Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/IncidentOverview.json

1391 строка
61 KiB
JSON
Исходник Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "# Incident Overview"
},
"customWidth": "35",
"name": "Headline"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "9a199167-2dde-49dd-8f01-23e9d1fa8151",
"version": "KqlParameterItem/1.0",
"name": "InternalWSs",
"type": 1,
"isRequired": true,
"query": "SecurityIncident\r\n| take 1\r\n| parse IncidentUrl with * \"/workspaces/\" Workspace \"/\" *\r\n| project Workspace",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "7806fefd-432f-4828-9756-8c0be5c08d07",
"version": "KqlParameterItem/1.0",
"name": "InternalSub",
"type": 1,
"isRequired": true,
"query": "SecurityIncident\r\n| take 1\r\n| parse IncidentUrl with * \"/subscriptions/\" subscriptions \"/\" *\r\n| project subscriptions",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "55d3ab63-6e1f-4d02-8d9e-2225526689c7",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"isRequired": true,
"query": "summarize by subscriptionId\r\n| project subscriptionId, Subscription=strcat(\"/subscriptions/\", subscriptionId)\r\n| extend selected = iff(subscriptionId =~ '{InternalSub}', true, false)\r\n",
"crossComponentResources": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": ""
},
{
"id": "95a45501-31b5-4ea2-bcb3-eb208e0080e2",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "//resources | where type =~ 'Microsoft.operationsmanagement/solutions' | where name contains //'SecurityInsights' | project id //= tostring(properties.workspaceResourceId)\r\n\r\nwhere type =~ 'microsoft.operationalinsights/workspaces'\r\n| project value =id, label = name, selected = iff(name =~ '{InternalWSs}', true, false)\r\n\r\n\r\n",
"crossComponentResources": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "7d597ad7-4a2a-45ed-a4fe-7ee32de0fc22",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"label": "Incident Creation Time",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2592000000
}
],
"allowCustom": true
}
},
{
"id": "3a87d4f7-42cc-4c62-b543-6b5d9ab8cf27",
"version": "KqlParameterItem/1.0",
"name": "Severity",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SecurityIncident\r\n| summarize Count = count(IncidentNumber) by Severity\r\n| project Value = Severity, Label = strcat(Severity, \": \", Count)",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "*"
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "81085d3a-5aca-488e-b7c6-ecf1167e59f7",
"version": "KqlParameterItem/1.0",
"name": "Tactics",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SecurityIncident\r\n| extend Tactics = todynamic(AdditionalData.tactics)\r\n| mv-expand Tactics to typeof(string)\r\n| summarize Count=count(IncidentNumber) by Tactics\r\n| project Value = Tactics, Label = strcat(Tactics, \": \", Count)",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "*"
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "0f9efb0d-ac34-41d0-8a19-165840eb2a71",
"version": "KqlParameterItem/1.0",
"name": "Owner",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SecurityIncident\r\n| extend owner = tostring(Owner.assignedTo) \r\n| summarize Count=count(IncidentNumber) by Owner= case(owner==\"\", \"Unassigned\",owner)\r\n| project Value = Owner, Label = strcat(Owner, \": \", Count)",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "*"
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "cf86113b-59ad-4fc9-aeb7-9b44e230641e",
"version": "KqlParameterItem/1.0",
"name": "Product",
"label": "Product Name",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SecurityIncident\r\n| extend Product = tostring(parse_json(tostring(AdditionalData.alertProductNames))[0]) \r\n| summarize Count=count(IncidentNumber) by Product\r\n| project Value = Product, Label = strcat(Product, \": \", Count)\r\n",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "*"
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "1fea48e7-99b2-4664-8eb6-bd35fc4efaf0",
"version": "KqlParameterItem/1.0",
"name": "resourceGroup",
"type": 1,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| where id == \"{Workspace:lable}\"\r\n| project resourceGroup",
