Azure-Sentinel/Workbooks/AutomationHealth.json

2085 lines
92 KiB
JSON

{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "193018ae-9d71-428b-97c9-567bc424b446",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"includeAll": true,
"showDefault": false
},
"value": [
"value::all"
]
},
{
"id": "56adbf21-6ff1-472e-a1bc-0080686fac66",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| project id",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": [
"value::all"
]
},
{
"id": "482be6d3-096d-4546-bbdc-a4bbae626160",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"label": "Time range",
"type": 4,
"value": {
"durationMs": 604800000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "28ea2c0a-97e1-4978-b7bd-6de29f7c550b",
"version": "KqlParameterItem/1.0",
"name": "ShowIntro",
"label": "Show workbook introduction?",
"type": 10,
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"jsonData": "[\r\n {\"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\"}\r\n]",
"value": "Yes"
},
{
"id": "f4167f82-9569-42c2-ad15-4c48f5816cfe",
"version": "KqlParameterItem/1.0",
"name": "ShowHelp",
"label": "Show help?",
"type": 10,
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[\r\n {\"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\"}\r\n]",
"value": "Yes"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 0"
},
{
"type": 1,
"content": {
"json": "This workbook utilizes the `SentinelHealth` and `AzureDiagnostics` tables. Please make sure to enable Sentinel Health for Microsoft Sentinel Automation, and Diagnostic settings for each playbook you want to monitor.<br><br>\r\n\r\nThe `SentinelHealth` table contains the following information:<br><br>\r\n\r\n1. Automation rule runs\r\nAny run of an automation rule is logged, except runs whose conditions were not met, so no action was performed<br>\r\nPlaybooks triggered by the automation rules, including trigger status, not including the run result\r\n\r\n2. Playbook demand triggers<br>\r\nAny trigger of a playbook on an incident from portal or API, including trigger status, but *not* including the run result<br><br>\r\n\r\nTo enable Sentinel Health for automation, please go to Microsoft Sentinel -> Settings blade -> Settings tab -> *Auditing and monitoring*. Select *Enable* to enable health monitoring for all resources, or select *Configure diagnostic settings* for advanced configuration. Health monitoring includes monitoring of Analytics, Automation, and Data Collection - Connectors.\r\n\r\nLearn more - https://learn.microsoft.com/azure/sentinel/enable-monitoring.\r\n\r\nSample KQL for automation health details:\r\n\r\n`SentinelHealth`\r\n<br>`| where SentinelResourceType in (\"Playbook\", \"Automation rule\")`\r\n<br><br><br><br>\r\nThe `AzureDiagnostics` table includes details of each playbook run, and you can compare playbook trigger data with playbook run data using a run ID field that is unique for each playbook run.\r\n\r\nTo enable diagnostic settings *for each playbook you want to monitor*, please follow these steps - https://docs.microsoft.com/azure/logic-apps/monitor-logic-apps-log-analytics#set-up-azure-monitor-logs.<br>\r\n\r\nMake sure to select *Send to Log Analytics workspace* as the destination, and choose your Microsoft Sentinel workspace.\r\n\r\nSample KQL for diagnostics details:\r\n\r\n`AzureDiagnostics`\r\n<br>`| where OperationName == \"Microsoft.Logic/workflows/workflowRunCompleted\"`\r\n\r\n<br><br>Tables used per tab:\r\n\r\n- Automation Health: `SentinelHealth`<br>\r\n- Playbook Health (Azure Diagnostics): `AzureDiagnostics`<br>\r\n- Playbooks run by Automation Rules: `SentinelHealth`<br>\r\n- Automation per Incident: `SentinelHealth`<br>\r\n- Playbooks Billable Info: *Azure Resource Graph* (doesn't rely on Microsoft Sentinel tables)<br><br>\r\n\r\nHelp information on how to utilize this workbook is positioned below fields where we can show more details.\r\nIf you want to show or hide help information, please change parameter 'Show help?' above to 'Yes' or 'No'\r\n\r\nIf you want to hide this introduction page, please change parameter 'Show workbook introduction?' above to 'No'",
"style": "success"
},
"conditionalVisibility": {
"parameterName": "ShowIntro",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 20"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "21bca600-cdf0-45d3-b8b4-f4fdd4791a27",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Automation Health",
"subTarget": "AutomationHealth",
"preText": "Automation health",
"style": "link"
},
{
"id": "9c9519fc-9c40-4329-be20-13bd37bd4400",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Playbook Health (Azure Diagnostics)",
"subTarget": "PlaybookHealthAD",
"style": "link"
},
{
"id": "55a16002-e96e-4e60-a5d3-27b7798e1451",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Playbooks run by Automation Rules",
"subTarget": "AutomationRulePlaybooks",
"style": "link"
},
{
"id": "31f4c16a-28bf-4ca6-b12c-2df54e138ee3",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Automation per Incident",
"subTarget": "PerIncident",
"style": "link"
},
{
"id": "70e4ec13-79cf-4689-b903-117a0d702a42",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Playbooks Billable Info",
"subTarget": "BillableInfo",
"style": "link"
}
]
},
"name": "links - 6"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType == \"Automation rule\"\r\n| where Status == \"Failure\"\r\n| summarize ['Unsuccessful executions']=count(Status) by ['Display name']=SentinelResourceName\r\n| top 5 by ['Unsuccessful executions']",
"size": 1,
"title": "Top 5 failed Automation rules",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "30",
"name": "query - 13"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType == \"Playbook\"\r\n| where Status == \"Failure\"\r\n| summarize ['Unsuccessful executions']=count(Status) by ['Display name']=SentinelResourceName\r\n| top 5 by ['Unsuccessful executions']",
"size": 1,
"title": "Top 5 failed Playbooks on-demand (failed triggers)",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "30",
"name": "query - 14"
}
]
},
