliesTab",
"comparison": "isEqualTo",
"value": "AzureActivity"
},
"name": "AzureActivity"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Azure diagnostics anomalies",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| make-series Trend = count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} by ResourceType\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Trend, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| where anomalies[-1] == 1 or anomalies[-1] == -1 \r\n| extend Score = score[-1]\r\n| where Score >= {PositiveAlertThreshold:value} or Score <= {NegativeAlertThreshold:value}\r\n| project ['Resource type'] = ResourceType, expectedCounts=baseline[-1], actualCount=Trend[-1], Score = score[-1], Trend, Baseline = baseline",
"size": 0,
"showAnalytics": true,
"title": "Detections by resource type - select a row to filter the graph",
"noDataMessage": "No anomalies found",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "AnomaliesTimeRange",
"exportFieldName": "Resource type",
"exportParameterName": "ResourceType",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "expectedCounts",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "actualCount",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
},
{
"columnMatch": "Score",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"min": 0,
"palette": "blue"
}
},
{
"columnMatch": "Baseline",
"formatter": 21,
"formatOptions": {
"min": 0,
"palette": "turquoise"
}
},
{
"columnMatch": "score",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
}
],
"labelSettings": [
{
"columnId": "expectedCounts",
"label": "Expected event count"
},
{
"columnId": "actualCount",
"label": "Actual event count"
},
{
"columnId": "Score"
},
{
"columnId": "Trend"
},
{
"columnId": "Baseline"
}
]
}
},
"showPin": true,
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == '{ResourceType}' or 'All' == '{ResourceType}'\r\n| make-series count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} \r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(count_, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| project-away anomalies, score\r\n| render timechart ",
"size": 0,
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "AnomaliesTimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n| where ResourceType == '{ResourceType}'\r\n| make-series Trend = count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} by _ResourceId, ResourceType\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Trend, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| where anomalies[-1] == 1 or anomalies[-1] == -1 \r\n| extend Score = score[-1]\r\n| where Score >= {PositiveAlertThreshold:value} or Score <= {NegativeAlertThreshold:value}\r\n| project ['Resource'] = _ResourceId, ['Resource type'] = ResourceType, expectedCounts=baseline[-1], actualCount=Trend[-1], Score = score[-1], Trend, Baseline = baseline",
"size": 0,
"showAnalytics": true,
"title": "Detections by resource",
"noDataMessage": "No anomalies found",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "AnomaliesTimeRange",
"exportFieldName": "Resource type",
"exportParameterName": "ResourceType",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "expectedCounts",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "actualCount",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
},
{
"columnMatch": "Score",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"min": 0,
"palette": "blue"
}
},
{
"columnMatch": "Baseline",
"formatter": 21,
"formatOptions": {
"min": 0,
"palette": "turquoise"
}
},
{
"columnMatch": "score",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
}
],
"labelSettings": [
{
"columnId": "expectedCounts",
"label": "Expected event count"
},
{
"columnId": "actualCount",
"label": "Actual event count"
},
{
"columnId": "Score"
},
{
"columnId": "Trend"
},
{
"columnId": "Baseline"
}
]
}
},
"conditionalVisibility": {
"parameterName": "ResourceType",
"comparison": "isNotEqualTo",
"value": "All"
},
"showPin": true,
"name": "query - 1 - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "AnomaliesTab",
"comparison": "isEqualTo",
"value": "AzureDiagnostics"
},
"name": "AzureActivity - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Office activity anomalies",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OfficeActivity\r\n| make-series count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} \r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(count_, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| project-away anomalies, score\r\n| render timechart ",
"size": 0,
"showAnalytics": true,
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "AnomaliesTimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"showPin": true,
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OfficeActivity\r\n| make-series Trend = count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} by OfficeWorkload\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Trend, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| where anomalies[-1] == 1 or anomalies[-1] == -1 \r\n| extend Score = score[-1]\r\n| where Score >= {PositiveAlertThreshold:value} or Score <= {NegativeAlertThreshold:value}\r\n| project ['Office workload'] = OfficeWorkload, expectedCounts=baseline[-1], actualCount=Trend[-1], Score = score[-1], Trend, Baseline = baseline",
"size": 0,
"showAnalytics": true,
"title": "Detections by Office workload type",
"noDataMessage": "No anomalies found",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "AnomaliesTimeRange",