"crossComponentResources": [
"{Subscription}"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "2908f26a-6238-43ed-9aa0-546c9041d918",
"version": "KqlParameterItem/1.0",
"name": "Help",
"label": "Show Help",
"type": 10,
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[{ \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true }]",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "100",
"name": "parameters - 6"
},
{
"type": 1,
"content": {
"json": "The Incident Overview workbook is designed to assist in triaging and investigation by providing in-depth information about the incident, including:\r\n* General information\r\n* Entity data\r\n* Triage time (time between incident creation and first response)\r\n* Mitigation time (time between incident creation and closing)\r\n* Comments\r\n* Remediation information from the Alerts or from a Watchlist - setup readme: https://github.com/Azure/Azure-Sentinel/wiki/SOC-Process-Framework\r\n\r\nCustomize this workbook by saving and editing it. \r\nYou can reach this workbook template from the incidents panel as well. Once you have customized it, the link from the incident panel will open the customized workbook instead of the template.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"customWidth": "100",
"name": "Info"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "9aec751b-07bd-43ba-80b9-f711887dce45",
"version": "KqlParameterItem/1.0",
"name": "IncidentNumber",
"label": "Incident Number",
"type": 1,
"isRequired": true,
"value": "",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange"
},
{
"id": "9ef1a34d-5c8e-42ad-b1d7-1353e0091060",
"version": "KqlParameterItem/1.0",
"name": "testRemediation",
"type": 1,
"isRequired": true,
"query": "SecurityIncident\r\n| where IncidentNumber == '{IncidentNumber:value}' \r\n| summarize arg_max(LastModifiedTime,*) by tostring(IncidentNumber)\r\n| extend Alerts = extract(\"\\\\[(.*?)\\\\]\", 1, tostring(AlertIds))\r\n| mv-expand AlertIds to typeof(string)\r\n| join \r\n(\r\n SecurityAlert\r\n | extend Remediation_ = parse_json(RemediationSteps)\r\n | mv-expand Remediation_\r\n) on $left.AlertIds == $right.SystemAlertId\r\n| summarize Remediation=make_set(tostring(Remediation_)) by IncidentNumber, Title, Severity\r\n| mv-expand Remediation to typeof(string)\r\n| project value=iif(isempty(Remediation),'0','1')",
"crossComponentResources": [
"{Workspace}"
],
"isHiddenWhenLocked": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "e5d4131c-43a9-4f92-87c9-dbf647530c9c",
"version": "KqlParameterItem/1.0",
"name": "watchListExists",
"type": 1,
"isRequired": true,
"query": "_GetWatchlist('SocRA')\r\n| limit 1",
"crossComponentResources": [
"{Workspace}"
],
"isHiddenWhenLocked": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "parameters - 6 - Copy"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "f978edb2-9886-4bff-8e12-8280800321c3",
"version": "KqlParameterItem/1.0",
"name": "IncidentID",
"label": "Incident Name",
"type": 1,
"query": "SecurityIncident\r\n| where IncidentNumber == {IncidentNumber}\r\n| take 1\r\n| project IncidentName\r\n",
"crossComponentResources": [
"{Workspace}"
],
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "3b8e6cdd-4578-49cb-a515-1f9dec104fd7",
"version": "KqlParameterItem/1.0",
"name": "RuleId",
"label": "Rule Id",
"type": 1,
"query": "SecurityIncident\r\n| where IncidentNumber == {IncidentNumber}\r\n| summarize arg_max(TimeGenerated, RelatedAnalyticRuleIds) by IncidentNumber\r\n| project RelatedAnalyticRuleIds",
"crossComponentResources": [
"{Workspace}"
],
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "IncidentNumber",
"comparison": "isEqualTo",
"value": "e"
},
"customWidth": "50",
"name": "Invisible parameters"
},
{
"type": 1,
"content": {
"json": "## General Incident Information "
},
"customWidth": "67",