"name": "Top failed automations"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Automation runs by type",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType in (\"Playbook\", \"Automation rule\")\r\n| summarize Runs=count(Status) by SentinelResourceType",
"size": 1,
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart"
},
"customWidth": "20",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType in (\"Playbook\", \"Automation rule\")\r\n| summarize ['Number of executions']=count(Status) by ['Display name']=SentinelResourceType",
"size": 4,
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Display name",
"exportParameterName": "SentinelResourceType",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"sortBy": [
{
"itemKey": "Number of executions",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "Number of executions",
"sortOrder": 1
}
]
},
"customWidth": "30",
"name": "query - 1"
}
],
"exportParameters": true
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "AutomationHealth"
},
"name": "Automation runs"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Automation runs by status for selected type",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType == \"{SentinelResourceType}\"\r\n| summarize Runs=count(SentinelResourceType) by Status",
"size": 1,
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart"
},
"customWidth": "20",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType == \"{SentinelResourceType}\"\r\n| summarize ['Number of executions']=count(SentinelResourceType) by Status",
"size": 4,
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Status",
"exportParameterName": "Status",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "30",
"name": "query - 2"
},
{
"type": 1,
"content": {
"json": "Select Playbook or Automation rule from 'Automation runs by type' to show details.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 2"
}
],
"exportParameters": true
},
"name": "runs per automation type"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType == \"{SentinelResourceType}\"\r\n| where Status == \"{Status}\" or \"{Status}\" == 'All'\r\n| project [\"Time generated\"]=TimeGenerated, ['Display name']=SentinelResourceName, Description, Reason, ['Extended properties']=ExtendedProperties, ['Workspace ID']=WorkspaceId, ['Record ID']=RecordId\r\n| sort by [\"Time generated\"] desc",
"size": 0,
"title": "List of runs per status",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Record ID",
"exportParameterName": "RecordId",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "query - 3"
},
{
"type": 1,
"content": {
"json": "Select Status in 'Automation runs by status for selected type' to show details.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType == \"{SentinelResourceType}\"\r\n| where RecordId == \"{RecordId}\" or \"{RecordId}\" == 'All'\r\n| project ['Incident ID']=ExtendedProperties.IncidentNumber, Playbook=SentinelResourceId, Description, Reason, ['Triggered on']=ExtendedProperties.TriggeredOn, ['Triggered by']=ExtendedProperties.TriggeredByName.UserDisplayName, UPN=ExtendedProperties.TriggeredByName.UserPrincipalName, ['Playbook run ID']=ExtendedProperties.RunId",
"size": 4,
"title": "Playbook on-demand run details",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Playbook run ID",
"exportParameterName": "runIdP",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"conditionalVisibility": {
"parameterName": "SentinelResourceType",
"comparison": "isEqualTo",
"value": "Playbook"
},
"name": "query - 4"
},
{
"type": 1,
"content": {
"json": "Select Playbook from 'List of runs per status' to show details.",
"style": "info"
},
"conditionalVisibilities": [
{
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
},
{
"parameterName": "SentinelResourceType",
"comparison": "isEqualTo",
"value": "Playbook"
}
],
"name": "text - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType == \"Playbook\"\r\n| extend RunId=tostring(ExtendedProperties.RunId)\r\n| where RunId == \"{runIdP}\"\r\n| join (AzureDiagnostics\r\n| where OperationName == \"Microsoft.Logic/workflows/workflowRunCompleted\"\r\n| project resource_runId_s, playbookName = resource_workflowName_s, playbookRunStatus = status_s, errorMessage = error_message_s) on\r\n$left.RunId == $right.resource_runId_s\r\n| project [\"Time Generated\"]=TimeGenerated, Playbook=SentinelResourceId, [\"Run status\"]=playbookRunStatus, [\"Error message\"]=errorMessage, [\"Record ID\"]=RecordId, [\"Run ID\"] = RunId",
"size": 4,
"title": "Playbook run details (Azure Diagnostic)",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"sortBy": []
},
"conditionalVisibility": {
"parameterName": "SentinelResourceType",
"comparison": "isEqualTo",
"value": "Playbook"
},
"name": "query - 15"
},
{
"type": 1,
"content": {
"json": "Select Playbook from 'Playbook on-demand run details' to show Playbook run details. Please note that Diagnostic settings must be enabled for the selected playbook to see the details!",
"style": "info"
},
"conditionalVisibilities": [
{
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
},
{
"parameterName": "SentinelResourceType",
"comparison": "isEqualTo",
"value": "Playbook"
}
],
"name": "text - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType == \"{SentinelResourceType}\"\r\n| where RecordId == \"{RecordId}\" or \"{RecordId}\" == 'All'\r\n| mv-expand TriggeredPlaybooks = ExtendedProperties.TriggeredPlaybooks\r\n| project ['Incident ID']=ExtendedProperties.IncidentNumber, Playbook=tostring(TriggeredPlaybooks.WorkflowId), Description, Reason, ['Triggered on']=ExtendedProperties.TriggeredOn, ['Triggered when']=ExtendedProperties.TriggeredWhen, ['Total actions']=ExtendedProperties.TotalActions, ['Playbook run ID']=tostring(TriggeredPlaybooks.RunId)",
"size": 4,
"title": "Automation rule run details",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Playbook run ID",
"exportParameterName": "runId",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"conditionalVisibility": {
"parameterName": "SentinelResourceType",
"comparison": "isEqualTo",
"value": "Automation rule"
},
"name": "query - 5"
},
{
"type": 1,
"content": {
"json": "Select Automation rule from 'List of runs per status' to show details.",
"style": "info"