"exportFieldName": "OfficeWorkload",
"exportParameterName": "OfficeWorkload",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "expectedCounts",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "actualCount",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
},
{
"columnMatch": "Score",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"min": 0,
"palette": "blue"
}
},
{
"columnMatch": "Baseline",
"formatter": 21,
"formatOptions": {
"min": 0,
"palette": "turquoise"
}
},
{
"columnMatch": "score",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
}
],
"labelSettings": [
{
"columnId": "expectedCounts",
"label": "Expected event count"
},
{
"columnId": "actualCount",
"label": "Actual event count"
},
{
"columnId": "Score"
},
{
"columnId": "Trend"
},
{
"columnId": "Baseline"
}
]
}
},
"name": "query - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "AnomaliesTab",
"comparison": "isEqualTo",
"value": "OfficeActivity"
},
"name": "Office Activity"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "AWS CloudTrail anomalies",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AWSCloudTrail\r\n| make-series count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} \r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(count_, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| project-away anomalies, score\r\n| render timechart ",
"size": 0,
"showAnalytics": true,
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "AnomaliesTimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"showPin": true,
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AWSCloudTrail\r\n| make-series Trend = count() on TimeGenerated from {AnomaliesTimeRange:start} to {AnomaliesTimeRange:end} step {SampleInterval:value} by AWSRegion\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Trend, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| where anomalies[-1] == 1 or anomalies[-1] == -1 \r\n| extend Score = score[-1]\r\n| where Score >= {PositiveAlertThreshold:value} or Score <= {NegativeAlertThreshold:value}\r\n| project ['AWS region'] = AWSRegion, expectedCounts=baseline[-1], actualCount=Trend[-1], Score = score[-1], Trend, Baseline = baseline",
"size": 0,
"showAnalytics": true,
"title": "Detections by AWS region",
"noDataMessage": "No anomalies found",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "AnomaliesTimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "expectedCounts",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "actualCount",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
},
{
"columnMatch": "Score",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"min": 0,
"palette": "blue"
}
},
{
"columnMatch": "Baseline",
"formatter": 21,
"formatOptions": {
"min": 0,
"palette": "turquoise"
}
},
{
"columnMatch": "score",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
}
],
"labelSettings": [
{
"columnId": "expectedCounts",
"label": "Expected event count"
},
{
"columnId": "actualCount",
"label": "Actual event count"
},
{
"columnId": "Score"
},
{
"columnId": "Trend"
},
{
"columnId": "Baseline"
}
]
}
},
"showPin": true,
"name": "query - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "AnomaliesTab",
"comparison": "isEqualTo",
"value": "CloudTrail"
},
"name": "AWS CloudTrail"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "anomalies"
},
"name": "Data collection anomalies - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "# Agent information view"
},
"name": "text - 13"
},
{
"type": 1,
"content": {
"json": "### Make sure to select your machines' environment: \r\n- Azure managed machines - show statistics for Azure VMs or Azure Arc managed servers\r\n- All machines - show statistics for all machines, including non-Azure servers reporting via the Microsoft Monitoring Agent (MMA)"
},
"name": "text - 5"
},
{
"type": 1,
"content": {
"json": "#### This tab shows you information about the health of the Log Analytics agents installed on your various machines, whether Azure VM, other cloud VM, on-premises VM, or physical. You can see the following information:\r\n- Location\r\n- Heartbeat status\r\n- Available memory and disk space\r\n- Action audit\r\n\r\n### You can filter any of these displays by log type (table name) and by specific machines."
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 13 - Copy"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "4cfd60bb-7de0-46c1-9cae-7a933948bf8d",
"cellValue": "OnPrem",
"linkTarget": "parameter",
"linkLabel": "Azure managed machines",
"subTarget": "No",
"preText": "Azure VMs",
"style": "link"
},
{
"id": "d2fed116-caff-483f-bbad-ba07302f1777",
"cellValue": "OnPrem",
"linkTarget": "parameter",
"linkLabel": "All machines",
"subTarget": "Yes",
"style": "link"
}
]
},
"name": "links - 19"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "d2922a2e-e093-47eb-862f-50a647e3f30d",
"version": "KqlParameterItem/1.0",
"name": "TableName",
"label": "Table name filter",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "union withsource=_TableName *\r\n| summarize by _TableName",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "",
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "c6e118c5-f30b-4d06-a5a6-59645318df64",
"version": "KqlParameterItem/1.0",
"name": "VMfilter",
"label": "Machine name filter",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "union withsource=_TableName *\r\n| where _TableName in ({TableName})\r\n| where _ResourceId contains \"virtualmachines\"\r\n| where _ResourceId != \" \"\r\n| summarize by value = _ResourceId\r\n| extend label = extract(\".*/([^/]+)\",1, value) ",