"name": "Headline - general info"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let incidentNumberToCheck = '{IncidentNumber}';\r\nlet incidentWithNoAlertsQuery = SecurityIncident\r\n| where IncidentNumber == incidentNumberToCheck\r\n| summarize arg_max(TimeGenerated,CreatedTime,Status, Severity, Owner, AdditionalData, IncidentUrl, Comments, Classification,ClassificationReason, ClassificationComment,Labels, Title, AlertIds) by IncidentNumber\r\n| where array_length(AlertIds) == 0\r\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\r\n| extend Tactics = todynamic(AdditionalData.tactics)\r\n| extend Owner = todynamic(Owner.assignedTo), IncidentCreated = format_datetime(CreatedTime,'yy-MM-dd HH:mm')\r\n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\r\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0]))\r\n| where Product in ({Product}) or '{Product:label}' == \"All\"\r\n| extend Tags = extract_all('labelName\":\"(.*?)\"',tostring(Labels))\r\n| extend Owner = case(tostring(Owner)==\"\", \"Unassigned\",tostring(Owner)), Products = strcat_array(AdditionalData.alertProductNames, \", \"), Alerts = tostring(AdditionalData.alertsCount), Bookmarks = tostring(AdditionalData.bookmarksCount), Comments = tostring(AdditionalData.commentsCount), Tactics = strcat_array(AdditionalData.tactics, \", \"), Labels = strcat_array(Tags, \", \")\r\n;\r\nlet incidentWithAlertsQuery = SecurityIncident\r\n| where IncidentNumber == incidentNumberToCheck\r\n| summarize arg_max(TimeGenerated,CreatedTime,Status, Severity, Owner, AdditionalData, IncidentUrl, Comments, Classification,ClassificationReason, ClassificationComment,Labels, Title, AlertIds) by IncidentNumber\r\n| where array_length(AlertIds) > 0\r\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\r\n| extend Tactics = todynamic(AdditionalData.tactics)\r\n| extend Owner = todynamic(Owner.assignedTo), IncidentCreated = format_datetime(CreatedTime,'yy-MM-dd HH:mm')\r\n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\r\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0]))\r\n| where Product in ({Product}) or '{Product:label}' == \"All\"\r\n| extend Tags = extract_all('labelName\":\"(.*?)\"',tostring(Labels))\r\n| extend Owner = case(tostring(Owner)==\"\", \"Unassigned\",tostring(Owner)), Products = strcat_array(AdditionalData.alertProductNames, \", \"), Alerts = tostring(AdditionalData.alertsCount), Bookmarks = tostring(AdditionalData.bookmarksCount), Comments = tostring(AdditionalData.commentsCount), Tactics = strcat_array(AdditionalData.tactics, \", \"), Labels = strcat_array(Tags, \", \")\r\n| mv-expand AlertIds to typeof(string)\r\n| join kind=leftouter\r\n(SecurityAlert\r\n| summarize arg_max(TimeGenerated,AlertName, Description, AlertType, Entities) by SystemAlertId) on $left.AlertIds == $right.SystemAlertId\r\n| summarize AlertName = makelist(AlertName), AlertType = makelist(AlertType) by Comments, Labels, Title, Products, AlertsCount = Alerts, Bookmarks, Status, Severity, Owner, IncidentCreated, ClassificationComment, Classification, ClassificationReason\r\n| extend AlertNames = strcat_array(AlertName, \", \"), AlertTypes = strcat_array(AlertType, \", \")\r\n;\r\nincidentWithNoAlertsQuery\r\n| union incidentWithAlertsQuery\r\n| project packed = pack_all()\r\n| mv-expand packed\r\n| parse tostring(packed) with * '\"' Field '\":\"' Value '\"}'\r\n| where Field in ('Severity', 'Owner','Status', 'AlertsCount','Products','Title', 'IncidentCreated', 'Labels','Bookmarks', 'AlertNames', 'AlertsType', 'Classification','ClassificationComment','ClassificationReason')\r\n| extend Field1 = case(Field== \"IncidentCreated\", \"Time created\", Field == \"AlertsCount\", \"Alert count\", Field == \"ClassificationComment\", \"Classification Comment\", Field == \"ClassificationReason\", \"Classification Reason\", Field == \"AlertNames\", \"Alert Names\", Field)\r\n| extend Order = case(Field==\"Title\", 1,Field==\"IncidentCreated\", 2,Field==\"Severity\", 3,Field==\"Status\", 4,Field==\"Owner\", 5,Field==\"Products\", 6,Field==\"AlertsType\",6,Field==\"AlertsCount\", 7,Field==\"Bookmarks\", 8, Field==\"Labels\", 9,Field==\"Classification\", 10,Field==\"ClassificationReason\",11, 100)",
"size": 0,
"noDataMessage": "Enter an incident number",
"noDataMessageStyle": 5,
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"sortBy": [],
"tileSettings": {
"titleContent": {
"columnMatch": "Field1",
"formatter": 1,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