},
"conditionalVisibilities": [
{
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
},
{
"parameterName": "SentinelResourceType",
"comparison": "isEqualTo",
"value": "Automation rule"
}
],
"name": "text - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType == \"Automation rule\"\r\n| mv-expand TriggeredPlaybooks = ExtendedProperties.TriggeredPlaybooks\r\n| extend RunId=tostring(TriggeredPlaybooks.RunId)\r\n| where RunId == \"{runId}\"\r\n| join (AzureDiagnostics\r\n| where OperationName == \"Microsoft.Logic/workflows/workflowRunCompleted\"\r\n| project resource_runId_s, playbookName = resource_workflowName_s, playbookRunStatus = status_s, errorMessage = error_message_s) on\r\n$left.RunId == $right.resource_runId_s\r\n| project [\"Time Generated\"]=TimeGenerated, Playbook=tostring(TriggeredPlaybooks.WorkflowId), [\"Run status\"]=playbookRunStatus, [\"Error message\"]=errorMessage, [\"Record ID\"]=RecordId, [\"Run ID\"] = RunId",
"size": 4,
"title": "Playbook run details (Azure Diagnostic)",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"conditionalVisibility": {
"parameterName": "SentinelResourceType",
"comparison": "isEqualTo",
"value": "Automation rule"
},
"name": "query - 14"
},
{
"type": 1,
"content": {
"json": "Select Playbook from 'Automation rule run details' to show Playbook run details. Please note that Diagnostic settings must be enabled for the selected playbook to see the details!",
"style": "info"
},
"conditionalVisibilities": [
{
"parameterName": "SentinelResourceType",
"comparison": "isEqualTo",
"value": "Automation rule"
},
{
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
}
],
"name": "text - 12"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "AutomationHealth"
},
"name": "Automation health"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\r\n| extend Owner = tostring(Owner.assignedTo)\r\n| summarize arg_max([\"Time generated\"]=TimeGenerated, Title, Severity, Status, [\"Provider name\"]=ProviderName, Owner, [\"Modified by\"]=ModifiedBy, [\"Incident URL\"]=IncidentUrl, [\"Workspace ID\"]=TenantId) by [\"Incident ID\"]=IncidentNumber\r\n| sort by [\"Incident ID\"] desc",
"size": 0,
"title": "List of incidents",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Incident ID",
"exportParameterName": "IncidentNumber",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Incident URL",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url"
}
}
]
}
},
"name": "query - 7"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Automations run on incident",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType in (\"Playbook\", \"Automation rule\")\r\n| extend IncidentNo = tostring(ExtendedProperties.IncidentNumber)\r\n| where IncidentNo == \"{IncidentNumber}\" or \"{IncidentNumber}\" == 'All'\r\n| summarize Runs=count(Status) by SentinelResourceType\r\n",
"size": 1,
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "20",
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType in (\"Playbook\", \"Automation rule\")\r\n| extend IncidentNo = tostring(ExtendedProperties.IncidentNumber)\r\n| where IncidentNo == \"{IncidentNumber}\" or \"{IncidentNumber}\" == 'All'\r\n| summarize ['Number of executions']=count(Status) by ['Display name']=SentinelResourceType\r\n",
"size": 4,
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Display name",
"exportParameterName": "SentinelResourceType2",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "30",
"name": "query - 9"
},
{
"type": 1,
"content": {
"json": "Select incident from 'List of incidents' to show details.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 2"
}
],
"exportParameters": true
},
"name": "Automation run on incident"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Automation run statuses",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType == \"{SentinelResourceType2}\" or \"{SentinelResourceType2}\" == 'All'\r\n| extend IncidentNo = tostring(ExtendedProperties.IncidentNumber)\r\n| where IncidentNo == \"{IncidentNumber}\" or \"{IncidentNumber}\" == 'All'\r\n| summarize Runs=count(SentinelResourceType) by Status",
"size": 4,
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "20",
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType == \"{SentinelResourceType2}\"\r\n| extend IncidentNo = tostring(ExtendedProperties.IncidentNumber)\r\n| where IncidentNo == \"{IncidentNumber}\" or \"{IncidentNumber}\" == 'All'\r\n| summarize ['Number of executions']=count(SentinelResourceType) by Status",
"size": 4,
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Status",
"exportParameterName": "Status2",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "20",
"name": "query - 1"
},
{
"type": 1,
"content": {
"json": "Select Playbook or Automation rule from 'Automation runs by type' to show details.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 2"
}
],
"exportParameters": true
},
"name": "status by automation type"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType == \"{SentinelResourceType2}\" or \"{SentinelResourceType2}\" == 'All'\r\n| where Status == \"{Status2}\" or \"{Status2}\" == 'All'\r\n| extend IncidentNo = tostring(ExtendedProperties.IncidentNumber)\r\n| where IncidentNo == \"{IncidentNumber}\" or \"{IncidentNumber}\" == 'All'\r\n| project [\"Time generated\"]=TimeGenerated, [\"Incident ID\"]=IncidentNo, ['Display name']=SentinelResourceName, Description, Reason, ['Extended properties']=ExtendedProperties, ['Workspace ID']=WorkspaceId, ['Record ID']=RecordId\r\n| sort by [\"Time generated\"] desc",
"size": 1,
"title": "List of runs per status",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Record ID",
"exportParameterName": "RecordId2",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "query - 10"
},
{
"type": 1,
"content": {
"json": "Select Status in 'Automation runs by status for selected type' to show details.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType == \"{SentinelResourceType2}\" or \"{SentinelResourceType2}\" == 'All'\r\n| where RecordId == \"{RecordId2}\" or \"{RecordId2}\" == 'All'\r\n| extend IncidentNo = tostring(ExtendedProperties.IncidentNumber)\r\n| where IncidentNo == \"{IncidentNumber}\" or \"{IncidentNumber}\" == 'All'\r\n| project ['Incident ID']=ExtendedProperties.IncidentNumber, Playbook=SentinelResourceId, Description, Reason, ['Triggered on']=ExtendedProperties.TriggeredOn, ['Triggered by']=ExtendedProperties.TriggeredByName.UserDisplayName, UPN=ExtendedProperties.TriggeredByName.UserPrincipalName, ['Playbook run ID']=ExtendedProperties.RunId",