"crossComponentResources": [
"{Workspace}"
],
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 11"
},
{
"type": 1,
"content": {
"json": "Select a location to filter the display below.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 15"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Heartbeat\r\n| where tolower(ResourceId) in ({VMfilter})\r\n| summarize dcount(Computer) by RemoteIPCountry, Computer",
"size": 0,
"title": "Computers' location",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "regionName",
"exportParameterName": "regionName",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "map",
"mapSettings": {
"locInfo": "CountryRegion",
"locInfoColumn": "RemoteIPCountry",
"sizeSettings": "dcount_Computer",
"sizeAggregation": "Sum",
"legendMetric": "dcount_Computer",
"legendAggregation": "Sum",
"itemColorSettings": {
"nodeColorField": "dcount_Computer",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "orangeBlue",
"heatmapMin": 0
}
}
},
"customWidth": "50",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Heartbeat\r\n| where tolower(ResourceId) in ({VMfilter})\r\n| where RemoteIPCountry == \"{regionName}\" or \"{regionName}\" == \"All\"\r\n| summarize AggregatedValue = dcount(Computer) by [\"OS\"]=iff(isempty(OSName), OSType, OSName)",
"size": 0,
"title": "Computer OS",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "OS",
"formatter": 1
},
"leftContent": {
"columnMatch": "AggregatedValue",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"name": "query - 9"
},
{
"type": 1,
"content": {
"json": "## Computer heartbeat tracking: {TimeRange}"
},
"name": "text - 11"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Subscription}"
],
"parameters": [
{
"id": "e0fb3c9a-f42f-4dfb-a86c-f4dd36584904",
"version": "KqlParameterItem/1.0",
"name": "UnhealthyCriteria",
"label": "Unhealthy definition",
"type": 2,
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[\r\n { \"value\":\"1m\", \"label\":\"1 minute without heartbeat\", \"selected\":false },\r\n { \"value\":\"5m\", \"label\":\"5 minutes without heartbeat\", \"selected\":false },\r\n { \"value\":\"30m\", \"label\":\"30 minutes without heartbeat\", \"selected\":false },\r\n { \"value\":\"1h\", \"label\":\"1 hour without heartbeat\", \"selected\":true },\r\n { \"value\":\"2h\", \"label\":\"2 hours without heartbeat\", \"selected\":false },\r\n { \"value\":\"8h\", \"label\":\"8 hours without heartbeat\", \"selected\":false },\r\n { \"value\":\"1d\", \"label\":\"1 day without heartbeat\", \"selected\":false },\r\n { \"value\":\"2d\", \"label\":\"2 days without heartbeat\", \"selected\":false },\r\n { \"value\":\"7d\", \"label\":\"7 days without heartbeat\", \"selected\":false }\r\n]",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"value": "30m"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 13"
},
{
"type": 1,
"content": {
"json": "Select a computer in the table to view its heartbeat and latency. End-to-end latency is measured by comparing the result of the **ingestion_time()** function with the value of the **TimeGenerated** property; agent latency compares the **_TimeReceived** property with **TimeGenerated**.",
"style": "info"
},
"name": "text - 15 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Heartbeat\r\n| where tolower(ResourceId) in ({VMfilter})\r\n| where TimeGenerated {TimeRange:query}\r\n| where RemoteIPCountry == \"{regionName}\" or \"{regionName}\" == \"All\"\r\n| summarize LastHeartbeat = max(TimeGenerated) by Computer\r\n| extend State = iff(LastHeartbeat < ago({UnhealthyCriteria}), 'Unhealthy', 'Healthy')\r\n| extend TimeFromNow = now() - LastHeartbeat\r\n| extend [\"TimeAgo\"] = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n| join (\r\nHeartbeat\r\n| where TimeGenerated {TimeRange:query}\r\n| extend Packed = pack_all()\r\n) on Computer\r\n| where TimeGenerated == LastHeartbeat\r\n| join (\r\nHeartbeat\r\n| where TimeGenerated {TimeRange:query}\r\n| make-series InternalTrend=iff(count() > 0, 1, 0) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {UnhealthyCriteria} by Computer\r\n| extend Trend=array_slice(InternalTrend, array_length(InternalTrend) - 30, array_length(InternalTrend)-1)\r\n| extend (s_min, s_minId, s_max, s_maxId, s_avg, s_var, s_stdev) = series_stats(Trend)\r\n| project Computer, Trend, s_avg\r\n) on Computer\r\n| order by State, s_avg asc, TimeAgo\r\n| project [\"_ComputerName_\"] = Computer, [\"Computer\"]=strcat('🖥️ ', Computer), State, [\"Environment\"] = iff(ComputerEnvironment == \"Azure\", ComputerEnvironment, Category), [\"OS\"]=iff(isempty(OSName), OSType, OSName), [\"Azure Resource\"]=ResourceId, [\"Time\"]=strcat('🕒 ', TimeAgo), [\"Heartbeat Trend\"]=Trend, [\"Details\"]=Packed, [\"Computer Region\"] = RemoteIPCountry",
"size": 0,
"showAnalytics": true,
"title": "{TimeRange:label}: all agent heartbeat data",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "_ComputerName_",
"exportParameterName": "ComputerName",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "_ComputerName_",
"formatter": 5
},
{
"columnMatch": "Computer",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "State",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Healthy",
"representation": "Available",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Unhealthy",
"representation": "warning",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": null,