"leftContent": {
"columnMatch": "Value",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Low",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Medium",
"representation": "orange",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "High",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "New",
"representation": "blue",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Active",
"representation": "lightBlue",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Closed",
"representation": "gray",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"text": "{0}{1}"
}
]
}
},
"secondaryContent": {
"columnMatch": "Remediation_",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url"
}
},
"showBorder": false,
"sortCriteriaField": "Order",
"sortOrderField": 1,
"size": "auto"
}
},
"customWidth": "67",
"name": "general info"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## Closing Classifications of Similar Incidents"
},
"name": "Headline - classification"
},
{
"type": 1,
"content": {
"json": "Closing classifications of incidents that where created from the same rule in the past month",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "Info - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let alertText = strcat_array(dynamic([{RuleId}]),\",\");\r\nlet getAmountOfIncidentForRuleId = (classification:string){\r\n SecurityIncident\r\n | where TimeGenerated >= ago(30d)\r\n | where Classification == classification\r\n | mv-expand AlertId=AlertIds\r\n | extend AlertId=tostring(AlertId)\r\n | join (SecurityAlert| where TimeGenerated >=ago(30d)) on $left.AlertId==$right.SystemAlertId\r\n | mv-expand RuleId=RelatedAnalyticRuleIds\r\n | extend RuleId=iff(ProductName!= 'Azure Sentinel', ProductName,RuleId)\r\n | summarize counter=count() by RuleIdentifier=tostring(RuleId)\r\n | extend RuleId=RuleIdentifier\r\n | project-away RuleIdentifier\r\n};\r\nlet falsePositiveClassificationTable = getAmountOfIncidentForRuleId(\"FalsePositive\") | extend FalsePositiveCounter=counter | project-away counter;\r\nlet undeterminedClassificationTable = getAmountOfIncidentForRuleId(\"Undetermined\") | extend UndeterminedCounter=counter | project-away counter;\r\nlet benignPositiveClassificationTable = getAmountOfIncidentForRuleId(\"BenignPositive\") | extend BenignPositiveCounter=counter | project-away counter;\r\nlet truePositiveClassificationTable = getAmountOfIncidentForRuleId(\"TruePositive\") | extend TruePositiveCounter=counter | project-away counter;\r\nlet closedIncidentTable = SecurityIncident| where TimeGenerated >= ago(30d) |where Status == \"Closed\" | mv-expand AlertId=AlertIds| extend AlertId=tostring(AlertId)| join SecurityAlert on $left.AlertId==$right.SystemAlertId| mv-expand RelatedAnalyticRuleIds| extend RuleId= iff(ProductName == 'Azure Sentinel', tostring(RelatedAnalyticRuleIds), ProductName);\r\nlet joinByRuleId = (T:(RuleId:string), S:(RuleId:string)){\r\n T \r\n | join kind=fullouter S on $left.RuleId == $right.RuleId\r\n | extend RuleId= iff(RuleId == '', RuleId1,RuleId)\r\n | project-away RuleId1\r\n};\r\njoinByRuleId(joinByRuleId(joinByRuleId(joinByRuleId(falsePositiveClassificationTable, undeterminedClassificationTable) , benignPositiveClassificationTable), truePositiveClassificationTable),closedIncidentTable)\r\n| join kind=leftouter (SecurityAlert\r\n| where TimeGenerated >= ago(30d)\r\n| where ProductName == 'Azure Sentinel'\r\n| extend RuleId = parsejson( tostring(todynamic(ExtendedProperties)['Analytic Rule Ids']))\r\n| mv-expand RuleId=RuleId\r\n| extend RuleId=tostring(RuleId)\r\n| extend RuleName= tostring(todynamic(ExtendedProperties)['Analytic Rule Name'])\r\n| project RuleId,RuleName\r\n| distinct RuleId,RuleName)\r\n on $left.RuleId==$right.RuleId\r\n| extend RuleName=iff(isempty(RuleName),RuleId,RuleName)\r\n| project-away RuleId1\r\n| where alertText has RuleId \r\n| summarize dcount(IncidentNumber) by Classification",
"size": 0,
"noDataMessage": "No recent closed incident were found",
"noDataMessageStyle": 4,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart",
"sortBy": [],
"tileSettings": {
"titleContent": {
"columnMatch": "Field1",