"size": 4,
"title": "Playbook on-demand run details",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Playbook run ID",
"exportParameterName": "RunIdInc",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"conditionalVisibility": {
"parameterName": "SentinelResourceType2",
"comparison": "isEqualTo",
"value": "Playbook"
},
"name": "query - 11"
},
{
"type": 1,
"content": {
"json": "Select Playbook from 'List of runs per status' to show details.",
"style": "info"
},
"conditionalVisibilities": [
{
"parameterName": "SentinelResourceType2",
"comparison": "isEqualTo",
"value": "Playbook"
},
{
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
}
],
"name": "text - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType == \"Playbook\"\r\n| extend RunId=tostring(ExtendedProperties.RunId)\r\n| where RunId == \"{RunIdInc}\"\r\n| join (AzureDiagnostics\r\n| where OperationName == \"Microsoft.Logic/workflows/workflowRunCompleted\"\r\n| project resource_runId_s, playbookName = resource_workflowName_s, playbookRunStatus = status_s, errorMessage = error_message_s) on\r\n$left.RunId == $right.resource_runId_s\r\n| project [\"Time generated\"]=TimeGenerated, Playbook=SentinelResourceId, [\"Run status\"]=playbookRunStatus, [\"Error message\"]=errorMessage, [\"Record ID\"]=RecordId, [\"Run ID\"] = RunId",
"size": 4,
"title": "Playbook run details (Azure Diagnostic)",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"conditionalVisibility": {
"parameterName": "SentinelResourceType2",
"comparison": "isEqualTo",
"value": "Playbook"
},
"name": "query - 21"
},
{
"type": 1,
"content": {
"json": "Select Playbook from 'Playbook on-demand run details' to show Playbook run details. Please note that Diagnostic settings must be enabled for the selected playbook to see the details!",
"style": "info"
},
"conditionalVisibilities": [
{
"parameterName": "SentinelResourceType2",
"comparison": "isEqualTo",
"value": "Playbook"
},
{
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
}
],
"name": "text - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType == \"{SentinelResourceType2}\" or \"{SentinelResourceType2}\" == 'All'\r\n| where RecordId == \"{RecordId2}\" or \"{RecordId2}\" == 'All'\r\n| extend IncidentNo = tostring(ExtendedProperties.IncidentNumber)\r\n| where IncidentNo == \"{IncidentNumber}\" or \"{IncidentNumber}\" == 'All'\r\n| mv-expand TriggeredPlaybooks = ExtendedProperties.TriggeredPlaybooks\r\n| project ['Incident ID']=ExtendedProperties.IncidentNumber, Playbook=tostring(TriggeredPlaybooks.WorkflowId), Description, Reason, ['Triggered on']=ExtendedProperties.TriggeredOn, ['Triggered when']=ExtendedProperties.TriggeredWhen, ['Total actions']=ExtendedProperties.TotalActions, ['Playbook run ID']=tostring(TriggeredPlaybooks.RunId)",
"size": 1,
"title": "Automation rule run details",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Playbook run ID",
"exportParameterName": "RunIdIcAR",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"conditionalVisibility": {
"parameterName": "SentinelResourceType2",
"comparison": "isEqualTo",
"value": "Automation rule"
},
"name": "query - 12"
},
{
"type": 1,
"content": {
"json": "Select Automation rule from 'List of runs per status' to show details.",
"style": "info"
},
"conditionalVisibilities": [
{
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
},
{
"parameterName": "SentinelResourceType2",
"comparison": "isEqualTo",
"value": "Automation rule"
}
],
"name": "text - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType == \"Automation rule\"\r\n| mv-expand TriggeredPlaybooks = ExtendedProperties.TriggeredPlaybooks\r\n| extend RunId=tostring(TriggeredPlaybooks.RunId)\r\n| where RunId == \"{RunIdIcAR}\"\r\n| join (AzureDiagnostics\r\n| where OperationName == \"Microsoft.Logic/workflows/workflowRunCompleted\"\r\n| project resource_runId_s, playbookName = resource_workflowName_s, playbookRunStatus = status_s, errorMessage = error_message_s) on\r\n$left.RunId == $right.resource_runId_s\r\n| project [\"Time generated\"]=TimeGenerated, Playbook=tostring(TriggeredPlaybooks.WorkflowId), [\"Run status\"]=playbookRunStatus, [\"Error message\"]=errorMessage, [\"Record ID\"]=RecordId, [\"Run ID\"] = RunId",
"size": 4,
"title": "Playbook run details (Azure Diagnostic)",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"conditionalVisibility": {
"parameterName": "SentinelResourceType2",
"comparison": "isEqualTo",
"value": "Automation rule"
},
"name": "query - 22"
},
{
"type": 1,
"content": {
"json": "Select Playbook from 'Automation rule run details' to show Playbook run details. Please note that Diagnostic settings must be enabled for the selected playbook to see the details!",
"style": "info"
},
"conditionalVisibilities": [
{
"parameterName": "SentinelResourceType2",
"comparison": "isEqualTo",
"value": "Automation rule"
},
{
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
}
],
"name": "text - 10"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "PerIncident"
},
"name": "Automations per Incident"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType in (\"Automation rule\")\r\n| mv-expand TriggeredPlaybooks = ExtendedProperties.TriggeredPlaybooks\r\n| extend Playbooks = \"Playbooks\"\r\n| project AutomationRulePlaybook = tostring(TriggeredPlaybooks.WorkflowId), RunId = tostring(TriggeredPlaybooks.RunId), Playbooks\r\n| summarize Runs = count() by Playbooks\r\n| project Playbooks, [\"Number of executions\"]=Runs",
"size": 4,
"title": "Playbooks run by Automation rule",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType in (\"Automation rule\")\r\n| mv-expand TriggeredPlaybooks = ExtendedProperties.TriggeredPlaybooks\r\n| project Playbook = tostring(TriggeredPlaybooks.WorkflowId)\r\n| summarize Runs=count() by Playbook\r\n| project Playbook, [\"Number of executions\"]=Runs\r\n| sort by [\"Number of executions\"] desc",
"size": 0,
"title": "List of Playbooks run by Automation rules",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Playbook",
"exportParameterName": "PlaybookAR",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "query - 19"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType in (\"Automation rule\")\r\n| mv-expand TriggeredPlaybooks = ExtendedProperties.TriggeredPlaybooks\r\n| extend Playbook = tostring(TriggeredPlaybooks.WorkflowId)\r\n| where Playbook == \"{PlaybookAR}\"\r\n| project [\"Incident ID\"] = tostring(ExtendedProperties.IncidentNumber), Playbook, [\"Triggered on\"] = ExtendedProperties.TriggeredOn, [\"Triggered when\"] = ExtendedProperties.TriggeredWhen, [\"Run ID\"] = tostring(TriggeredPlaybooks.RunId)\r\n| sort by [\"Incident ID\"] desc",
"size": 0,
"title": "Selected Playbook runs",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Run ID",
"exportParameterName": "RunIdAR",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"sortBy": []
},
"name": "query - 20"
},
{
"type": 1,
"content": {
"json": "Select Playbook from 'List of Playbooks run by Automation rules' to show detials.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SentinelHealth\r\n| where SentinelResourceType == \"Automation rule\"\r\n| mv-expand TriggeredPlaybooks = ExtendedProperties.TriggeredPlaybooks\r\n| extend RunId=tostring(TriggeredPlaybooks.RunId)\r\n| where RunId == \"{RunIdAR}\"\r\n| join (AzureDiagnostics\r\n| where OperationName == \"Microsoft.Logic/workflows/workflowRunCompleted\"\r\n| project resource_runId_s, playbookName = resource_workflowName_s, playbookRunStatus = status_s, errorMessage = error_message_s) on\r\n$left.RunId == $right.resource_runId_s\r\n| project [\"Time generated\"]=TimeGenerated, Playbook=tostring(TriggeredPlaybooks.WorkflowId), [\"Run status\"]=playbookRunStatus, [\"Error message\"]=errorMessage, [\"Record ID\"]=RecordId, [\"Run ID\"] = RunId",
"size": 4,
"title": "Playbook run details from Azure Diagnostics",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "query - 21"
},
{
"type": 1,
"content": {
"json": "Select Playbook run from 'Selected Playbook runs' to show details. Please note that Diagnostic settings must be enabled for selected playbook to see the detials!",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 5"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "AutomationRulePlaybooks"
},
"name": "Playbooks run by Automation rule"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Billable info",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Subscription}"
],
"parameters": [
{
"id": "da74f32a-dad8-412f-8cc9-e1bf53d34dc0",
"version": "KqlParameterItem/1.0",
"name": "ResourceTypes",
"label": "Resource Types",
"type": 7,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"isHiddenWhenLocked": true,
"typeSettings": {
"additionalResourceOptions": [],
"includeAll": true,
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"value": [
"microsoft.logic/workflows"
]
},
{
"id": "b0d1a353-5581-461d-9450-c0f3274703d2",
"version": "KqlParameterItem/1.0",
"name": "ResourceGroups",
"label": "Resource groups",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "Resources\r\n| where type in~ ({ResourceTypes})\r\n| summarize Count = count() by subscriptionId, resourceGroup\r\n| order by Count desc\r\n| extend Rank = row_number()\r\n| project value = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup), label = resourceGroup, selected = false",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": [
"value::all"
]
},
{
"id": "3ec48fee-d642-418e-9be1-2b07d143001f",
"version": "KqlParameterItem/1.0",
"name": "Resources",
"label": "Playbooks",
"type": 5,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "Resources\r\n| where type in~({ResourceTypes})\r\n| extend resourceGroupId = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup)\r\n| where resourceGroupId in~({ResourceGroups}) or '*' in~({ResourceGroups})\r\n| order by name asc\r\n| extend Rank = row_number()\r\n| project value = id, label = tostring(name), selected = Rank <= 10, group = resourceGroup",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": [
"value::all"
]
}
],
"style": "above",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "parameters - Billable Info"
},
{
"type": 1,
"content": {
"json": "In this section, you can view billable information regarding your Logic Apps. The data is based on Logic Apps' build-in metrics. To view the list of Logic Apps click the \">\" icon in the subscription column.\r\nBy using the calculator link you can insert the \"Total billable executions\" to estimate the cost of your Logic Apps.\r\nAt the top of the grid, you have the total billable executions for the whole subscription. https://azure.microsoft.com/pricing/details/logic-apps/",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 0"
},
{
"type": 10,
"content": {
"chartId": "workbook31acc3db-f123-4d4a-bddb-be95869d14e3",
"version": "MetricsItem/2.0",
"size": 0,
"chartType": 0,
"resourceType": "microsoft.logic/workflows",
"metricScope": 0,
"resourceParameter": "Resources",
"resourceIds": [
"{Resources}"
],
"timeContextFromParameter": "TimeRange",
"timeContext": {
"durationMs": 604800000
},
"metrics": [
{
"namespace": "microsoft.logic/workflows",
"metric": "microsoft.logic/workflows--BillableTriggerExecutions",
"aggregation": 1
},
{
"namespace": "microsoft.logic/workflows",
"metric": "microsoft.logic/workflows--BillableActionExecutions",
"aggregation": 1
},
{
"namespace": "microsoft.logic/workflows",
"metric": "microsoft.logic/workflows--TotalBillableExecutions",
"aggregation": 1
},
{
"namespace": "microsoft.logic/workflows",
"metric": "microsoft.logic/workflows--RunsStarted",
"aggregation": 1
}
],
"gridSettings": {
"formatters": [
{
"columnMatch": "$gen_group",
"formatter": 15,
"formatOptions": {
"linkTarget": null,
"showIcon": true
}
},
{
"columnMatch": "Group",
"formatter": 15,
"formatOptions": {
"linkTarget": null,
"showIcon": true
}
},
{
"columnMatch": "Subscription",
"formatter": 15,
"formatOptions": {
"linkTarget": null,
"showIcon": true
}
},
{
"columnMatch": "Name",
"formatter": 13,
"formatOptions": {
"linkTarget": "Resource",
"showIcon": true
}
},
{
"columnMatch": "microsoft.logic/workflows--BillableTriggerExecutions",
"formatter": 1,
"numberFormat": {
"unit": 0,
"options": null
}
},
{
"columnMatch": "microsoft.logic/workflows--BillableTriggerExecutions Timeline",
"formatter": 5
},
{
"columnMatch": "microsoft.logic/workflows--BillableActionExecutions",
"formatter": 1,
"numberFormat": {
"unit": 0,
"options": null
}
},
{
"columnMatch": "microsoft.logic/workflows--BillableActionExecutions Timeline",
"formatter": 5
},
{
"columnMatch": "microsoft.logic/workflows--TotalBillableExecutions",
"formatter": 1,
"numberFormat": {
"unit": 0,
"options": null
}
},
{
"columnMatch": "microsoft.logic/workflows--TotalBillableExecutions Timeline",
"formatter": 5
},
{
"columnMatch": "microsoft.logic/workflows--RunsStarted",
"formatter": 1,
"numberFormat": {
"unit": 0,
"options": null
}
},
{
"columnMatch": "microsoft.logic/workflows--RunsStarted Timeline",
"formatter": 5
}
],
"rowLimit": 10000,
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"Subscription"
]
},
"labelSettings": [
{
"columnId": "microsoft.logic/workflows--BillableTriggerExecutions",
"label": "Billable Trigger Executions (Sum)"
},
{
"columnId": "microsoft.logic/workflows--BillableTriggerExecutions Timeline",
"label": "Billable Trigger Executions Timeline"
},
{
"columnId": "microsoft.logic/workflows--BillableActionExecutions",
"label": "Billable Action Executions (Sum)"
},
{
"columnId": "microsoft.logic/workflows--BillableActionExecutions Timeline",
"label": "Billable Action Executions Timeline"
},
{
"columnId": "microsoft.logic/workflows--TotalBillableExecutions",
"label": "Total Billable Executions (Sum)"
},
{
"columnId": "microsoft.logic/workflows--TotalBillableExecutions Timeline",
"label": "Total Billable Executions Timeline"
},
{
"columnId": "microsoft.logic/workflows--RunsStarted",
"label": "Runs Started (Sum)"
},
{
"columnId": "microsoft.logic/workflows--RunsStarted Timeline",
"label": "Runs Started Timeline"
}
]
}
},
"name": "metric - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "BillableInfo"
},
"name": "BillableInfo"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Playbook Health",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Subscription}"
],
"parameters": [
{
"id": "da74f32a-dad8-412f-8cc9-e1bf53d34dc0",
"version": "KqlParameterItem/1.0",
"name": "ResourceTypes",
"label": "Resource Types",
"type": 7,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"isHiddenWhenLocked": true,
"typeSettings": {
"additionalResourceOptions": [],
"includeAll": true,
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"value": [
"microsoft.logic/workflows"
]
},
{
"id": "b0d1a353-5581-461d-9450-c0f3274703d2",
"version": "KqlParameterItem/1.0",
"name": "ResourceGroups",
"label": "Resource groups",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "Resources\r\n| where type in~ ({ResourceTypes})\r\n| summarize Count = count() by subscriptionId, resourceGroup\r\n| order by Count desc\r\n| extend Rank = row_number()\r\n| project value = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup), label = resourceGroup, selected = false",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": [
"value::all"
]
},
{
"id": "3ec48fee-d642-418e-9be1-2b07d143001f",
"version": "KqlParameterItem/1.0",
"name": "Resources",
"label": "Playbooks",
"type": 5,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "Resources\r\n| where type in~({ResourceTypes})\r\n| extend resourceGroupId = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup)\r\n| where resourceGroupId in~({ResourceGroups}) or '*' in~({ResourceGroups})\r\n| order by name asc\r\n| extend Rank = row_number()\r\n| project value = id, label = tostring(name), selected = Rank <= 10, group = resourceGroup",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::5",
"value::10",
"value::50",
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": [
"value::50"
]
}
],
"style": "above",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "parameters - Billable Info"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let isResouceMatch=(ResourceToMatch:string){\r\n let resourceGroupsText = strcat_array(dynamic([{ResourceGroups}]),\",\");\r\n iff(strcat(\"\",{ResourceGroups}) has \"*\",true, resourceGroupsText contains strcat(\"/resourceGroups/\",tolower(ResourceToMatch)))\r\n};\r\nlet isLAMatch=(LAToMatch:string){\r\n let LAGroupsText = strcat_array(dynamic([{Resources}]),\",\");\r\n iff(strcat(\"\",{Resources}) has \"*\",true, LAGroupsText contains strcat(\"/workflows/\",tolower(LAToMatch)))\r\n};\r\n\r\nAzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.LOGIC\" and isResouceMatch(ResourceGroup) == true \r\n| where OperationName startswith \"Microsoft.Logic/workflows/workflowRun\" and isLAMatch(resource_workflowName_s) == true\r\n| make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by status_s\r\n|join(\r\nAzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.LOGIC\" and isResouceMatch(ResourceGroup) == true\r\n| where OperationName startswith \"Microsoft.Logic/workflows/workflowRun\" and isLAMatch(resource_workflowName_s) == true\r\n| summarize count() by status_s\r\n) on status_s\r\n| where status_s != \"Running\"\r\n| order by status_s asc, count_\r\n| project status_s,Trend, count_",
"size": 0,
"title": "Success and failure over time",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "status_s",
"exportParameterName": "Status",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "status_s",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Succeeded",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Failed",
"representation": "3",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
]
}
},
"leftContent": {
"columnMatch": "count_",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": "{0}{1}"
}
]
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
},
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Succeeded",
"color": "green"
},
{
"seriesName": "Failed",
"color": "red"
}
]
}
},
"customWidth": "25",
"name": "Success and failure over time"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let isResouceMatch=(ResourceToMatch:string){\r\n let resourceGroupsText = strcat_array(dynamic([{ResourceGroups}]),\",\");\r\n iff(strcat(\"\",{ResourceGroups}) has \"*\",true, resourceGroupsText contains strcat(\"/resourceGroups/\",tolower(ResourceToMatch)))\r\n};\r\nlet isLAMatch=(LAToMatch:string){\r\n let LAGroupsText = strcat_array(dynamic([{Resources}]),\",\");\r\n iff(strcat(\"\",{Resources}) has \"*\",true, LAGroupsText contains strcat(\"/workflows/\",tolower(LAToMatch)))\r\n};\r\nAzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.LOGIC\" and isResouceMatch(ResourceGroup)==true\r\n| where OperationName == \"Microsoft.Logic/workflows/workflowRunCompleted\"\r\n| where isLAMatch(resource_workflowName_s) == true\r\n| summarize count() by status_s , bin(TimeGenerated, 1h)\r\n",
"size": 0,
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "linechart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Succeeded",
"color": "green"
},
{
"seriesName": "Failed",
"color": "red"
}
]
}
},
"customWidth": "75",
"name": "query - 2"
},
{
"type": 10,
"content": {
"chartId": "workbook0f967a49-5d61-4b0c-96fc-dbd5646b752d",
"version": "MetricsItem/2.0",
"size": 0,
"chartType": 0,
"resourceType": "microsoft.logic/workflows",
"metricScope": 0,
"resourceParameter": "Resources",
"resourceIds": [
"{Resources}"
],
"timeContextFromParameter": "TimeBrush",
"timeContext": {
"durationMs": 0
},
"metrics": [
{
"namespace": "microsoft.logic/workflows",
"metric": "microsoft.logic/workflows--RunFailurePercentage",
"aggregation": 1
},
{
"namespace": "microsoft.logic/workflows",
"metric": "microsoft.logic/workflows--RunsStarted",
"aggregation": 1
},
{
"namespace": "microsoft.logic/workflows",
"metric": "microsoft.logic/workflows--RunsCompleted",
"aggregation": 1
},
{
"namespace": "microsoft.logic/workflows",
"metric": "microsoft.logic/workflows--RunLatency",
"aggregation": 4
},
{
"namespace": "microsoft.logic/workflows",
"metric": "microsoft.logic/workflows--RunsSucceeded",
"aggregation": 1
}
],
"title": "Failure percentage per Logic App",
"gridSettings": {
"formatters": [
{
"columnMatch": "Subscription",
"formatter": 15,
"formatOptions": {
"linkTarget": null,
"showIcon": true
}
},
{
"columnMatch": "Name",
"formatter": 13,
"formatOptions": {
"linkTarget": "Resource",
"showIcon": true
}
},
{
"columnMatch": "microsoft.logic/workflows--RunFailurePercentage",
"formatter": 8,
"formatOptions": {
"min": 10,
"max": 85,
"palette": "greenRed"
},
"numberFormat": {
"unit": 1,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "microsoft.logic/workflows--RunFailurePercentage Timeline",
"formatter": 21,
"formatOptions": {
"palette": "redBright"
}
},
{
"columnMatch": "microsoft.logic/workflows--RunsStarted",
"formatter": 8,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "microsoft.logic/workflows--RunsStarted Timeline",
"formatter": 5
},
{
"columnMatch": "microsoft.logic/workflows--RunsCompleted",
"formatter": 8,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "microsoft.logic/workflows--RunsCompleted Timeline",
"formatter": 5
},
{
"columnMatch": "microsoft.logic/workflows--RunLatency",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
},
"numberFormat": {
"unit": 24,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "microsoft.logic/workflows--RunLatency Timeline",
"formatter": 5
},
{
"columnMatch": "microsoft.logic/workflows--RunsSucceeded",
"formatter": 8,
"formatOptions": {
"palette": "green"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "microsoft.logic/workflows--RunsSucceeded Timeline",
"formatter": 21,
"formatOptions": {
"palette": "green"
}
}
],
"rowLimit": 10000,
"labelSettings": [
{
"columnId": "microsoft.logic/workflows--RunFailurePercentage",
"label": "Run Failure Percentage (Sum)"
},
{
"columnId": "microsoft.logic/workflows--RunFailurePercentage Timeline",
"label": "Run Failure Percentage Timeline"
},
{
"columnId": "microsoft.logic/workflows--RunsStarted",
"label": "Runs Started (Sum)"
},
{
"columnId": "microsoft.logic/workflows--RunsStarted Timeline",
"label": "Runs Started Timeline"
},
{
"columnId": "microsoft.logic/workflows--RunsCompleted",
"label": "Runs Completed (Sum)"
},
{
"columnId": "microsoft.logic/workflows--RunsCompleted Timeline",
"label": "Runs Completed Timeline"
},
{
"columnId": "microsoft.logic/workflows--RunLatency",
"label": "Run Latency (Average)"
},
{
"columnId": "microsoft.logic/workflows--RunLatency Timeline",
"label": "Run Latency Timeline"
},
{
"columnId": "microsoft.logic/workflows--RunsSucceeded",
"label": "Runs Succeeded (Sum)"
},
{
"columnId": "microsoft.logic/workflows--RunsSucceeded Timeline",
"label": "Runs Succeeded Timeline"
}
]
}
},
"name": "Failure percentage per Logic App"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let isResouceMatch=(ResourceToMatch:string){\r\n let resourceGroupsText = strcat_array(dynamic([{ResourceGroups}]),\",\");\r\n iff(strcat(\"\",{ResourceGroups}) has \"*\",true, resourceGroupsText contains strcat(\"/resourceGroups/\",tolower(ResourceToMatch)))\r\n};\r\nlet isLAMatch=(LAToMatch:string){\r\n let LAGroupsText = strcat_array(dynamic([{Resources}]),\",\");\r\n iff(strcat(\"\",{Resources}) has \"*\",true, LAGroupsText contains strcat(\"/workflows/\",tolower(LAToMatch)))\r\n};\r\nAzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.LOGIC\" and isResouceMatch(ResourceGroup) == true \r\n| where OperationName startswith \"Microsoft.Logic/workflows/workflowRunCompleted\" and isLAMatch(resource_workflowName_s) == true\r\n| where status_s =='{Status}' or '{Status}' =='All'\r\n| make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by resource_workflowName_s, status_s, error_code_s\r\n|join(\r\nAzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.LOGIC\" and isResouceMatch(ResourceGroup) == true \r\n| where OperationName startswith \"Microsoft.Logic/workflows/workflowRunCompleted\" and isLAMatch(resource_workflowName_s) == true\r\n| where status_s =='{Status}' or '{Status}' =='All'\r\n| summarize count() by resource_workflowName_s, status_s, error_code_s,ResourceGroup\r\n) on resource_workflowName_s, status_s\r\n| order by status_s asc, count_\r\n| project ResourceGroup, LogicApp = resource_workflowName_s, Status =status_s, Count = count_, Trend, Error = error_code_s",
"size": 0,
"showAnalytics": true,
"title": "Playbooks by status",
"timeContextFromParameter": "TimeBrush",
"exportFieldName": "LogicApp",
"exportParameterName": "Logic",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "LogicApp",
"formatter": 13,
"formatOptions": {
"linkColumn": "LogicApp",
"linkTarget": "Resource",
"showIcon": true
}
},
{
"columnMatch": "Status",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Succeeded",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Failed",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Skipped",
"representation": "1",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Running",
"representation": "pending",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "gray"
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"name": "Playbooks by status"
},
{
"type": 1,
"content": {
"json": "Select Success or Failure in 'Success and failure over time' to show details.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let isResouceMatch=(ResourceToMatch:string){\r\n let resourceGroupsText = strcat_array(dynamic([{ResourceGroups}]),\",\");\r\n iff(strcat(\"\",{ResourceGroups}) has \"*\",true, resourceGroupsText contains strcat(\"/resourceGroups/\",tolower(ResourceToMatch)))\r\n};\r\nlet isLAMatch=(LAToMatch:string){\r\n let LAGroupsText = strcat_array(dynamic([{Resources}]),\",\");\r\n iff(strcat(\"\",{Resources}) has \"*\",true, LAGroupsText contains strcat(\"/workflows/\",tolower(LAToMatch)))\r\n};\r\n\r\nAzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.LOGIC\" and isResouceMatch(ResourceGroup) == true \r\n| where OperationName startswith \"Microsoft.Logic/workflows/workflowTrigger\" and isLAMatch(resource_workflowName_s) == true\r\n| where resource_workflowName_s =='{Logic}' or '{Logic}' =='All'\r\n| make-series Trend = count() on TimeGenerated from {TimeBrush:start} to {TimeBrush:end} step {TimeBrush:grain} by resource_triggerName_s, status_s, resource_workflowName_s\r\n|join(\r\nAzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.LOGIC\" and isResouceMatch(ResourceGroup) == true \r\n| where OperationName startswith \"Microsoft.Logic/workflows/workflowTrigger\" and isLAMatch(resource_workflowName_s) == true\r\n| summarize count() by resource_triggerName_s, status_s, resource_workflowName_s\r\n) on resource_triggerName_s, status_s, resource_workflowName_s\r\n| order by status_s asc, count_\r\n| where status_s != \"Running\" \r\n| project Trigger = resource_triggerName_s,LogicAppName = resource_workflowName_s,Status =status_s, Count = count_,Trend",
"size": 0,
"showAnalytics": true,
"title": "Playbooks' Trigger by status",
"timeContextFromParameter": "TimeBrush",
"exportFieldName": "status_s",
"exportParameterName": "Status",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Status",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Succeeded",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Failed",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Skipped",
"representation": "1",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Running",
"representation": "pending",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "gray"
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"name": "Playbooks' Trigger by status"
},
{
"type": 1,
"content": {
"json": "Select Playbook in 'Playbooks by status' to show details.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let isResouceMatch=(ResourceToMatch:string){\r\n let resourceGroupsText = strcat_array(dynamic([{ResourceGroups}]),\",\");\r\n iff(strcat(\"\",{ResourceGroups}) has \"*\",true, resourceGroupsText contains strcat(\"/resourceGroups/\",tolower(ResourceToMatch)))\r\n};\r\nlet isLAMatch=(LAToMatch:string){\r\n let LAGroupsText = strcat_array(dynamic([{Resources}]),\",\");\r\n iff(strcat(\"\",{Resources}) has \"*\",true, LAGroupsText contains strcat(\"/workflows/\",tolower(LAToMatch)))\r\n};\r\n\r\nAzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.LOGIC\" and isResouceMatch(ResourceGroup) == true \r\n| where OperationName startswith \"Microsoft.Logic/workflows/workflowAction\" and isLAMatch(resource_workflowName_s) == true\r\n| where resource_workflowName_s =='{Logic}' or '{Logic}' =='All'\r\n| make-series Trend = count() on TimeGenerated from {TimeBrush:start} to {TimeBrush:end} step {TimeBrush:grain} by Resource, status_s, resource_workflowName_s\r\n|join(\r\nAzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.LOGIC\" and isResouceMatch(ResourceGroup) == true \r\n| where OperationName startswith \"Microsoft.Logic/workflows/workflowAction\" and isLAMatch(resource_workflowName_s) == true\r\n| summarize count() by Resource, status_s, resource_workflowName_s\r\n) on Resource, status_s, resource_workflowName_s\r\n| order by status_s asc, count_\r\n| where status_s != \"Running\"\r\n| project Action = Resource, LogicAppName = resource_workflowName_s, Status =status_s, Count = count_, Trend",
"size": 0,
"showAnalytics": true,
"title": "Playbooks' Action by status",
"timeContextFromParameter": "TimeBrush",
"exportFieldName": "status_s",
"exportParameterName": "Status",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Status",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Succeeded",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Failed",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Skipped",
"representation": "1",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Running",
"representation": "pending",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "gray"
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"name": "Playbooks' Action by status"
},
{
"type": 1,
"content": {
"json": "Select Playbook in 'Playbooks by status' to show details.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "ShowHelp",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 9"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "PlaybookHealthAD"
},
"name": "PlaybookHealthAD"
}
],
"fallbackResourceIds": [],
"fromTemplateId": "sentinel-AutomationHealth",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}