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Environment",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Azure",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Direct Agent",
"representation": "magenta",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "SCOM Agent",
"representation": "purple",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "SCOM Management Server",
"representation": "gray",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Heartbeat Trend",
"formatter": 10,
"formatOptions": {
"palette": "redGreen"
}
},
{
"columnMatch": "Details",
"formatter": 5
}
],
"filter": true,
"sortBy": [
{
"itemKey": "$gen_thresholds_State_2",
"sortOrder": 2
}
],
"labelSettings": [
{
"columnId": "_ComputerName_"
},
{
"columnId": "Computer"
},
{
"columnId": "State",
"label": "Health status"
},
{
"columnId": "Environment"
},
{
"columnId": "OS"
},
{
"columnId": "Azure Resource",
"label": "Azure resource"
},
{
"columnId": "Time",
"label": "Time of last heartbeat"
},
{
"columnId": "Heartbeat Trend",
"label": "Heartbeat history"
},
{
"columnId": "Details"
},
{
"columnId": "Computer Region",
"label": "Computer region"
}
]
},
"sortBy": [
{
"itemKey": "$gen_thresholds_State_2",
"sortOrder": 2
}
]
},
"showPin": true,
"name": "query - 16"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Heartbeat \r\n| where Computer startswith \"{ComputerName}\"\r\n| summarize ['Heartbeats per hour'] = count() by bin(TimeGenerated,1h) ",
"size": 0,
"title": "Heartbeats per hour: {ComputerName}",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "categoricalbar",
"chartSettings": {
"showLegend": true
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "ComputerName",
"comparison": "isNotEqualTo",
"value": "All"
},
"name": "query - 13"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Heartbeat \r\n| where Computer startswith \"{ComputerName}\"\r\n| extend E2EIngestionLatency = todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated))/60 \r\n| extend AgentLatency = todouble(datetime_diff(\"Second\",_TimeReceived,TimeGenerated))/60 \r\n| summarize avg(E2EIngestionLatency),avg(AgentLatency) by bin(TimeGenerated,1h) \r\n| project TimeGenerated, ['End-to-end latency'] = avg_E2EIngestionLatency, ['Agent Latency'] = avg_AgentLatency\r\n",
"size": 0,
"title": "Average heartbeat latency: {ComputerName}",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "timechart",
"gridSettings": {
"formatters": [
{
"columnMatch": "avgE2E",
"formatter": 0,
"formatOptions": {
"showIcon": true
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
}
]
},
"tileSettings": {
"showBorder": false
},
"chartSettings": {
"showLegend": true,
"ySettings": {
"unit": 24,
"min": null,
"max": null
}
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "ComputerName",
"comparison": "isNotEqualTo",
"value": "All"
},
"name": "query - 14"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Operation\r\n| where tolower(_ResourceId) in ({VMfilter})\r\n| where Computer != \"\" and Computer == \"{ComputerName}\" or \"{ComputerName}\" == \"All\"\r\n| summarize Failers = countif(OperationStatus == \"Failed\" or OperationStatus == \"Failure\"), Errors = countif(OperationStatus == \"Error\"), Warnings = countif(OperationStatus == \"Warning\") by Computer\r\n| order by Failers, Errors, Warnings",
"size": 0,
"title": "Operation status",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Computer",
"exportParameterName": "SelectedComputer",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Failers",
"formatter": 8,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "Errors",
"formatter": 8,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "Warnings",
"formatter": 8,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "OperationStatus",
"formatter": 0,
"formatOptions": {
"aggregation": "Count"
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {
"aggregation": "Sum"
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "Computer"
},
{
"columnId": "Failers",
"label": "Failures"
},
{
"columnId": "Errors"
},
{
"columnId": "Warnings"
}
]
},
"chartSettings": {
"showLegend": true
}
},
"customWidth": "50",
"name": "query - 13 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Operation\r\n| where tolower(_ResourceId) in ({VMfilter})\r\n| where Computer != \"\" and Computer startswith \"{ComputerName}\" or \"{ComputerName}\" == \"All\"\r\n| where Computer == \"{SelectedComputer}\" or \"{SelectedComputer}\" == \"All\"\r\n| summarize count() by OperationStatus, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "Operation status over time for computer: {SelectedComputer}",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "areachart",
"gridSettings": {
"formatters": [
{
"columnMatch": "Failers",
"formatter": 8,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "Errors",
"formatter": 8,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "Warnings",
"formatter": 8,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "OperationStatus",
"formatter": 0,
"formatOptions": {
"aggregation": "Count"
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {
"aggregation": "Sum"
}
}
],
"filter": true
},
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Warning",
"color": "orange"
},
{
"seriesName": "Error",
"color": "grayBlue"
},
{
"seriesName": "Succeeded",
"color": "lightBlue"
},
{
"seriesName": "Failed",
"label": "Failure",
"color": "magenta"
},
{
"seriesName": "Success",
"label": "Succeeded",
"color": "lightBlue"
},
{
"seriesName": "Failure",
"color": "magenta"
}
]
}
},
"customWidth": "50",
"name": "query - 13 - Copy - Copy"