"formatter": 1,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
},
"leftContent": {
"columnMatch": "Value",
"formatter": 1
},
"showBorder": false,
"sortCriteriaField": "Order",
"sortOrderField": 1,
"size": "auto"
},
"chartSettings": {
"createOtherGroup": null
}
},
"name": "Closing classification"
}
]
},
"customWidth": "33",
"name": "Similar"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "⚠️ Remediations - click to Open",
"expandable": true,
"expanded": true,
"items": [
{
"type": 1,
"content": {
"json": "## Recommended Actions"
},
"name": "text - 15"
},
{
"type": 1,
"content": {
"json": "### Remediations and Actions Help\r\nIn this section of the Workbook, which only is visiable if an Alert has remediation entries, the default Remediations that are contained in the Alert data will be shown (Basic view). \r\nNote, not all Alerts have this data. \r\nHowever you can provide you own set of Alerts mapped to the Alert \"Title\". This enhanced feature, uses a Watchlist which has an alias name of: SocRA when you import it (Advanced view).\r\n\r\n \r\n### WatchList Instructions\r\n\r\n* You must download the Watchlist file called:\r\n### SOCAnalystActionsByAlert.csv \r\n\r\n<svg xmlns=\"http://www.w3.org/2000/svg\" id=\"a75e3f3a-2661-410b-82fb-d300d37dea2d\" width=\"18\" height=\"18\" viewBox=\"0 0 18 18\"><defs><linearGradient id=\"aff60ddf-eec1-40bf-8bf5-f3e3b50e8818\" x1=\"9\" y1=\"16.21\" x2=\"9\" y2=\"0.62\" gradientUnits=\"userSpaceOnUse\"><stop offset=\"0\" stop-color=\"#1b93eb\"/><stop offset=\"0.21\" stop-color=\"#2095eb\"/><stop offset=\"0.44\" stop-color=\"#2e9ced\"/><stop offset=\"0.69\" stop-color=\"#45a7ef\"/><stop offset=\"0.95\" stop-color=\"#64b6f1\"/><stop offset=\"1\" stop-color=\"#6bb9f2\"/></linearGradient></defs><title>Icon-security-248</title><path d=\"M16,8.44c0,4.57-5.53,8.25-6.73,9a.43.43,0,0,1-.46,0C7.57,16.69,2,13,2,8.44V2.94a.44.44,0,0,1,.43-.44C6.77,2.39,5.78.5,9,.5s2.23,1.89,6.53,2a.44.44,0,0,1,.43.44Z\" fill=\"#1b93eb\"/><path d=\"M15.38,8.48c0,4.2-5.07,7.57-6.17,8.25a.4.4,0,0,1-.42,0c-1.1-.68-6.17-4.05-6.17-8.25v-5A.41.41,0,0,1,3,3c3.94-.11,3-1.83,6-1.83S11.05,2.93,15,3a.41.41,0,0,1,.39.4Z\" fill=\"url(#aff60ddf-eec1-40bf-8bf5-f3e3b50e8818)\"/><path d=\"M9,6.53A2.88,2.88,0,0,1,11.84,9a.49.49,0,0,0,.49.4h1.4a.49.49,0,0,0,.5-.53,5.26,5.26,0,0,0-10.46,0,.49.49,0,0,0,.5.53h1.4A.49.49,0,0,0,6.16,9,2.88,2.88,0,0,1,9,6.53Z\" fill=\"#c3f1ff\"/><circle cx=\"9\" cy=\"9.4\" r=\"1.91\" fill=\"#fff\"/></svg>(https://github.com/Azure/Azure-Sentinel/blob/master/docs/SOCAnalystActionsByAlert.csv)\r\n \r\n * Name the Watchlist alias as: \r\n ### SocRA \r\n * Note: SocRA is case sensitive, you need an uppercase S, R and A.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - ra Help text"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\r\n| where IncidentNumber == '{IncidentNumber:value}' \r\n| summarize arg_max(LastModifiedTime,*) by tostring(IncidentNumber)\r\n| extend Alerts = extract(\"\\\\[(.*?)\\\\]\", 1, tostring(AlertIds))\r\n| mv-expand AlertIds to typeof(string)\r\n| join \r\n(\r\n SecurityAlert\r\n | extend Remediation_ = parse_json(RemediationSteps)\r\n | mv-expand Remediation_\r\n) on $left.AlertIds == $right.SystemAlertId\r\n| summarize Remediation=make_set(tostring(Remediation_)) by IncidentNumber, Title, Severity\r\n| mv-expand Remediation to typeof(string)\r\n// extract URL from the string \r\n| extend url_ = iif(Remediation contains 'https://',extract (\"https://([a-zA-Z0-9-_://@.?%=&# +]*)\",0,tostring(Remediation)),\"\")\r\n| serialize\r\n| extend IncidentNumber = iif(prev(IncidentNumber) == IncidentNumber,'',IncidentNumber), Title = iif(prev(Title) == Title,'',Title)\r\n",
"size": 1,
"title": "Incident and Remediations - Basic View (from Alert) ",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Severity",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "High",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Medium",
"representation": "orange",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Low",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Informational",
"representation": "gray",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Remediation",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkIsContextBlade": true
},
"tooltipFormat": {
"tooltip": "Click to see more details about the Remediation step"
}
},
{
"columnMatch": "url_",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"linkLabel": "",
"linkIsContextBlade": false
},
"tooltipFormat": {
"tooltip": "Open this link (in another Tab)"
}
},
{
"columnMatch": "entityList",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkIsContextBlade": true
}
}
],
"labelSettings": [
{
"columnId": "url_",
"label": "URL",
"comment": "Show a URL if available "
}
]
},
"tileSettings": {
"titleContent": {
"columnMatch": "IncidentNumber"
},
"subtitleContent": {
"columnMatch": "Title"
},
"leftContent": {
"columnMatch": "Remediation"
},
"secondaryContent": {
"columnMatch": "url_",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"linkIsContextBlade": false
}
},
"showBorder": false
},
"graphSettings": {
"type": 2,
"topContent": {
"columnMatch": "IncidentNumber"
},
"leftContent": {
"columnMatch": "Title"
},
"centerContent": {
"columnMatch": "url_",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url"
}
},
"hivesContent": {
"columnMatch": "Title",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url"
}
},
"nodeIdField": "Remediation",
"sourceIdField": "Title",
"targetIdField": "Remediation",
"graphOrientation": 3,
"showOrientationToggles": false,
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": {
"nodeColorField": "url_",
"type": 1,
"colorPalette": "default"
},
"groupByField": "Title",
"hivesMargin": 5
}
},
"conditionalVisibility": {
"parameterName": "watchListExists",
"comparison": "isEqualTo"
},
"name": "query - basic View "
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_GetWatchlist('SocRA')\r\n| join\r\n (\r\n SecurityIncident | where IncidentNumber == '{IncidentNumber}' \r\n | summarize arg_max(TimeGenerated, CreatedTime, Status, Severity, Owner, AdditionalData, IncidentUrl, Comments, Classification, ClassificationReason, ClassificationComment, Labels, Title, AlertIds) by IncidentNumber\r\n ) on $left.Alert == $right.Title\r\n| project-keep A*, Status, Severity //, A1, A2, A3, A4, A5, A6, A7, A8, A9, A10, A11, A12, A13, A14, A15, A16, A17, A18, A19\r\n| project-reorder Alert, Status, Severity, A* asc\r\n| project-away AlertIds, AdditionalData\r\n| evaluate narrow()\r\n| extend url_ = iif(Value contains 'https://',extract (\"https://([a-zA-Z0-9-_://@.?%=&# +]*)\",0,Value),\"\")\r\n| extend r = iif(Column startswith 'A', extract(@\"\\d+\",0,tostring(Column)),\"\")\r\n| where isnotempty(Value)\r\n| project tostring(Column), RemediationStep =Value, URLtoOpen=url_,toint(r)\r\n| order by Column desc, r asc \r\n\r\n\r\n\r\n\r\n\r\n\r\n",
"size": 0,
"title": "Incident and Remediations - Advanced View (from Watchlist, \"SocRA\") Incident Number:{IncidentNumber}",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Remediation",
"formatter": 18,
"formatOptions": {
"linkTarget": "CellDetails",
"linkIsContextBlade": true,
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Low",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Medium",
"representation": "orange",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "High",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"text": "{0}{1}"
}
]
},
"tooltipFormat": {
"tooltip": "Click to see more details about the Remediation step"
}
},
{
"columnMatch": "URLtoOpen",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url"
}
},
{
"columnMatch": "Severity",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "High",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Medium",
"representation": "orange",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Low",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Informational",
"representation": "gray",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "blue",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "url_",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"linkLabel": "",
"linkIsContextBlade": false
},
"tooltipFormat": {
"tooltip": "Open this link (in another Tab)"
}
},
{
"columnMatch": "entityList",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkIsContextBlade": true