},
{
"type": 1,
"content": {
"json": "---\r\n\r\n## Computer and agent activity status\r\nBased on the Log Analytics **Operation** table"
},
"name": "text - 15 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Operation\r\n| where tolower(_ResourceId) in ({VMfilter})\r\n| where Computer != \"\" and Computer startswith \"{ComputerName}\" or \"{ComputerName}\" == \"All\"\r\n| where Computer == \"{SelectedComputer}\" or \"{SelectedComputer}\" == \"All\"\r\n| project TimeGenerated, Computer, OperationStatus, OperationCategory, Detail, Solution\r\n| order by TimeGenerated",
"size": 0,
"showAnalytics": true,
"title": "Full operation details for the selected time: {TimeBrush:label}",
"timeContext": {
"durationMs": 604800000,
"endTime": "2020-11-02T09:00:00.000Z"
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "OperationStatus",
"formatter": 0,
"formatOptions": {
"aggregation": "Count"
}
},
{
"columnMatch": "Failers",
"formatter": 8,
"formatOptions": {
"palette": "coldHot"
}
},
{
"columnMatch": "Errors",
"formatter": 8,
"formatOptions": {
"palette": "coldHot"
}
},
{
"columnMatch": "Warnings",
"formatter": 8,
"formatOptions": {
"palette": "coldHot"
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {
"aggregation": "Sum"
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "TimeGenerated",
"label": "Time generated"
},
{
"columnId": "Computer"
},
{
"columnId": "OperationStatus",
"label": "Activity status"
},
{
"columnId": "OperationCategory",
"label": "Activity category"
},
{
"columnId": "Detail"
},
{
"columnId": "Solution"
}
]
},
"chartSettings": {
"showLegend": true
}
},
"showPin": true,
"name": "query - 13 - Copy - Copy"
},
{
"type": 1,
"content": {
"json": "---\r\n\r\n## Machine resources status"
},
"name": "text - 15"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Perf\r\n| where tolower(_ResourceId) in ({VMfilter})\r\n| where Computer != \"\" and Computer == \"{ComputerName}\" or \"{ComputerName}\" == \"All\"\r\n//| where TimeGenerated > ago(1h)\r\n| where ObjectName == \"Memory\" and\r\n(CounterName == \"Available MBytes Memory\" or // the name used in Linux records\r\nCounterName == \"Available MBytes\") // the name used in Windows records\r\n| project TimeGenerated, CounterName, CounterValue, Computer\r\n| make-series Trend = avg(CounterValue) default = 0 on TimeGenerated from ago(30d) to now() step 1d by Computer\r\n| project Computer, [\"Current Available Space MBytes\"] = todouble(Trend[-1]), Trend\r\n| order by [\"Current Available Space MBytes\"] asc\r\n",
"size": 0,
"title": "Available memory in MB",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Current Available Space MBytes",
"formatter": 8,
"formatOptions": {
"palette": "turquoise"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Trend",
"formatter": 21,
"formatOptions": {
"min": 0,
"palette": "blue"
}
}
],
"sortBy": [
{
"itemKey": "$gen_heatmap_Current Available Space MBytes_1",
"sortOrder": 1
}
],
"labelSettings": [
{
"columnId": "Computer"
},
{
"columnId": "Current Available Space MBytes",
"label": "Current available memory (MB)"
},
{
"columnId": "Trend"
}
]
},
"sortBy": [
{
"itemKey": "$gen_heatmap_Current Available Space MBytes_1",
"sortOrder": 1
}
]
},
"customWidth": "50",
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Perf\r\n| where tolower(_ResourceId) in ({VMfilter})\r\n| where Computer != \"\" and Computer == \"{ComputerName}\" or \"{ComputerName}\" == \"All\"\r\n//| where TimeGenerated > ago(1h)\r\n| where ObjectName == \"LogicalDisk\" or // the object name used in Windows records\r\nObjectName == \"Logical Disk\" // the object name used in Linux records\r\n| where CounterName == \"Free Megabytes\"\r\n| project TimeGenerated, CounterName, CounterValue, Computer, InstanceName\r\n| make-series Trend = avg(CounterValue) default = 0 on TimeGenerated from ago(30d) to now() step 1d by Computer, InstanceName\r\n| project Computer, [\"Current Available Space MBytes\"] = todouble(Trend[-1]), Trend, InstanceName\r\n| order by [\"Current Available Space MBytes\"] asc\r\n",
"size": 0,
"title": "Available disk / filesystem space in MB",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Computer",
"formatter": 5
},
{
"columnMatch": "Current Available Space MBytes",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "green",
"aggregation": "Sum"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Trend",
"formatter": 21,
"formatOptions": {
"min": 0,
"palette": "blue",
"aggregation": "Sum"
}
}
],
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"Computer"
]
},
"sortBy": [
{
"itemKey": "$gen_heatmap_Current Available Space MBytes_2",
"sortOrder": 1
}
],
"labelSettings": [
{
"columnId": "Computer"
},
{
"columnId": "Current Available Space MBytes",
"label": "Current available disk space (MB)"
},
{
"columnId": "Trend"
},
{
"columnId": "InstanceName",
"label": "Disk / filesystem"
}
]
},
"sortBy": [
{
"itemKey": "$gen_heatmap_Current Available Space MBytes_2",
"sortOrder": 1
}
]
},
"customWidth": "50",
"name": "query - 10 - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "OnPrem",
"comparison": "isEqualTo",
"value": "No"
},
"name": "Azure VMs"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "d2922a2e-e093-47eb-862f-50a647e3f30d",
"version": "KqlParameterItem/1.0",
"name": "TableName",
"label": "Table name filter",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "union withsource= _TableName *\r\n| where Computer != \"\"\r\n| summarize by [\"Table name\"] = _TableName",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "",
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "c6e118c5-f30b-4d06-a5a6-59645318df64",
"version": "KqlParameterItem/1.0",
"name": "VMfilter",
"label": "Machine name filter",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "union withsource= _TableName *\r\n| where _TableName in ({TableName})\r\n| where Computer != \"\"\r\n| summarize by value = Computer\r\n| extend label = value",
"crossComponentResources": [
"{Workspace}"
],
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 11"
},
{
"type": 1,
"content": {
"json": "Select a location on the map to filter the items shown below.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 15"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Heartbeat\r\n| where Computer in ({VMfilter})\r\n| summarize dcount(Computer) by RemoteIPCountry, Computer",
"size": 0,
"title": "Computers' location",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "regionName",
"exportParameterName": "regionName",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "map",
"mapSettings": {
"locInfo": "CountryRegion",
"locInfoColumn": "RemoteIPCountry",
"sizeSettings": "dcount_Computer",
"sizeAggregation": "Sum",
"legendMetric": "dcount_Computer",
"legendAggregation": "Sum",
"itemColorSettings": {
"nodeColorField": "dcount_Computer",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "orangeBlue",
"heatmapMin": 0
}
}
},
"customWidth": "50",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Heartbeat\r\n| where Computer in ({VMfilter})\r\n| where RemoteIPCountry == \"{regionName}\" or \"{regionName}\" == \"All\"\r\n| summarize AggregatedValue = dcount(Computer) by [\"OS\"]=iff(isempty(OSName), OSType, OSName)",
"size": 0,
"title": "Computer OS",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "OS",
"formatter": 1
},
"leftContent": {
"columnMatch": "AggregatedValue",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"name": "query - 9"
},
{
"type": 1,
"content": {
"json": "## Computer heartbeat tracking: {TimeRange}"
},
"name": "text - 11"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Subscription}"
],
"parameters": [
{
"id": "e0fb3c9a-f42f-4dfb-a86c-f4dd36584904",
"version": "KqlParameterItem/1.0",
"name": "UnhealthyCriteria",
"label": "Unhealthy definition",
"type": 2,
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[\r\n { \"value\":\"1m\", \"label\":\"1 minute without heartbeat\", \"selected\":false },\r\n { \"value\":\"5m\", \"label\":\"5 minutes without heartbeat\", \"selected\":false },\r\n { \"value\":\"30m\", \"label\":\"30 minutes without heartbeat\", \"selected\":false },\r\n { \"value\":\"1h\", \"label\":\"1 hour without heartbeat\", \"selected\":true },\r\n { \"value\":\"2h\", \"label\":\"2 hours without heartbeat\", \"selected\":false },\r\n { \"value\":\"8h\", \"label\":\"8 hours without heartbeat\", \"selected\":false },\r\n { \"value\":\"1d\", \"label\":\"1 day without heartbeat\", \"selected\":false },\r\n { \"value\":\"2d\", \"label\":\"2 days without heartbeat\", \"selected\":false },\r\n { \"value\":\"7d\", \"label\":\"7 days without heartbeat\", \"selected\":false }\r\n]",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"value": "30m"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 13"
},
{
"type": 1,
"content": {
"json": "Select a computer in the table to view its heartbeat and latency. End-to-end latency is measured by comparing the result of the **ingestion_time()** function with the value of the **TimeGenerated** property; agent latency compares the **_TimeReceived** property with **TimeGenerated**.",
"style": "info"
},
"name": "text - 15 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Heartbeat\r\n| where Computer in ({VMfilter})\r\n| where TimeGenerated {TimeRange:query}\r\n| where RemoteIPCountry == \"{regionName}\" or \"{regionName}\" == \"All\"\r\n| summarize LastHeartbeat = max(TimeGenerated) by Computer\r\n| extend State = iff(LastHeartbeat < ago({UnhealthyCriteria}), 'Unhealthy', 'Healthy')\r\n| extend TimeFromNow = now() - LastHeartbeat\r\n| extend [\"TimeAgo\"] = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n| join (\r\nHeartbeat\r\n| where TimeGenerated {TimeRange:query}\r\n| extend Packed = pack_all()\r\n) on Computer\r\n| where TimeGenerated == LastHeartbeat\r\n| join (\r\nHeartbeat\r\n| where TimeGenerated {TimeRange:query}\r\n| make-series InternalTrend=iff(count() > 0, 1, 0) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {UnhealthyCriteria} by Computer\r\n| extend Trend=array_slice(InternalTrend, array_length(InternalTrend) - 30, array_length(InternalTrend)-1)\r\n| extend (s_min, s_minId, s_max, s_maxId, s_avg, s_var, s_stdev) = series_stats(Trend)\r\n| project Computer, Trend, s_avg\r\n) on Computer\r\n| order by State, s_avg asc, TimeAgo\r\n| project [\"_ComputerName_\"] = Computer, [\"Computer\"]=strcat('🖥️ ', Computer), State, [\"Environment\"] = iff(ComputerEnvironment == \"Azure\", ComputerEnvironment, Category), [\"OS\"]=iff(isempty(OSName), OSType, OSName), [\"Azure Resource\"]=ResourceId, [\"Time\"]=strcat('🕒 ', TimeAgo), [\"Heartbeat Trend\"]=Trend, [\"Details\"]=Packed, [\"Computer Region\"] = RemoteIPCountry",
"size": 0,
"showAnalytics": true,
"title": "{TimeRange:label}: all agent heartbeat data",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "_ComputerName_",
"exportParameterName": "ComputerName",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "_ComputerName_",
"formatter": 5
},
{
"columnMatch": "Computer",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "State",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Healthy",
"representation": "Available",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Unhealthy",
"representation": "warning",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": null,
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Environment",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Azure",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Direct Agent",
"representation": "magenta",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "SCOM Agent",
"representation": "purple",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "SCOM Management Server",
"representation": "gray",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "Heartbeat Trend",
"formatter": 10,
"formatOptions": {
"palette": "redGreen"
}
},
{
"columnMatch": "Details",
"formatter": 5
}
],
"filter": true,
"sortBy": [
{
"itemKey": "$gen_thresholds_State_2",
"sortOrder": 2
}
],
"labelSettings": [
{
"columnId": "_ComputerName_"
},
{
"columnId": "Computer"
},
{
"columnId": "State",
"label": "Health status"
},
{
"columnId": "Environment"
},
{
"columnId": "OS"
},
{
"columnId": "Azure Resource",
"label": "Azure resource"
},
{
"columnId": "Time",
"label": "Time of last heartbeat"
},
{
"columnId": "Heartbeat Trend",
"label": "Heartbeat history"
},
{
"columnId": "Details"
},
{
"columnId": "Computer Region",
"label": "Computer region"
}
]
},
"sortBy": [
{
"itemKey": "$gen_thresholds_State_2",
"sortOrder": 2
}
]
},
"showPin": true,
"name": "query - 16"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Heartbeat \r\n| where Computer startswith \"{ComputerName}\"\r\n| summarize ['Heartbeats per hour'] = count() by bin(TimeGenerated,1h) ",
"size": 0,
"title": "Heartbeats per hour: {ComputerName}",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "categoricalbar",
"chartSettings": {
"showLegend": true
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "ComputerName",
"comparison": "isNotEqualTo",
"value": "All"
},
"name": "query - 13"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Heartbeat \r\n| where Computer startswith \"{ComputerName}\"\r\n| extend E2EIngestionLatency = todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated))/60 \r\n| extend AgentLatency = todouble(datetime_diff(\"Second\",_TimeReceived,TimeGenerated))/60 \r\n| summarize avg(E2EIngestionLatency),avg(AgentLatency) by bin(TimeGenerated,1h) \r\n| project TimeGenerated, ['End-to-end latency'] = avg_E2EIngestionLatency, ['Agent Latency'] = avg_AgentLatency\r\n",
"size": 0,
"title": "Average heartbeat latency: {ComputerName}",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "timechart",
"gridSettings": {
"formatters": [
{
"columnMatch": "avgE2E",
"formatter": 0,
"formatOptions": {
"showIcon": true
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
}
]
},
"tileSettings": {
"showBorder": false
},
"chartSettings": {
"showLegend": true,
"ySettings": {
"unit": 24,
"min": null,
"max": null
}
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "ComputerName",
"comparison": "isNotEqualTo",
"value": "All"
},
"name": "query - 14"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Operation\r\n| where Computer in ({VMfilter})\r\n| where Computer != \"\" and Computer == \"{ComputerName}\" or \"{ComputerName}\" == \"All\"\r\n| summarize Failers = countif(OperationStatus == \"Failed\" or OperationStatus == \"Failure\"), Errors = countif(OperationStatus == \"Error\"), Warnings = countif(OperationStatus == \"Warning\") by Computer\r\n| order by Failers, Errors, Warnings",
"size": 0,
"title": "Operation status",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Computer",
"exportParameterName": "SelectedComputer",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Failers",
"formatter": 8,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "Errors",
"formatter": 8,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "Warnings",
"formatter": 8,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "OperationStatus",
"formatter": 0,
"formatOptions": {
"aggregation": "Count"
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {
"aggregation": "Sum"
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "Computer"
},
{
"columnId": "Failers",
"label": "Failures"
},
{
"columnId": "Errors"
},
{
"columnId": "Warnings"
}
]
},
"chartSettings": {
"showLegend": true
}
},
"customWidth": "50",
"name": "query - 13 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Operation\r\n| where Computer in ({VMfilter})\r\n| where Computer != \"\" and Computer startswith \"{ComputerName}\" or \"{ComputerName}\" == \"All\"\r\n| where Computer == \"{SelectedComputer}\" or \"{SelectedComputer}\" == \"All\"\r\n| summarize count() by OperationStatus, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "Operation status over time for computer: {SelectedComputer}",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "areachart",
"gridSettings": {
"formatters": [
{
"columnMatch": "Failers",
"formatter": 8,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "Errors",
"formatter": 8,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "Warnings",
"formatter": 8,
"formatOptions": {
"palette": "purple"
}
},
{
"columnMatch": "OperationStatus",
"formatter": 0,
"formatOptions": {
"aggregation": "Count"
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {
"aggregation": "Sum"
}
}
],
"filter": true
},
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Warning",
"color": "orange"
},
{
"seriesName": "Error",
"color": "grayBlue"
},
{
"seriesName": "Succeeded",
"color": "lightBlue"
},
{
"seriesName": "Failed",
"label": "Failure",
"color": "magenta"
},
{
"seriesName": "Success",
"label": "Succeeded",
"color": "lightBlue"
},
{
"seriesName": "Failure",
"color": "magenta"
}
]
}
},
"customWidth": "50",
"name": "query - 13 - Copy - Copy"
},
{
"type": 1,
"content": {
"json": "---\r\n\r\n## Computer and agent activity status\r\nBased on the Log Analytics **Operation** table"
},
"name": "text - 15 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Operation\r\n| where Computer in ({VMfilter})\r\n| where Computer != \"\" and Computer startswith \"{ComputerName}\" or \"{ComputerName}\" == \"All\"\r\n| where Computer == \"{SelectedComputer}\" or \"{SelectedComputer}\" == \"All\"\r\n| project TimeGenerated, Computer, OperationStatus, OperationCategory, Detail, Solution\r\n| order by TimeGenerated",
"size": 0,
"showAnalytics": true,
"title": "Full operation details for the selected time: {TimeBrush:label}",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "OperationStatus",
"formatter": 0,
"formatOptions": {
"aggregation": "Count"
}
},
{
"columnMatch": "Failers",
"formatter": 8,
"formatOptions": {
"palette": "coldHot"
}
},
{
"columnMatch": "Errors",
"formatter": 8,
"formatOptions": {
"palette": "coldHot"
}
},
{
"columnMatch": "Warnings",
"formatter": 8,
"formatOptions": {
"palette": "coldHot"
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {
"aggregation": "Sum"
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "TimeGenerated",
"label": "Time generated"
},
{
"columnId": "Computer"
},
{
"columnId": "OperationStatus",
"label": "Activity status"
},
{
"columnId": "OperationCategory",
"label": "Activity category"
},
{
"columnId": "Detail"
},
{
"columnId": "Solution"
}
]
},
"chartSettings": {
"showLegend": true
}
},
"showPin": true,
"name": "query - 13 - Copy - Copy"
},
{
"type": 1,
"content": {
"json": "---\r\n\r\n## Machine resources status"
},
"name": "text - 15"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Perf\r\n| where Computer in ({VMfilter})\r\n| where Computer != \"\" and Computer == \"{ComputerName}\" or \"{ComputerName}\" == \"All\"\r\n//| where TimeGenerated > ago(1h)\r\n| where ObjectName == \"Memory\" and\r\n(CounterName == \"Available MBytes Memory\" or // the name used in Linux records\r\nCounterName == \"Available MBytes\") // the name used in Windows records\r\n| project TimeGenerated, CounterName, CounterValue, Computer\r\n| make-series Trend = avg(CounterValue) default = 0 on TimeGenerated from ago(30d) to now() step 1d by Computer\r\n| project Computer, [\"Current Available Space MBytes\"] = todouble(Trend[-1]), Trend\r\n| order by [\"Current Available Space MBytes\"] asc\r\n",
"size": 0,
"title": "Available memory in MB",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Current Available Space MBytes",
"formatter": 8,
"formatOptions": {
"palette": "turquoise"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Trend",
"formatter": 21,
"formatOptions": {
"min": 0,
"palette": "blue"
}
}
],
"sortBy": [
{
"itemKey": "$gen_heatmap_Current Available Space MBytes_1",
"sortOrder": 1
}
],
"labelSettings": [
{
"columnId": "Computer"
},
{
"columnId": "Current Available Space MBytes",
"label": "Current available memory (MB)"
},
{
"columnId": "Trend"
}
]
},
"sortBy": [
{
"itemKey": "$gen_heatmap_Current Available Space MBytes_1",
"sortOrder": 1
}
]
},
"customWidth": "50",
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Perf\r\n| where Computer in ({VMfilter})\r\n| where Computer != \"\" and Computer == \"{ComputerName}\" or \"{ComputerName}\" == \"All\"\r\n//| where TimeGenerated > ago(1h)\r\n| where ObjectName == \"LogicalDisk\" or // the object name used in Windows records\r\nObjectName == \"Logical Disk\" // the object name used in Linux records\r\n| where CounterName == \"Free Megabytes\"\r\n| project TimeGenerated, CounterName, CounterValue, Computer, InstanceName\r\n| make-series Trend = avg(CounterValue) default = 0 on TimeGenerated from ago(30d) to now() step 1d by Computer, InstanceName\r\n| project Computer, [\"Current Available Space MBytes\"] = todouble(Trend[-1]), Trend, InstanceName\r\n| order by [\"Current Available Space MBytes\"] asc\r\n",
"size": 0,
"title": "Available disk / filesystem space in MB",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Computer",
"formatter": 5
},
{
"columnMatch": "Current Available Space MBytes",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "green",
"aggregation": "Sum"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Trend",
"formatter": 21,
"formatOptions": {
"min": 0,
"palette": "blue",
"aggregation": "Sum"
}
}
],
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"Computer"
]
},
"sortBy": [
{
"itemKey": "$gen_heatmap_Current Available Space MBytes_2",
"sortOrder": 1
}
],
"labelSettings": [
{
"columnId": "Computer"
},
{
"columnId": "Current Available Space MBytes",
"label": "Current available disk space (MB)"
},
{
"columnId": "Trend"
},
{
"columnId": "InstanceName",
"label": "Disk / filesystem"
}
]
},
"sortBy": [
{
"itemKey": "$gen_heatmap_Current Available Space MBytes_2",
"sortOrder": 1
}
]
},
"customWidth": "50",
"name": "query - 10 - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "OnPrem",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "All machines"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "agents"
},
"name": "Agents info"
}
],
"fromTemplateId": "Data-collection-health-monitoring",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}