}
}
],
"filter": true,
"sortBy": [
{
"itemKey": "r",
"sortOrder": 1
}
],
"labelSettings": [
{
"columnId": "r",
"label": "AlertOrder"
}
]
},
"sortBy": [
{
"itemKey": "r",
"sortOrder": 1
}
],
"tileSettings": {
"titleContent": {
"columnMatch": "IncidentNumber"
},
"subtitleContent": {
"columnMatch": "Title"
},
"leftContent": {
"columnMatch": "Remediation"
},
"secondaryContent": {
"columnMatch": "url_",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"linkIsContextBlade": false
}
},
"showBorder": false
},
"graphSettings": {
"type": 2,
"topContent": {
"columnMatch": "IncidentNumber"
},
"leftContent": {
"columnMatch": "Title"
},
"centerContent": {
"columnMatch": "url_",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url"
}
},
"hivesContent": {
"columnMatch": "Title",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url"
}
},
"nodeIdField": "Remediation",
"sourceIdField": "Title",
"targetIdField": "Remediation",
"graphOrientation": 3,
"showOrientationToggles": false,
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": {
"nodeColorField": "url_",
"type": 1,
"colorPalette": "default"
},
"groupByField": "Title",
"hivesMargin": 5
}
},
"conditionalVisibility": {
"parameterName": "watchListExists",
"comparison": "isNotEqualTo"
},
"name": "query - advanced View"
}
]
},
"name": "RecActions"
},
{
"type": 1,
"content": {
"json": "## Incident Entities"
},
"name": "text - 2 - Copy - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"POST\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/incidents/{IncidentID}/entities\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2021-04-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.metaData\",\"columns\":[]}}]}",
"size": 2,
"noDataMessage": "No entities were found",
"noDataMessageStyle": 4,
"queryType": 12,
"visualization": "piechart",
"sortBy": [],
"tileSettings": {
"titleContent": {
"columnMatch": "entityKind",
"formatter": 12,
"formatOptions": {
"palette": "blue"
}
},
"leftContent": {
"columnMatch": "count",
"formatter": 1,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
},
"showBorder": false,
"sortCriteriaField": "Order",
"sortOrderField": 1,
"size": "auto"
}
},
"customWidth": "30",
"name": "Entities"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"POST\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/incidents/{IncidentID}/entities\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2021-04-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.entities\",\"columns\":[{\"path\":\"$.kind\",\"columnid\":\"Kind\"},{\"path\":\"$.properties.friendlyName\",\"columnid\":\"Name\"}]}}]}",
"size": 2,
"noDataMessage": "No entities were found",
"noDataMessageStyle": 4,
"queryType": 12,
"visualization": "table",
"gridSettings": {
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"Kind"
],
"expandTopLevel": true
}
},
"sortBy": [],
"tileSettings": {
"titleContent": {
"columnMatch": "kind",
"formatter": 1,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
},
"subtitleContent": {
"columnMatch": "properties",
"formatter": 1
},
"showBorder": false,
"sortCriteriaField": "kind",
"sortOrderField": 1,
"size": "auto"
}
},
"customWidth": "70",
"name": "Entities List"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## Recent activities"
},
"name": "text - 2 - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| where IncidentNumber == '{IncidentNumber}' or '{IncidentNumber}' == ''\n| order by LastModifiedTime \n| project LastModifiedTime,IncidentNumber, Title, Product, IncidentUrl, ModifiedBy,Status, Severity, Owner\n| take 250\n\n\n",
"size": 1,
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "IncidentUrl",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"linkLabel": "Go to incident >"
}
}
],
"labelSettings": [
{
"columnId": "LastModifiedTime",
"label": "Last Modified Time"
},
{
"columnId": "IncidentNumber",
"label": "Incident Number"
},
{
"columnId": "IncidentUrl",
"label": "Link to incident"
},
{
"columnId": "ModifiedBy",
"label": "Modified By"
}
]
},
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Column1",
"formatter": 1
},
"leftContent": {
"columnMatch": "IncidentNumber",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"name": "query - 2 - Copy - Copy - Copy - Copy"
}
]
},
"name": "Incidents tactic over time"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## Incident's Comments"
},
"name": "text - 2 - Copy - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\n| where IncidentNumber == '{IncidentNumber}' or '{IncidentNumber}' == ''\n| summarize arg_max(TimeGenerated,Status, Severity, Owner, AdditionalData, IncidentUrl, Comments) by IncidentNumber\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| mv-expand Comments to typeof(string)\n| extend Message = extract('message\":\"(.*?)\"',1,tostring(Comments)), Author = extract('name\":\"(.*?)\"',1,tostring(Comments)), CreatedTimeUTC = extract('createdTimeUtc\":\"(.*?)\"',1,tostring(Comments))\n| project CreatedTimeUTC, Author, Message, IncidentNumber, Owner\n| take 250\n\n\n",
"size": 1,
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "IncidentUrl",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"linkLabel": "Go to incident >"
}
}
],
"sortBy": [
{
"itemKey": "IncidentNumber",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "IncidentNumber",
"sortOrder": 2
}
],
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Column1",
"formatter": 1
},
"leftContent": {
"columnMatch": "IncidentNumber",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"name": "query - 2 - Copy - Copy - Copy - Copy"
}
]
},
"name": "Incidents tactic over time - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## Time to closure\r\n"
},
"name": "text - 2 - Copy"
},
{
"type": 1,
"content": {
"json": "The mean time between the incident creation and first modification by owner\r\n\r\n",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 2 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\n| where IncidentNumber == '{IncidentNumber}' or '{IncidentNumber}' == ''\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| summarize arg_max(TimeGenerated,Title, ClosedTime, CreatedTime) by IncidentNumber \n| where isnotnull(ClosedTime)\n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\n",
"size": 1,
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "series",
"exportParameterName": "Status",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "IncidentNumber",
"formatter": 1
},
"leftContent": {
"columnMatch": "TimeToClosure",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 26,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 3
}
}
},
"showBorder": false
}
},
"name": "query - 2 - Copy"
}
]
},
"name": "Time to mitigate",
"styleSettings": {
"margin": "0",
"padding": "0"
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## Time to triage \r\n"
},
"name": "text - 2 - Copy"
},
{
"type": 1,
"content": {
"json": "The mean time between the incident creation and first modification by owner\r\n\r\n",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 2 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\n| where IncidentNumber == '{IncidentNumber}' or '{IncidentNumber}' == ''\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or '{Severity:label}' == \"All\"\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or '{Tactics:label}' == \"All\"\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or '{Product:label}' == \"All\"\n| where ModifiedBy != 'Incident created from alert'\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n| where isnotnull(FirstModifiedTime)\n| extend TimeToTriage = FirstModifiedTime - CreatedTime\n| project IncidentNumber, MeanToTriage = TimeToTriage/1h\n",
"size": 1,
"timeContext": {
"durationMs": 94608000000,
"endTime": "2023-06-01T17:13:00.000Z"
},
"exportFieldName": "series",
"exportParameterName": "Status",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "IncidentNumber",
"formatter": 1
},
"leftContent": {
"columnMatch": "MeanToTriage",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 26,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 3
}
}
},
"showBorder": false
}
},
"name": "query - 2 - Copy"
}
]
},
"name": "Time to close",
"styleSettings": {
"margin": "0",
"padding": "0"
}
}
],
"fromTemplateId": "sentinel-IncidentOverview",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку