
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## View Microsoft Sentinel Incidents and details from any selected Workspaces \r\n\r\n"
},
"name": "text - 0"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Subscription}"
],
"parameters": [
{
"id": "01868289-27ef-4b5e-ae83-1715cacde421",
"version": "KqlParameterItem/1.0",
"name": "region",
"label": "🌍 Region",
"type": 2,
"description": "Filter by Azure Region (location)",
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "Resources \r\n//| where type =~ \"microsoft.operationalinsights/workspaces\"\r\n| where type =~ \"microsoft.operationsmanagement/solutions\"\r\n| where name has \"SecurityInsights\"\r\n| summarize WorkspaceCount = count(name) by location\r\n| order by location asc\r\n| project value=location, display=strcat(location,'(',WorkspaceCount,')')",
"crossComponentResources": [
"value::selected"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "*",
"showDefault": false
},
"defaultValue": "value::all",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "1ca69445-60fc-4806-b43d-ac7e6aad630a",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"label": "☁️ Subscription",
"type": 6,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "resources\r\n| where '*' in ({region}) or location in ({region})\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| distinct subscriptionId, location\r\n| summarize by value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId\r\n| order by value asc\r\n",
"crossComponentResources": [
"value::selected"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"defaultValue": "value::all",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": [
"value::all"
]
},
{
"id": "e94aafa3-c5d9-4523-89f0-4e87aa754511",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"label": "🗂️ Workspace",
"type": 5,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "resources\n| where type =~ 'microsoft.operationalinsights/workspaces'\n| extend customerID = trim(' ', tostring(properties.customerId))\n| project id, customerID, name=tolower(name)\n|join \n(\n\tresources\n\t// Just show Workspaces that have Sentinel enabled\n\t| where type =~ \"microsoft.operationsmanagement/solutions\"\n\t| where name has \"SecurityInsights\"\n\t| parse name with * '(' s_workspace ')'*\n\t| project name=tolower(s_workspace)\n) on name\n| project tolower(id), customerID, name",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"resourceTypeFilter": {
"microsoft.operationalinsights/workspaces": true
},
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"defaultValue": "value::all",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "66f59acd-2628-457d-a5cd-176aa453472a",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 604800000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"label": "⏱️ Time Range"
},
{
"id": "65e74c73-69f0-4eb5-a772-4fb5eae73d28",
"version": "KqlParameterItem/1.0",
"name": "WorkspaceIDguid",
"type": 1,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| extend customerID = trim(' ', tostring(properties.customerId))\r\n| project '{Workspace:name}', name, customerID\r\n| where '{Workspace:name}' has name\r\n//| project customerID, name\r\n// join two columns, separated with a \":\"; ARG will comma-separate each row by default\r\n| project strcat(customerID,\":\",name)",
"crossComponentResources": [
"{Subscription}"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "2af84437-b015-456b-9660-97c8415e72fd",
"version": "KqlParameterItem/1.0",
"name": "Product",
"label": "Product Name",
"type": 2,
"description": "Filter on All or a named Product",
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SecurityIncident\r\n| extend productName_ = tostring(parse_json(tostring(AdditionalData.alertProductNames))[0])\r\n| extend value = \r\n case(productName_ =='Microsoft Cloud App Security','Microsoft Defender for Cloud App',\r\n productName_ == 'Microsoft Defender Advanced Threat Protection','Microsoft Defender for Endpoint(ATP)',\r\n productName_ =='Microsoft Defender Advanced Threat Protection','Microsoft Defender for Endpoint',\r\n productName_ =='Office 365 Advanced Threat Protection','Microsoft Defender for Office 365',\r\n productName_ =='Azure Advanced Threat Protection','Microsoft Defender for Identity',\r\n productName_ =='Azure Sentinel','Microsoft Sentinel',\r\n productName_ =='Azure Sentinel','Microsoft Sentinel',\r\n // else\r\n productName_)\r\n| summarize by display=productName_, value\r\n| order by value asc",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 604800000
},
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "5a683c1d-5e10-4d94-bb2a-32c05b17da8e",
"version": "KqlParameterItem/1.0",
"name": "resourceGroup",
"type": 1,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n//| where name == \"{Workspace:label}\" \r\n| project resourceGroup",
"crossComponentResources": [
"{Subscription}"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "306edc18-d122-478d-97aa-ebc5a4cb88db",
"version": "KqlParameterItem/1.0",
"name": "Owner",
"type": 2,
"description": "Filter on All or a named Owner assigned to an Incident",
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "SecurityIncident\r\n| extend owner = tostring(Owner.assignedTo) \r\n| summarize Count=count(IncidentNumber) by Owner= case(owner==\"\", \"Unassigned\",owner)\r\n| project Value = Owner, Label = strcat(Owner, \": \", Count)",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "*",
"showDefault": false
},
"timeContext": {
"durationMs": 2592000000
},
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "04338a2a-010c-409d-91ac-4b74a0e9d56c",
"version": "KqlParameterItem/1.0",
"name": "Help",
"type": 10,
"isRequired": true,
"typeSettings": {
"showDefault": false
},
"jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n { \"value\": \"No\", \"label\": \"No\", \"selected\":true },\r\n { \"value\": \"Change Log\", \"label\": \"Change Log\"}\r\n]",
"timeContextFromParameter": "TimeRange",
"label": "📖 Help",
"value": "Change Log"
}
],
"style": "above",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "parameters - 1"
},
{
"type": 1,
"content": {
"json": "## Sentinel Central\r\n### Change Log\r\nUse this report to view Incident and Alert data across many workspaces (works with Azure Lighthouse)\r\n\r\n\r\n|Version|Description|\r\n|---|---|\r\n|v1.2| View Alerts from multiple workspaces (Azure Lighthouse compatible)|\r\n|v1.3| MSSP release |\r\n|v1.4| Add Workspace info |\r\n|v1.5| Add Workspace info |\r\n|v2.0| Multi workspace hunting. per Region selection from main drop down. |\r\n|v2.1| Addition of Workspace and Table specific retention. |\r\n|v2.2| Improve Hunting Tab and lookup the Workspace id automatically. Also add Table filtering in the **Retention** Tab, using the method from Sean Stark from Archive and Basic logs workbook|\r\n|v2.2.1| Directory and Azure Lighthouse info added. |\r\n|v2.3.0| SKU info added in [Ingestion] tab, and Content Hub info added from within the [Tables] tab. |\r\n|v2.3.1| Fixed issue #10465 where incidents were not being counted correctly.|"
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Change Log"
},
"name": "text - 7"
},
{
"type": 1,
"content": {
"json": "## Sentinel Central Help\r\n#### Data sources: REST api, SecurityIncident and SecurityAlert Tables\r\n\r\n## Incident Overview: \r\nUse this report to view Incident (and Alert data) across many workspaces, this works with Azure Lighthouse and across any subscription you have access to. The Workbook is not intended to replace the Multiple Incidents across Workspace view/feature in the Azure Sentinel UI, it's just a way of seeing the data in a different way.\r\n- Workspaces not linked to Azure Sentinel will not be shown.\r\n\r\n## Hunting\r\nThis option allows you to use your own KQL (which you can write within the page, or copy from an example or existing query). This will run against *any* of the Workspaces you have selected in the parameters (local or via Azure Lighthouse), please remember the more Workspaces and time range selected, the slower the results.\r\n- Use case, this allows you to enter a simple KQL query that doesn't need the prefix of\tworkspace(\"my workspace name\").my table name \r\n\r\ne.g. workspace(\"Demo\").Usage | limit 10\r\n\r\nor \r\n\r\n//Example query \r\nSecurityIncident\r\n| summarize High = countif(Severity ==\"High\"), Medium = countif(Severity ==\"Medium\"), MyIncidents=make_set(IncidentNumber ) by WorkspaceId=TenantId\r\n\r\n##### Note:\r\nIn your query it may be useful to have the workspace ID returned; to do this you get the data from the TenantID column, and as this name can be confusing we suggest you re-map it to WorkspaceID.\r\ne.g.\r\n•\tSecurityIncident | summarize count() by WorkspaceId=TenantId\r\n\r\n## Query Packs\r\nIf you are using Query Packs, use this Tab to open one (from any Resource Group), you can then click on a Query Pack and then on an individual query to run it. 
\r\n\r\n- Use case, storing queries this way enables you to share them and secure them (ARM and RBAC), this method allows you to stay within the workbook to find and execute your queries.\r\n## Saved Searches\r\nAny Saved Searches from a selected Workspace can be run from this tab. \r\n\r\n- Use Case, you can see (if you have read rights) saved searches in a selected Workspace and click to run them. Much like the Query Pack method above.\r\n\r\n## Retention\r\nWorkspace and Table specific retention can be viewed in this tab.\r\n\r\n- Use Case, you can see (if you have read rights) the same or different level retention set on a table in a selected Workspace.\r\n\r\n\r\n"
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 7 - Copy"
}
],
"exportParameters": true
},
"customWidth": "75",
"name": "group - parameter and help"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "ad9f9173-35b3-4c1a-84e4-6f6062263c18",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Incident Overview",
"subTarget": "incidents",
"style": "link"
},
{
"id": "d3143cd8-a610-4ce9-990d-3e6674fcb5e2",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Ingestion",
"subTarget": "ingestion",
"style": "link"
},
{
"id": "18c99658-c4e7-4cef-9d25-c49056355810",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Tables",
"subTarget": "tables",
"style": "link"
},
{
"id": "f99135dc-8862-434b-ad1c-38714c1d8992",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Hunting",
"subTarget": "hunting",
"style": "link"
},
{
"id": "f99e8417-fdad-434d-98a3-9b901c273650",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Query Pack",
"subTarget": "querypack",
"style": "link"
},
{
"id": "a56b10fb-0e65-4308-9c9e-e6c56ef356c6",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Saved Searches",
"subTarget": "saved",
"style": "link"
},
{
"id": "16449876-2e6f-4c55-9931-30b5d82baead",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Retention",
"subTarget": "retention",
"style": "link"
},
{
"id": "e2582d39-3a29-41ab-9a7c-4df62e79784c",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Rules",
"subTarget": "rules",
"style": "link"
}
]
},
"name": "links - 7"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n//Filter out duplicate incidents\r\n| summarize arg_max(TimeGenerated, *) by IncidentName\r\n// end of get workspace name section\r\n| summarize count(IncidentName) by [\"Workspace\"] = workSpacename\r\n\r\n\r\n\r\n",
"size": 4,
"title": "Count of Security Incidents for selected {$rowCount} Workspaces",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart",
"gridSettings": {
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"wsName"
]
},
"sortBy": [
{
"itemKey": "wsName",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "wsName",
"sortOrder": 2
}
]
},
"name": "query - 3 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ManagedServicesResources\r\n| extend managed_ = tostring(properties.registrationDefinition.properties.manageeTenantName)\r\n| extend managed2_ = trim(@\"[^\\w]+\",tostring(properties.manageeTenantName))\r\n| extend Directory = iif(isempty(managed_),managed2_, managed_)\r\n| project ManagedBy=properties.registrationDefinition.properties.registrationDefinitionName, managed_, subscriptionId, resourceGroup\r\n| where isnotempty( managed_)\r\n| summarize count() by tostring(ManagedBy), tostring(managed_), subscriptionId, resourceGroup\r\n| project Directory= managed_, ManagedBy, subscriptionId, resourceGroup, AzureLighthouse='Yes'\r\n| join kind=fullouter \r\n(\r\n\tresources\r\n\t// Just show Workspaces that have Sentinel enabled\r\n\t| where type =~ \"microsoft.operationsmanagement/solutions\"\r\n\t| where name has \"SecurityInsights\"\r\n\t| parse name with * '(' s_workspace ')'*\r\n\t| project workspaceName=tolower(s_workspace), location, subscriptionId, AzureLighthouse='No'\r\n) on subscriptionId\r\n| order by ['AzureLighthouse'] asc\r\n| extend AzureLighthouse = iif(isempty(AzureLighthouse),AzureLighthouse1,AzureLighthouse)\r\n| extend subscriptionId = iif(isempty(subscriptionId),subscriptionId1,subscriptionId)",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Subscription}"
]
},
"conditionalVisibility": {
"parameterName": "hide",
"comparison": "isEqualTo",
"value": "hide"
},
"name": "query - ARG to find Azure Lighthouse"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n//Filter out duplicate incidents\r\n| summarize arg_max(TimeGenerated, *) by IncidentName\r\n// end of get workspace name section\r\n| summarize High= countif(Severity==\"High\"),\r\n Medium=countif(Severity==\"Medium\"),\r\n Low =countif(Severity==\"Low\"), \r\n Informational=countif(Severity==\"Informational\"),\r\n Last_record = datetime_diff(\"second\", now(), max(TimeGenerated)),\r\n Total = count()\r\n by workSpacename\r\n| join\r\n(\r\nSecurityIncident\r\n// mean time to triage Section\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n// end of get workspace name section\r\n//| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\r\n| extend Owner = todynamic(Owner.assignedTo) \r\n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\r\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \r\n| where Product in ({Product}) or '{Product:label}' == \"All\"\r\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \r\n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\r\n| summarize 50th_PercentileMeanTime=percentile(TimeToTriage, 50) by workSpacename\r\n) on workSpacename\r\n|project-away workSpacename1\r\n| join\r\n(\r\nSecurityIncident\r\n// mean time to close Section\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| extend iD = TenantId\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has 
TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n// end of get workspace name section\r\n//| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\r\n| extend Owner = todynamic(Owner.assignedTo) \r\n| where Owner in ({Owner}) or '{Owner:label}' == \"All\"\r\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \r\n| where Product in ({Product}) or '{Product:label}' == \"All\"\r\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \r\n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\r\n| summarize 50th_PercentileCloseTime=percentile(TimeToClosure, 50) by workSpacename\r\n) on workSpacename\r\n|project-away workSpacename1\r\n| join\r\n(\r\nSecurityIncident\r\n // Incident Trend by Workspace\r\n // Get the Workspace Name(s) from a parameter\r\n | extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n | mv-expand stringtoSplit\r\n | where stringtoSplit has TenantId\r\n | extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n | make-series IncidentTrend=count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by workSpacename\r\n) on workSpacename\r\n|project-away workSpacename1, TimeGenerated\r\n| order by Total desc\r\n\r\n",
"size": 2,
"title": "Security Incident summary for {$rowCount} Workspaces: QueryTime {$queryTime}",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "workSpacename",
"exportParameterName": "exportworkSpacename",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "High",
"formatter": 4,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "Medium",
"formatter": 4,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "Low",
"formatter": 4,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "Informational",
"formatter": 4,
"formatOptions": {
"palette": "greenRed",
"customColumnWidthSetting": "150px"
}
},
{
"columnMatch": "Last_record",
"formatter": 0,
"numberFormat": {
"unit": 24,
"options": {
"style": "decimal",
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Total",
"formatter": 8,
"formatOptions": {
"palette": "coldHot"
}
},
{
"columnMatch": "50th_PercentileMeanTime",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
},
"numberFormat": {
"unit": 26,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 3
}
}
},
{
"columnMatch": "50th_PercentileCloseTime",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
},
"numberFormat": {
"unit": 26,
"options": {
"style": "decimal",
"maximumFractionDigits": 3
}
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "blueDark"
}
},
{
"columnMatch": "iD",
"formatter": 5
}
],
"filter": true,
"sortBy": [
{
"itemKey": "$gen_heatmap_Total_6",
"sortOrder": 2
}
],
"labelSettings": [
{
"columnId": "workSpacename",
"label": "Workspace Name"
},
{
"columnId": "50th_PercentileMeanTime",
"label": "Mean time to triage"
},
{
"columnId": "50th_PercentileCloseTime",
"label": "Mean time to closure"
}
]
},
"sortBy": [
{
"itemKey": "$gen_heatmap_Total_6",
"sortOrder": 2
}
]
},
"conditionalVisibility": {
"parameterName": "hide",
"comparison": "isEqualTo",
"value": "hide"
},
"name": "query - SecIncidents"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"e3e16101-a776-4848-b21d-201c7e84f0e0\",\"mergeType\":\"innerunique\",\"leftTable\":\"query - ARG to find Azure Lighthouse\",\"rightTable\":\"query - SecIncidents\",\"leftColumn\":\"workspaceName\",\"rightColumn\":\"workSpacename\"}],\"projectRename\":[{\"originalName\":\"[query - ARG to find Azure Lighthouse].Directory\",\"mergedName\":\"Directory\",\"fromId\":\"e3e16101-a776-4848-b21d-201c7e84f0e0\"},{\"originalName\":\"[query - SecIncidents].workSpacename\",\"mergedName\":\"Workspace Name\",\"fromId\":\"e3e16101-a776-4848-b21d-201c7e84f0e0\"},{\"originalName\":\"[query - ARG to find Azure Lighthouse].ManagedBy\",\"mergedName\":\"ManagedBy\",\"fromId\":\"e3e16101-a776-4848-b21d-201c7e84f0e0\"},{\"originalName\":\"[query - ARG to find Azure Lighthouse].AzureLighthouse\",\"mergedName\":\"AzureLighthouse\",\"fromId\":\"e3e16101-a776-4848-b21d-201c7e84f0e0\"},{\"originalName\":\"[query - ARG to find Azure Lighthouse].location\",\"mergedName\":\"location\",\"fromId\":\"e3e16101-a776-4848-b21d-201c7e84f0e0\"},{\"originalName\":\"[query - SecIncidents].High\",\"mergedName\":\"High\",\"fromId\":\"e3e16101-a776-4848-b21d-201c7e84f0e0\"},{\"originalName\":\"[query - SecIncidents].Medium\",\"mergedName\":\"Medium\",\"fromId\":\"e3e16101-a776-4848-b21d-201c7e84f0e0\"},{\"originalName\":\"[query - SecIncidents].Low\",\"mergedName\":\"Low\",\"fromId\":\"e3e16101-a776-4848-b21d-201c7e84f0e0\"},{\"originalName\":\"[query - SecIncidents].Informational\",\"mergedName\":\"Informational\",\"fromId\":\"e3e16101-a776-4848-b21d-201c7e84f0e0\"},{\"originalName\":\"[query - SecIncidents].Last_record\",\"mergedName\":\"Last_record\",\"fromId\":\"e3e16101-a776-4848-b21d-201c7e84f0e0\"},{\"originalName\":\"[query - SecIncidents].Total\",\"mergedName\":\"Total\",\"fromId\":\"e3e16101-a776-4848-b21d-201c7e84f0e0\"},{\"originalName\":\"[query - SecIncidents].50th_PercentileMeanTime\",\"mergedName\":\"Mean time to 
triage\",\"fromId\":\"e3e16101-a776-4848-b21d-201c7e84f0e0\"},{\"originalName\":\"[query - SecIncidents].50th_PercentileCloseTime\",\"mergedName\":\"Mean time to closure\",\"fromId\":\"e3e16101-a776-4848-b21d-201c7e84f0e0\"},{\"originalName\":\"[query - SecIncidents].IncidentTrend\",\"mergedName\":\"IncidentTrend\",\"fromId\":\"e3e16101-a776-4848-b21d-201c7e84f0e0\"},{\"originalName\":\"[query - ARG to find Azure Lighthouse].subscriptionId\",\"mergedName\":\"subscriptionId\",\"fromId\":\"e3e16101-a776-4848-b21d-201c7e84f0e0\"},{\"originalName\":\"[query - ARG to find Azure Lighthouse].resourceGroup\",\"mergedName\":\"resourceGroup\",\"fromId\":\"e3e16101-a776-4848-b21d-201c7e84f0e0\"},{\"originalName\":\"[query - ARG to find Azure Lighthouse].subscriptionId1\"},{\"originalName\":\"[query - SecIncidents].workSpacename\"},{\"originalName\":\"[query - ARG to find Azure Lighthouse].AzureLighthouse1\"},{\"originalName\":\"[query - ARG to find Azure Lighthouse].workspaceName\"}]}",
"size": 0,
"title": "Security Incident summary for {$rowCount} Workspaces: QueryTime {$queryTime}",
"queryType": 7,
"gridSettings": {
"formatters": [
{
"columnMatch": "AzureLighthouse",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "No",
"representation": "Disconnect",
"text": "{0}{1}"
},
{
"operator": "Default",
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "High",
"formatter": 4,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "Medium",
"formatter": 4,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "Low",
"formatter": 4,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "Informational",
"formatter": 4,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "Last_record",
"formatter": 0,
"numberFormat": {
"unit": 24,
"options": {
"style": "decimal",
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Total",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "Mean time to triage",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "Mean time to closure",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "IncidentTrend",
"formatter": 10,
"formatOptions": {
"palette": "pink"
}
}
],
"sortBy": [
{
"itemKey": "$gen_heatmap_Total_10",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "$gen_heatmap_Total_10",
"sortOrder": 2
}
]
},
"showPin": false,
"name": "query - 16"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "resources\r\n | where type == \"microsoft.insights/workbooks\"\r\n | where properties.displayName has \"Security operations efficiency\" \r\n //| where properties.displayName has '{exportworkSpacename}'\r\n //| project properties.displayName, id\r\n | project id, note='Please select the Subscription and Workspace names again in the new blade'\r\n | limit 1\r\n\r\n",
"size": 4,
"title": "Open [Security Operations Efficiency] Workbook (if the Workbook exists locally)",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Subscription}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "id",
"formatter": 7,
"formatOptions": {
"linkTarget": "WorkbookTemplate",
"linkLabel": "Click to Open [Security operations efficiency] workbook",
"linkIsContextBlade": true
}
},
{
"columnMatch": "note",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "100ch"
}
}
],
"labelSettings": [
{
"columnId": "id",
"label": "Open"
}
]
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "exportworkSpacename",
"comparison": "isNotEqualTo"
},
"name": "query - open_SOC_workbook"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| extend customerWorkspaceID = trim(' ', tostring(properties.customerId))\r\n| project id, customerWorkspaceID, name=tolower(name), subscriptionId, tenantId\r\n|join \r\n(\r\n\tresources\r\n\t// Just show Workspaces that have Sentinel enabled\r\n\t| where type =~ \"microsoft.operationsmanagement/solutions\"\r\n\t| where name has \"SecurityInsights\"\r\n\t| parse name with * '(' s_workspace ')'*\r\n\t| project name=tolower(s_workspace), subscriptionId, location, properties, resourceGroup\r\n) on name\r\n| where name =~ '{exportworkSpacename}'\r\n| project name, Open=tolower(id), tenantId, customerWorkspaceID, subscriptionId, location, properties, resourceGroup\r\n",
"size": 4,
"title": "Workspace details - click on \"name\" for more details",
"exportedParameters": [
{
"fieldName": "tenantId",
"parameterName": "exporttenantId",
"parameterType": 1
},
{
"fieldName": "subscriptionId",
"parameterName": "exportSubscriptionId",
"parameterType": 1
},
{
"fieldName": "resourceGroup",
"parameterName": "exportResourceGroup",
"parameterType": 1
},
{
"fieldName": "name",
"parameterName": "exportName",
"parameterType": 1
}
],
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Subscription}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Open",
"formatter": 7,
"formatOptions": {
"linkTarget": "Resource",
"linkLabel": "Workspace context blade",
"linkIsContextBlade": true
}
},
{
"columnMatch": "id",
"formatter": 7,
"formatOptions": {
"linkTarget": "WorkbookTemplate",
"linkLabel": "Click to Open [Security operations efficiency] workbook",
"linkIsContextBlade": false
}
},
{
"columnMatch": "note",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "100ch"
}
}
]
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "exportworkSpacename",
"comparison": "isNotEqualTo"
},
"name": "query - Workspace Details"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/tenants?api-version=2022-12-01\",\"urlParams\":[{\"key\":\"\",\"value\":\"\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[]}}]}",
"size": 4,
"title": "Tenant details",
"queryType": 12,
"gridSettings": {
"formatters": [
{
"columnMatch": "id",
"formatter": 5
},
{
"columnMatch": "domains",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkLabel": "Domain name(s)",
"linkIsContextBlade": true
}
},
{
"columnMatch": "Open",
"formatter": 7,
"formatOptions": {
"linkTarget": "Resource",
"linkLabel": "Workspace context blade",
"linkIsContextBlade": true
}
},
{
"columnMatch": "note",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "100ch"
}
}
]
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "exportworkSpacename",
"comparison": "isEqualTo",
"value": "hide"
},
"name": "query - Tenant Details"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{exportSubscriptionId}/resourceGroups/{exportResourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{exportworkSpacename}/providers/Microsoft.SecurityInsights/AlertRules\",\"urlParams\":[{\"key\":\"\",\"value\":\"\"},{\"key\":\"api-version\",\"value\":\"2020-01-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"properties.displayName\",\"columnid\":\"displayName\"},{\"path\":\"type\",\"columnid\":\"type\"},{\"path\":\"kind\",\"columnid\":\"kind\"},{\"path\":\"properties\",\"columnid\":\"properties\"},{\"path\":\"properties.lastModifiedUtc\",\"columnid\":\"lastModifiedUtc\"}]}}]}",
"size": 4,
"title": "Rules details ('{exportName}' with {$rowCount} deployed Rules)",
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"formatters": [
{
"columnMatch": "id",
"formatter": 5
},
{
"columnMatch": "name",
"formatter": 5
},
{
"columnMatch": "etag",
"formatter": 5
},
{
"columnMatch": "domains",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkLabel": "Domain name(s)",
"linkIsContextBlade": true
}
},
{
"columnMatch": "Open",
"formatter": 7,
"formatOptions": {
"linkTarget": "Resource",
"linkLabel": "Workspace context blade",
"linkIsContextBlade": true
}
},
{
"columnMatch": "note",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "100ch"
}
}
],
"rowLimit": 500,
"filter": true,
"sortBy": [
{
"itemKey": "kind",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "kind",
"sortOrder": 2
}
]
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "exportResourceGroup",
"comparison": "isNotEqualTo",
"value": ""
},
"name": "query - Rules details"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"724f0ff2-e293-4655-9005-b25c4442a0de\",\"mergeType\":\"innerunique\",\"leftTable\":\"query - Workspace Details\",\"rightTable\":\"query - Tenant Details\",\"leftColumn\":\"tenantId\",\"rightColumn\":\"tenantId\"}],\"projectRename\":[{\"originalName\":\"[query - Workspace Details].name\",\"mergedName\":\"name\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Workspace Details].Open\",\"mergedName\":\"Open\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Workspace Details].tenantId\",\"mergedName\":\"tenantId\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Workspace Details].customerWorkspaceID\",\"mergedName\":\"customerWorkspaceID\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Workspace Details].subscriptionId\",\"mergedName\":\"subscriptionId\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Workspace Details].location\",\"mergedName\":\"location\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Workspace Details].properties\",\"mergedName\":\"properties\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant Details].id\",\"mergedName\":\"id\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant Details].tenantId\",\"mergedName\":\"tenantId1\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant Details].countryCode\",\"mergedName\":\"countryCode\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant Details].displayName\",\"mergedName\":\"displayName\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant 
Details].domains\",\"mergedName\":\"domains\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant Details].tenantCategory\",\"mergedName\":\"tenantCategory\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant Details].defaultDomain\",\"mergedName\":\"defaultDomain\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant Details].tenantType\",\"mergedName\":\"tenantType\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Tenant Details].tenantBrandingLogoUrl\",\"mergedName\":\"tenantBrandingLogoUrl\",\"fromId\":\"724f0ff2-e293-4655-9005-b25c4442a0de\"},{\"originalName\":\"[query - Workspace Details].resourceGroup\",\"mergedName\":\"resourceGroup\",\"fromId\":\"unknown\"}]}",
"size": 4,
"title": "Tenant Details",
"showExportToExcel": true,
"queryType": 7,
"gridSettings": {
"formatters": [
{
"columnMatch": "id",
"formatter": 5
},
{
"columnMatch": "tenantId1",
"formatter": 5
},
{
"columnMatch": "domains",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkLabel": "Domain List",
"linkIsContextBlade": true
}
}
],
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "exportworkSpacename",
"comparison": "isNotEqualTo"
},
"showPin": false,
"name": "query - merged Tenant view"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Classification, Tactics and Techniques report",
"expandable": true,
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n// end of get workspace name section\r\n| where Status == 'Closed'\r\n| order by LastModifiedTime \r\n| summarize count(), make_set(ClassificationComment) by workSpacename, Classification , ClassificationReason \r\n| evaluate pivot(Classification, sum(count_))",
"size": 1,
"title": "Incident Classification report",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "set_ClassificationComment",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkIsContextBlade": true
}
},
{
"columnMatch": "BenignPositive",
"formatter": 4,
"formatOptions": {
"palette": "greenRed",
"customColumnWidthSetting": "150px"
}
},
{
"columnMatch": "FalsePositive",
"formatter": 4,
"formatOptions": {
"palette": "greenRed",
"customColumnWidthSetting": "150px"
}
},
{
"columnMatch": "TruePositive",
"formatter": 4,
"formatOptions": {
"palette": "greenRed",
"customColumnWidthSetting": "150px"
}
},
{
"columnMatch": "Undetermined",
"formatter": 4,
"formatOptions": {
"palette": "greenRed",
"customColumnWidthSetting": "150px"
}
}
],
"filter": true,
"sortBy": [
{
"itemKey": "workSpacename",
"sortOrder": 2
}
],
"labelSettings": [
{
"columnId": "set_ClassificationComment",
"label": "Reason"
}
]
},
"sortBy": [
{
"itemKey": "workSpacename",
"sortOrder": 2
}
]
},
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n// end of get workspace name section\r\n| extend Tactics_ = tostring(parse_json(tostring(AdditionalData.tactics)))\r\n| summarize count()\r\n by workSpacename, Tactics_\r\n| order by count_ desc\r\n| evaluate pivot(Tactics_, sum(count_))",
"size": 1,
"title": "Incident Tactics report",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "set_ClassificationComment",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkIsContextBlade": true
}
},
{
"columnMatch": "TruePositive",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
}
}
],
"filter": true,
"sortBy": [
{
"itemKey": "workSpacename",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "workSpacename",
"sortOrder": 1
}
],
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "workSpacename",
"formatter": 1
},
"leftContent": {
"columnMatch": "[\"Collection\"]",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"name": "query - 10 - Tactics"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n// end of get workspace name section\r\n| extend Tactics_ = tostring(parse_json(tostring(AdditionalData.techniques)))\r\n| summarize count()\r\n by workSpacename, Tactics_\r\n| order by count_ desc\r\n| evaluate pivot(Tactics_, sum(count_))",
"size": 1,
"title": "Incident Techniques report, count {$rowCount}",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "set_ClassificationComment",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkIsContextBlade": true
}
},
{
"columnMatch": "TruePositive",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
}
}
],
"filter": true,
"sortBy": [
{
"itemKey": "workSpacename",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "workSpacename",
"sortOrder": 1
}
],
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "workSpacename",
"formatter": 1
},
"leftContent": {
"columnMatch": "[\"Collection\"]",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"name": "query - 10 - Techniques"
}
]
},
"name": "group - classification and tactics"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mvexpand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n//Filter out duplicate incidents\r\n| summarize arg_max(TimeGenerated, *) by IncidentName\r\n// end of get workspace name section\r\n| summarize Total = count()\r\n by workSpacename\r\n\r\n\r\n\r\n\r\n",
"size": 1,
"title": "Count of Security Incidents for selected Workspaces and Severity",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "High",
"formatter": 4,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "Medium",
"formatter": 4,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "Low",
"formatter": 4,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "Informational",
"formatter": 4,
"formatOptions": {
"palette": "greenRed"
}
}
],
"labelSettings": [
{
"columnId": "workSpacename",
"label": "Workspace Name"
}
]
}
},
"customWidth": "40",
"conditionalVisibility": {
"parameterName": "hide",
"comparison": "isEqualTo",
"value": "hide"
},
"name": "query - KQL for MAP count"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "resources\r\n// Just show Workspaces that have Sentinel enabled\r\n| where type =~ \"microsoft.operationsmanagement/solutions\"\r\n| where name has \"SecurityInsights\"\r\n| parse name with * '(' s_workspace ')'*\r\n| summarize count() by location, s_workspace",
"size": 0,
"title": "Sentinel Workspaces by Azure Region",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Subscription}"
],
"visualization": "table",
"mapSettings": {
"locInfo": "AzureLoc",
"locInfoColumn": "location",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"labelSettings": "location",
"legendMetric": "location",
"legendAggregation": "Count",
"itemColorSettings": {
"nodeColorField": "count_",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "greenRed"
}
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "hide",
"comparison": "isEqualTo",
"value": "hide"
},
"name": "query - ARG for MAp count"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"9862f923-5d48-4232-8b1d-54f18cd153d3\",\"mergeType\":\"innerunique\",\"leftTable\":\"query - KQL for MAP count\",\"rightTable\":\"query - ARG for MAp count\",\"leftColumn\":\"workSpacename\",\"rightColumn\":\"s_workspace\"}],\"projectRename\":[{\"originalName\":\"[query - KQL for MAP count].workSpacename\",\"mergedName\":\"Workspace Name\",\"fromId\":\"9862f923-5d48-4232-8b1d-54f18cd153d3\"},{\"originalName\":\"[query - KQL for MAP count].Total\",\"mergedName\":\"Total\",\"fromId\":\"9862f923-5d48-4232-8b1d-54f18cd153d3\"},{\"originalName\":\"[query - ARG for MAp count].location\",\"mergedName\":\"location\",\"fromId\":\"9862f923-5d48-4232-8b1d-54f18cd153d3\"},{\"originalName\":\"[query - ARG for MAp count].s_workspace\",\"mergedName\":\"s_workspace\",\"fromId\":\"9862f923-5d48-4232-8b1d-54f18cd153d3\"},{\"originalName\":\"[query - ARG for MAp count].count_\",\"mergedName\":\"count_\",\"fromId\":\"9862f923-5d48-4232-8b1d-54f18cd153d3\"}]}",
"size": 0,
"title": "Sentinel Incident Count by Region",
"exportedParameters": [
{
"fieldName": "",
"parameterName": "exportMap1"
},
{
"fieldName": "location",
"parameterName": "location",
"parameterType": 1
}
],
"queryType": 7,
"visualization": "map",
"gridSettings": {
"sortBy": [
{
"itemKey": "s_workspace",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "s_workspace",
"sortOrder": 1
}
],
"mapSettings": {
"locInfo": "AzureLoc",
"locInfoColumn": "location",
"sizeSettings": "Total",
"sizeAggregation": "Sum",
"labelSettings": "location",
"legendMetric": "Total",
"numberOfMetrics": 50,
"legendAggregation": "Sum",
"itemColorSettings": {
"nodeColorField": "Total",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "greenRed"
}
}
},
"customWidth": "50",
"showPin": false,
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "resources\r\n// Just show Workspaces that have Sentinel enabled\r\n| where type =~ \"microsoft.operationsmanagement/solutions\"\r\n| where name has \"SecurityInsights\"\r\n| parse name with * '(' s_workspace ')'*\r\n| summarize count() by location, s_workspace",
"size": 0,
"title": "Sentinel Workspaces by Azure Region",
"exportParameterName": "exportMap2",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Subscription}"
],
"visualization": "map",
"mapSettings": {
"locInfo": "AzureLoc",
"locInfoColumn": "location",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"labelSettings": "location",
"legendMetric": "location",
"legendAggregation": "Count",
"itemColorSettings": {
"nodeColorField": "count_",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "greenRed"
}
}
},
"customWidth": "50",
"name": "query - 10"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Subscription}"
],
"parameters": [
{
"id": "5443aca4-a73d-46ad-aaea-bd391acc3f0d",
"version": "KqlParameterItem/1.0",
"name": "getMapdata1",
"type": 1,
"isRequired": true,
"query": "extend a = parse_json('{exportMap1}')\r\n| project ['region']=a.regionName, ['Incident Count']=a.legendValue\r\n| limit 1",
"crossComponentResources": [
"{Subscription}"
],
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"version": "KqlParameterItem/1.0",
"name": "getMapdata2",
"type": 1,
"isRequired": true,
"query": "extend a = parse_json('{exportMap2}')\r\n| project ['region']=a.regionName, ['Incident Count']=a.legendValue\r\n| limit 1",
"crossComponentResources": [
"{Subscription}"
],
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"id": "793ac0c4-7518-4e52-9509-eb1bdf97854b"
},
{
"version": "KqlParameterItem/1.0",
"name": "getMapdata1_count",
"type": 1,
"isRequired": true,
"query": "extend a = parse_json('{exportMap1}')\r\n| project ['Incident Count']=a.legendValue\r\n| limit 1",
"crossComponentResources": [
"{Subscription}"
],
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"id": "d4349432-c9cf-436e-9ede-2cd303c4bc9c"
},
{
"version": "KqlParameterItem/1.0",
"name": "getMapdata2_count",
"type": 1,
"isRequired": true,
"query": "extend a = parse_json('{exportMap2}')\r\n| project ['Incident Count']=a.legendValue\r\n| limit 1",
"crossComponentResources": [
"{Subscription}"
],
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"id": "88076350-2736-407f-a272-6b473dc92c6c"
}
],
"style": "above",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "parameters - 8"
},
{
"type": 1,
"content": {
"json": "### Results from clicking on the Maps above\r\n--------------\r\n\r\n|Azure Region|Location|Incident Count|Workspace Counter|\r\n|---|---|---|---|\r\n| Sentinel Incident Count by Region| {getMapdata1}|{getMapdata1_count}||\r\n| Sentinel Workspaces by Azure Region| {getMapdata2}||{getMapdata2_count}|\r\n\r\n-----------"
},
"name": "text - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mvexpand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n// end of get workspace name section\r\n| extend Tactics_ = tostring(parse_json(tostring(AdditionalData.tactics)))\r\n| summarize count()\r\n by workSpacename, Tactics_\r\n| order by count_ desc\r\n\r\n\r\n\r\n\r\n\r\n\r\n",
"size": 1,
"title": "Count of Tactics for selected Workspaces",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 3,
"formatOptions": {
"palette": "coldHot"
}
},
{
"columnMatch": "High",
"formatter": 4,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "Medium",
"formatter": 4,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "Low",
"formatter": 4,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "Informational",
"formatter": 4,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "Total",
"formatter": 8,
"formatOptions": {
"palette": "coldHot"
}
}
],
"labelSettings": [
{
"columnId": "count_",
"label": "count"
}
]
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "hide",
"comparison": "isEqualTo",
"value": "hide"
},
"name": "query - 3 - Copy - Copy - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "incidents"
},
"name": "group - overview"
},
{
"type": 1,
"content": {
"json": "---------------"
},
"name": "text - 9"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Expand to Show: Incident details",
"expandable": true,
"expanded": true,
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\r\n| where TimeGenerated > startofday(ago(0d))\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n//Filter out duplicate incidents\r\n| summarize arg_max(TimeGenerated, *) by IncidentName\r\n// end of get workspace name section\r\n| extend productName_ = tostring(parse_json(tostring(AdditionalData.alertProductNames))[0])\r\n| where productName_ in ({Product}) or '{Product:label}' ==\"All\"\r\n| summarize count() by IncidentNumber, Title, productName_, Severity, [\"Workspace\"] = workSpacename, IncidentUrl\r\n| order by Workspace asc , IncidentNumber desc\r\n//| top 50 by [\"Workspace\"]",
"size": 1,
"title": "{$rowCount} Incidents in Workspaces today",
"timeContextFromParameter": "TimeRange",
"exportedParameters": [
{
"fieldName": "IncidentNumber",
"parameterName": "IncidentNumber",
"parameterType": 1
},
{
"fieldName": "Workspace",
"parameterName": "Workspace_export",
"parameterType": 1
}
],
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "productName_",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "30ch"
}
},
{
"columnMatch": "Severity",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "High",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Medium",
"representation": "orange",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Low",
"representation": "greenDark",
"text": "{0}{1}"
},
{
"operator": "Default",
"representation": "lightBlue",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Workspace",
"formatter": 5
},
{
"columnMatch": "IncidentUrl",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url",
"linkLabel": "Open Azure Sentinel Incident"
}
}
],
"rowLimit": 5000,
"filter": true,
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"Workspace"
]
},
"sortBy": [
{
"itemKey": "IncidentNumber",
"sortOrder": 2
}
],
"labelSettings": [
{
"columnId": "productName_",
"label": "Product Name"
}
]
},
"sortBy": [
{
"itemKey": "IncidentNumber",
"sortOrder": 2
}
]
},
"name": "query - multi Alerts"
},
{
"type": 1,
"content": {
"json": "For further analysis I suggest you open the Azure Sentinel Incident Blade and _Investigate_ (use the hyperlink provided in the table, if you have the correct RBAC).\r\n\r\nAlternatively open the [_Investigation Insights_] or [_Incident Overview_] Workbooks for guided and deeper investigation. Open Incident Overview from the Portal, _Investigation Insights_ can be opened to the right --->.\r\n\r\n- You must have previously SAVED these Workbooks in your workspace(s). \r\n- Investigation Insights requires release v1.2 or above (you may have to manually select the Workspace), for prior versions you will have to select the matching Incident Number as well. \r\n- For the Workbooks to be listed, they need \"Investigation\" in the name when you save them."
},
"customWidth": "50",
"name": "text - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "resources\r\n | where type == \"microsoft.insights/workbooks\"\r\n | where properties.displayName has \"Investigation\" // or properties.displayName has \"Incident\"\r\n | where properties.displayName has '{Workspace_export}'\r\n | project properties.displayName, id, {IncidentNumber}\r\n",
"size": 4,
"title": "Workspace Name: {Workspace_export}",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Subscription}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "properties_displayName",
"formatter": 1
},
{
"columnMatch": "id",
"formatter": 7,
"formatOptions": {
"linkTarget": "WorkbookTemplate",
"linkLabel": "Open Workbook",
"linkIsContextBlade": true
}
}
],
"labelSettings": [
{
"columnId": "properties_displayName",
"label": "Workbook Name"
},
{
"columnId": "id",
"label": "Open"
},
{
"columnId": "Column1",
"label": "Incident Number"
}
]
}
},
"customWidth": "50",
"name": "query - 11"
},
{
"type": 1,
"content": {
"json": "### Select a single workspace to see Incident level details "
},
"name": "text - 6"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Subscription}"
],
"parameters": [
{
"id": "4383a3f4-7606-41a7-b1cf-e5bffd2d9ecb",
"version": "KqlParameterItem/1.0",
"name": "iWorkspace",
"label": "Incident Workspace",
"type": 7,
"query": "resources\r\n// Just show Workspaces that have Sentinel enabled\r\n| where type =~ \"microsoft.operationsmanagement/solutions\"\r\n| where name has \"SecurityInsights\"\r\n| parse name with * '(' s_workspace ')'*\r\n| project name = s_workspace\r\n| sort by name asc",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"showDefault": false
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": null
},
{
"id": "c2494755-05cc-4b93-b253-e8a0d4b7c899",
"version": "KqlParameterItem/1.0",
"name": "iResourceGroup",
"type": 1,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| where tolower(name) == \"{iWorkspace}\"\r\n| project resourceGroup",
"crossComponentResources": [
"{Subscription}"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
}
],
"style": "above",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "parameters - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n// end of workspace validation, now match workspace to the selected parameter\r\n| where tolower(workSpacename) == tolower('{iWorkspace}')\r\n| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)\r\n| extend Alerts = extract(\"\\\\[(.*?)\\\\]\", 1, tostring(AlertIds))\r\n| extend productName_ = tostring(parse_json(tostring(AdditionalData.alertProductNames))[0])\r\n| where productName_ in ({Product}) or '{Product:label}' ==\"All\"\r\n| mv-expand AlertIds to typeof(string)\r\n| join \r\n(\r\n SecurityAlert\r\n | extend AlertEntities = parse_json(Entities)\r\n | mv-expand AlertEntities\r\n) on $left.AlertIds == $right.SystemAlertId\r\n| summarize AlertCount=dcount(AlertIds), entityList=make_set(tostring(AlertEntities.Type)) by IncidentNumber, Status, Severity, Title, Alerts, IncidentUrl, Owner=tostring(Owner.userPrincipalName) , Tactics =tostring(AdditionalData.tactics), workSpacename, productName_\r\n// set column order\r\n| project workSpacename, IncidentNumber, Severity, Status, AlertCount,Owner, Title, entityList, Tactics, IncidentUrl, productName_\r\n| order by IncidentNumber desc\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n",
"size": 0,
"title": "Details for {iWorkspace} Workspace, count of: {$rowCount} Incidents during {TimeRange:label}",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "workSpacename",
"formatter": 5
},
{
"columnMatch": "Severity",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "High",
"representation": "redBright",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Medium",
"representation": "orange",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Low",
"representation": "greenDark",
"text": "{0}{1}"
},
{
"operator": "Default",
"representation": "lightBlue",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Status",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "New",
"representation": "gray",
"text": "{0}{1}"
},
{
"operator": "Default",
"representation": "blue",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "AlertCount",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
}
},
{
"columnMatch": "IncidentUrl",
"formatter": 1,
"formatOptions": {
"linkTarget": "Url",
"linkLabel": "Open Incident in Azure Sentinel "
}
}
],
"rowLimit": 500,
"filter": true,
"sortBy": [
{
"itemKey": "IncidentNumber",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "IncidentNumber",
"sortOrder": 2
}
]
},
"conditionalVisibility": {
"parameterName": "iWorkspace",
"comparison": "isNotEqualTo",
"value": ""
},
"name": "query - single alert"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "incidents"
},
"name": "group - Incidents"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Hunting: Hunt across selected workspaces, using any KQL you paste or edit in this field. ",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "fcc2456c-f4b5-4505-a188-aa4ebab3db67",
"version": "KqlParameterItem/1.0",
"name": "queryTxt",
"type": 1,
"description": "Add workspace identity, e.g. SecurityIncident | summarize count() by WorkspaceId=TenantId",
"value": "SecurityIncident\r\n| summarize arg_max(TimeGenerated,*) by WorkspaceId=TenantId",
"typeSettings": {
"multiLineText": true,
"editorLanguage": "kql"
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{queryTxt}",
"size": 0,
"title": "Cross workspace Query results, rows: {$rowCount}, QueryTime: {$queryTime}. Select a row for more details",
"exportFieldName": "WorkspaceId",
"exportParameterName": "exportWorkspaceId",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Workspace",
"formatter": 16,
"formatOptions": {
"showIcon": true
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "hide",
"comparison": "isEqualTo",
"value": "hide"
},
"name": "query - crossWorkspaceQuery"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| extend customerWorkspaceID = trim(' ', tostring(properties.customerId))\r\n| project id, customerWorkspaceID, name=tolower(name), subscriptionId, tenantId\r\n|join \r\n(\r\n\tresources\r\n\t// Just show Workspaces that have Sentinel enabled\r\n\t| where type =~ \"microsoft.operationsmanagement/solutions\"\r\n\t| where name has \"SecurityInsights\"\r\n\t| parse name with * '(' s_workspace ')'*\r\n\t| project name=tolower(s_workspace), subscriptionId, location, properties, resourceGroup\r\n) on name",
"size": 0,
"title": "ARG - to hide",
"exportedParameters": [
{
"fieldName": "tenantId",
"parameterName": "exporttenantId",
"parameterType": 1
},
{
"fieldName": "subscriptionId",
"parameterName": "exportSubscriptionId",
"parameterType": 1
},
{
"fieldName": "resourceGroup",
"parameterName": "exportResourceGroup",
"parameterType": 1
},
{
"fieldName": "name",
"parameterName": "exportName",
"parameterType": 1
}
],
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Subscription}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Open",
"formatter": 7,
"formatOptions": {
"linkTarget": "Resource",
"linkLabel": "Workspace context blade",
"linkIsContextBlade": true
}
},
{
"columnMatch": "id",
"formatter": 7,
"formatOptions": {
"linkTarget": "WorkbookTemplate",
"linkLabel": "Click to Open [Security operations efficiency] workbook",
"linkIsContextBlade": false
}
},
{
"columnMatch": "note",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "100ch"
}
}
],
"sortBy": [
{
"itemKey": "tenantId",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "tenantId",
"sortOrder": 1
}
]
},
"conditionalVisibility": {
"parameterName": "hide",
"comparison": "isEqualTo",
"value": "hide"
},
"name": "query - arg Workpace Lookup"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"b4ab017f-a3b7-41b4-aa8a-aadf14ba9087\",\"mergeType\":\"inner\",\"leftTable\":\"query - crossWorkspaceQuery\",\"rightTable\":\"query - arg Workpace Lookup\",\"leftColumn\":\"WorkspaceId\",\"rightColumn\":\"customerWorkspaceID\"}],\"projectRename\":[{\"originalName\":\"[query - crossWorkspaceQuery].TimeGenerated\",\"mergedName\":\"TimeGenerated\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].SourceSystem\",\"mergedName\":\"SourceSystem\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].CallerIpAddress\",\"mergedName\":\"CallerIpAddress\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].CategoryValue\",\"mergedName\":\"CategoryValue\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].CorrelationId\",\"mergedName\":\"CorrelationId\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Authorization\",\"mergedName\":\"Authorization\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Authorization_d\",\"mergedName\":\"Authorization_d\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Claims\",\"mergedName\":\"Claims\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Claims_d\",\"mergedName\":\"Claims_d\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Level\",\"mergedName\":\"Level\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].OperationNameValue\",\"mergedName\":\"OperationNameValue\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Properties\",\"mergedName\":\"Properties\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Properties_d\",\"mergedName\":\"Properties_d\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - 
crossWorkspaceQuery].Caller\",\"mergedName\":\"Caller\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].EventDataId\",\"mergedName\":\"EventDataId\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].EventSubmissionTimestamp\",\"mergedName\":\"EventSubmissionTimestamp\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].HTTPRequest\",\"mergedName\":\"HTTPRequest\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].OperationId\",\"mergedName\":\"OperationId\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].ResourceGroup\",\"mergedName\":\"ResourceGroup\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].ResourceProviderValue\",\"mergedName\":\"ResourceProviderValue\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].ActivityStatusValue\",\"mergedName\":\"ActivityStatusValue\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].ActivitySubstatusValue\",\"mergedName\":\"ActivitySubstatusValue\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Hierarchy\",\"mergedName\":\"Hierarchy\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].SubscriptionId\",\"mergedName\":\"SubscriptionId\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].OperationName\",\"mergedName\":\"OperationName\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].ActivityStatus\",\"mergedName\":\"ActivityStatus\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].ActivitySubstatus\",\"mergedName\":\"ActivitySubstatus\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Category\",\"mergedName\":\"Category\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].ResourceId\",\"mergedName\":\"ResourceId\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - 
crossWorkspaceQuery].ResourceProvider\",\"mergedName\":\"ResourceProvider\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Resource\",\"mergedName\":\"Resource\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Type\",\"mergedName\":\"Type\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery]._ResourceId\",\"mergedName\":\"_ResourceId\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].TenantId\",\"mergedName\":\"TenantId\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].WorkspaceId\",\"mergedName\":\"WorkspaceId\",\"fromId\":\"b4ab017f-a3b7-41b4-aa8a-aadf14ba9087\"},{\"originalName\":\"[query - arg Workpace Lookup].id\",\"mergedName\":\"id\",\"fromId\":\"b4ab017f-a3b7-41b4-aa8a-aadf14ba9087\"},{\"originalName\":\"[query - arg Workpace Lookup].customerWorkspaceID\",\"mergedName\":\"customerWorkspaceID\",\"fromId\":\"b4ab017f-a3b7-41b4-aa8a-aadf14ba9087\"},{\"originalName\":\"[query - arg Workpace Lookup].name\",\"mergedName\":\"name\",\"fromId\":\"b4ab017f-a3b7-41b4-aa8a-aadf14ba9087\"},{\"originalName\":\"[query - arg Workpace Lookup].subscriptionId\",\"mergedName\":\"subscriptionId\",\"fromId\":\"b4ab017f-a3b7-41b4-aa8a-aadf14ba9087\"},{\"originalName\":\"[query - arg Workpace Lookup].tenantId\",\"mergedName\":\"tenantId\",\"fromId\":\"b4ab017f-a3b7-41b4-aa8a-aadf14ba9087\"},{\"originalName\":\"[query - arg Workpace Lookup].name1\",\"mergedName\":\"name1\",\"fromId\":\"b4ab017f-a3b7-41b4-aa8a-aadf14ba9087\"},{\"originalName\":\"[query - arg Workpace Lookup].subscriptionId1\",\"mergedName\":\"subscriptionId1\",\"fromId\":\"b4ab017f-a3b7-41b4-aa8a-aadf14ba9087\"},{\"originalName\":\"[query - arg Workpace Lookup].location\",\"mergedName\":\"location\",\"fromId\":\"b4ab017f-a3b7-41b4-aa8a-aadf14ba9087\"},{\"originalName\":\"[query - arg Workpace 
Lookup].properties\",\"mergedName\":\"properties\",\"fromId\":\"b4ab017f-a3b7-41b4-aa8a-aadf14ba9087\"},{\"originalName\":\"[query - arg Workpace Lookup].resourceGroup\",\"mergedName\":\"resourceGroup\",\"fromId\":\"b4ab017f-a3b7-41b4-aa8a-aadf14ba9087\"},{\"originalName\":\"[query - crossWorkspaceQuery].IncidentName\",\"mergedName\":\"IncidentName\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Title\",\"mergedName\":\"Title\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Description\",\"mergedName\":\"Description\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Severity\",\"mergedName\":\"Severity\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Status\",\"mergedName\":\"Status\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Classification\",\"mergedName\":\"Classification\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].ClassificationComment\",\"mergedName\":\"ClassificationComment\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].ClassificationReason\",\"mergedName\":\"ClassificationReason\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Owner\",\"mergedName\":\"Owner\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].ProviderName\",\"mergedName\":\"ProviderName\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].ProviderIncidentId\",\"mergedName\":\"ProviderIncidentId\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].FirstActivityTime\",\"mergedName\":\"FirstActivityTime\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].LastActivityTime\",\"mergedName\":\"LastActivityTime\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - 
crossWorkspaceQuery].FirstModifiedTime\",\"mergedName\":\"FirstModifiedTime\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].LastModifiedTime\",\"mergedName\":\"LastModifiedTime\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].CreatedTime\",\"mergedName\":\"CreatedTime\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].ClosedTime\",\"mergedName\":\"ClosedTime\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].IncidentNumber\",\"mergedName\":\"IncidentNumber\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].RelatedAnalyticRuleIds\",\"mergedName\":\"RelatedAnalyticRuleIds\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].AlertIds\",\"mergedName\":\"AlertIds\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].BookmarkIds\",\"mergedName\":\"BookmarkIds\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Comments\",\"mergedName\":\"Comments\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].Labels\",\"mergedName\":\"Labels\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].IncidentUrl\",\"mergedName\":\"IncidentUrl\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].AdditionalData\",\"mergedName\":\"AdditionalData\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].ModifiedBy\",\"mergedName\":\"ModifiedBy\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - crossWorkspaceQuery].ProviderName_CF\",\"mergedName\":\"ProviderName_CF\",\"fromId\":\"unknown\"}]}",
"size": 0,
"title": "Cross-workspace query results, rows: {$rowCount}, QueryTime: {$queryTime}.",
"showExportToExcel": true,
"queryType": 7,
"gridSettings": {
"formatters": [
{
"columnMatch": "id",
"formatter": 7,
"formatOptions": {
"linkTarget": "Resource",
"linkLabel": "Open Workspace",
"linkIsContextBlade": true
}
},
{
"columnMatch": "SubscriptionId",
"formatter": 15,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Resource",
"formatter": 13,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Type",
"formatter": 16,
"formatOptions": {
"showIcon": true
}
}
],
"filter": true,
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"id"
],
"expandTopLevel": true,
"finalBy": "name1"
}
}
},
"name": "query - 3"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "hunting"
},
"name": "group - hunting"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Query Pack: Use a Query Pack from any Resource Group, then pick a query to run from within the Query Pack",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "9a0c8c17-ac07-4b9a-b3d9-44060087935f",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"description": "Find Query Packs in specific subscriptions",
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"includeAll": false,
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "resources\r\n| where type == \"microsoft.operationalinsights/querypacks\"\r\n| project-away type, kind",
"size": 0,
"exportedParameters": [
{
"fieldName": "name",
"parameterName": "exportName",
"parameterType": 1
},
{
"fieldName": "resourceGroup",
"parameterName": "resourceGroup",
"parameterType": 1
},
{
"fieldName": "subscriptionId",
"parameterName": "subscriptionId",
"parameterType": 1
}
],
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Subscription}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "tenantId",
"formatter": 16,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "location",
"formatter": 17
},
{
"columnMatch": "resourceGroup",
"formatter": 16,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "subscriptionId",
"formatter": 15,
"formatOptions": {
"showIcon": true
}
}
]
}
},
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/microsoft.operationalInsights/querypacks/{exportName}/Queries\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2019-09-01-preview\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"properties.displayName\",\"columnid\":\"name\"},{\"path\":\"properties.body\",\"columnid\":\"body\"},{\"path\":\"properties.description\",\"columnid\":\"description\"},{\"path\":\"properties.tags\",\"columnid\":\"tags\"},{\"path\":\"systemData.lastModifiedAt\",\"columnid\":\"lastModifiedAt\"},{\"path\":\"systemData.lastModifiedBy\",\"columnid\":\"lastModifiedBy\"},{\"path\":\"systemData.createdBy\",\"columnid\":\"createdBy\"},{\"path\":\"systemData.createdBy\",\"columnid\":\"createdByType\"},{\"path\":\"systemData.createdAt\",\"columnid\":\"createdAt\"}]}}]}",
"size": 1,
"title": "Select a Query to run from the list: {$rowCount} Queries in Query Pack: {exportName}",
"exportedParameters": [
{
"fieldName": "body",
"parameterName": "exportQuery"
},
{
"fieldName": "name",
"parameterName": "exportName",
"parameterType": 1
}
],
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"formatters": [
{
"columnMatch": "body",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkIsContextBlade": true
}
}
],
"filter": true,
"sortBy": [
{
"itemKey": "createdByType",
"sortOrder": 2
}
],
"labelSettings": [
{
"columnId": "body",
"label": "Query"
}
]
},
"sortBy": [
{
"itemKey": "createdByType",
"sortOrder": 2
}
]
},
"conditionalVisibility": {
"parameterName": "exportName",
"comparison": "isNotEqualTo"
},
"name": "query -Qp queries"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{exportQuery}",
"size": 0,
"title": "Results of the selected Query: {exportName}",
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"conditionalVisibility": {
"parameterName": "exportQuery",
"comparison": "isNotEqualTo"
},
"name": "query - 3"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "querypack"
},
"name": "group - qp"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "KQL Saved Searches: Select a Workspace to check Saved Searches",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Subscription}"
],
"parameters": [
{
"id": "54ab7c42-3983-46fd-bb6b-9a1d206eec3a",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
"description": "Look up saved queries in any Azure Sentinel workspace",
"isRequired": true,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| extend customerID = trim(' ', tostring(properties.customerId))\r\n| project id, customerID, name=tolower(name)\r\n|join \r\n(\r\n\tresources\r\n\t// Just show Workspaces that have Sentinel enabled\r\n\t| where type =~ \"microsoft.operationsmanagement/solutions\"\r\n\t| where name has \"SecurityInsights\"\r\n\t| parse name with * '(' s_workspace ')'*\r\n\t| project name=tolower(s_workspace)\r\n) on name\r\n| project tolower(id), customerID, name",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
}
],
"style": "above",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "parameters - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{Workspace}/SavedSearches\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2021-06-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"properties.displayName\",\"columnid\":\"displayName\"},{\"path\":\"properties.category\",\"columnid\":\"category\"},{\"path\":\"properties.query\",\"columnid\":\"query\"},{\"path\":\"properties.version\",\"columnid\":\"version\"},{\"path\":\"name\",\"columnid\":\"name\"}]}}]}",
"size": 1,
"title": "Select a Query to run, or search across all columns (Category, Name and Query)",
"noDataMessage": "no saved queries found in {Workspace:name}",
"exportedParameters": [
{
"fieldName": "query",
"parameterName": "query",
"parameterType": 1,
"defaultValue": " "
},
{
"fieldName": "displayName",
"parameterName": "name",
"parameterType": 1
}
],
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"rowLimit": 1000,
"filter": true
}
},
"conditionalVisibilities": [
{
"parameterName": "Subscription",
"comparison": "isNotEqualTo"
},
{
"parameterName": "Workspace",
"comparison": "isNotEqualTo"
}
],
"name": "saved query grid - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Saved Query - {name}",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "f3f7beb8-b287-45fb-8af2-c528ef55b704",
"version": "KqlParameterItem/1.0",
"name": "queryText",
"type": 1,
"typeSettings": {
"multiLineText": true,
"editorLanguage": "kql"
},
"criteriaData": [
{
"condition": "else result = '{query}'",
"criteriaContext": {
"operator": "Default",
"rightValType": "param",
"resultValType": "static",
"resultVal": "{query}"
}
}
],
"label": "Saved Query Text"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query text param"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{query}",
"size": 2,
"title": "Query Results",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"name": "query - 3"
}
]
},
"conditionalVisibilities": [
{
"parameterName": "query",
"comparison": "isNotEqualTo"
},
{
"parameterName": "Workspace",
"comparison": "isNotEqualTo"
}
],
"name": "visible if query selected group"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "saved"
},
"name": "group - kql"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Workspace and Table Retention: Select a Workspace to check its workspace-level and table-level retention",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "54ab7c42-3983-46fd-bb6b-9a1d206eec3a",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
"description": "Look up Workspace and Table Retention",
"isRequired": true,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| extend customerID = trim(' ', tostring(properties.customerId))\r\n| project id, customerID, name=tolower(name)\r\n|join \r\n(\r\n\tresources\r\n\t// Just show Workspaces that have Sentinel enabled\r\n\t| where type =~ \"microsoft.operationsmanagement/solutions\"\r\n\t| where name has \"SecurityInsights\"\r\n\t| parse name with * '(' s_workspace ')'*\r\n\t| project name=tolower(s_workspace)\r\n) on name\r\n| project tolower(id), customerID, name",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": ""
}
],
"style": "above",
"queryType": 12
},
"name": "parameters - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Workspace:subscription}/resourceGroups/{Workspace:resourcegroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}?api-version=2022-10-01\",\"urlParams\":[],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"columns\":[{\"path\":\"id\",\"columnid\":\"Workspace\"},{\"path\":\"properties.retentionInDays\",\"columnid\":\"RetentionInDays\"},{\"path\":\"location\",\"columnid\":\"Location\"},{\"path\":\"properties.workspaceCapping.dailyQuotaGb\",\"columnid\":\"DailyQuotaGb\"},{\"path\":\"properties.sku.name\",\"columnid\":\"SkuName\"}]}}]}",
"size": 4,
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"rowLimit": 10000,
"filter": true
}
},
"name": "query - 12"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "ff66d7b3-6ecd-4d76-9677-7c9496681c58",
"version": "KqlParameterItem/1.0",
"name": "tablePlanFilter",
"label": "Filter by Table Plan and Archive Tier",
"type": 10,
"isRequired": true,
"isGlobal": true,
"typeSettings": {
"showDefault": false
},
"jsonData": "[\r\n { \"value\":\"(@.properties.plan=='Basic') || (@.properties.plan=='Analytics')\", \"label\":\"All\", \"selected\":true},\r\n { \"value\":\"(@.properties.plan=='Basic')\", \"label\":\"Basic Logs\"},\r\n { \"value\":\"(@.properties.plan=='Analytics')\", \"label\":\"Analytic Logs\"},\r\n { \"value\":\"(@.properties.archiveRetentionInDays > 0)\", \"label\":\"Archived Tables\"},\r\n { \"value\":\"(@.properties.archiveRetentionInDays == 0)\", \"label\":\"Default Retention Tables\"}\r\n]",
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "formVertical",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 3"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "6431576b-55b8-4ab1-8c44-59f052268f36",
"version": "KqlParameterItem/1.0",
"name": "tableFilter",
"type": 1,
"isRequired": true,
"isGlobal": true,
"isHiddenWhenLocked": true,
"criteriaData": [
{
"criteriaContext": {
"operator": "Default",
"resultValType": "param",
"resultVal": "tablePlanFilter"
}
}
],
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Cost"
},
"name": "parameters - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Workspace:subscription}/resourceGroups/{Workspace:resourcegroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/Tables?api-version=2021-12-01-preview\",\"urlParams\":[],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value[?({tableFilter})]\",\"columns\":[{\"path\":\"name\",\"columnid\":\"TableName\"},{\"path\":\"properties.retentionInDays\",\"columnid\":\"RetentionInDays\"},{\"path\":\"properties.plan\",\"columnid\":\"plan\"},{\"path\":\"properties.archiveRetentionInDays\",\"columnid\":\"archiveRetentionInDays\"}]}}]}",
"size": 4,
"title": "Table Count: {$rowCount}",
"showExportToExcel": true,
"queryType": 12,
"visualization": "table",
"gridSettings": {
"rowLimit": 10000,
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "hide",
"comparison": "isEqualTo",
"value": "hide"
},
"name": "TableRetentionQuery"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Usage\r\n| summarize arg_max(TimeGenerated, *), size = sum(Quantity) by DataType\r\n| project\r\n ['Table'] = DataType,\r\n ['Table Size'] = size,\r\n IsBillable\r\n| order by Table asc",
"size": 0,
"title": "Tables Found in the {WorkspaceName} workspace",
"exportFieldName": "DataType",
"exportParameterName": "DataType",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Table Size",
"formatter": 0,
"numberFormat": {
"unit": 38,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Estimated Ingestion Cost",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"currency": "USD",
"style": "currency"
}
}
},
{
"columnMatch": "Esitmated Workspace Retention Cost",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"currency": "USD",
"style": "currency"
}
}
},
{
"columnMatch": "Estimated Data Archive Cost",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"currency": "USD",
"style": "currency"
}
}
}
],
"sortBy": [
{
"itemKey": "$gen_number_Table Size_1",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "$gen_number_Table Size_1",
"sortOrder": 2
}
]
},
"conditionalVisibility": {
"parameterName": "ShowHiddenObjects",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "LAWTableQuery"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"e3a3f78c-f05b-458f-85ec-2bc8e5821101\",\"mergeType\":\"inner\",\"leftTable\":\"TableRetentionQuery\",\"rightTable\":\"LAWTableQuery\",\"leftColumn\":\"TableName\",\"rightColumn\":\"Table\"}],\"projectRename\":[{\"originalName\":\"[TableRetentionQuery].TableName\",\"mergedName\":\"TableName\",\"fromId\":\"e3a3f78c-f05b-458f-85ec-2bc8e5821101\"},{\"originalName\":\"[TableRetentionQuery].TableType\",\"mergedName\":\"TableType\",\"fromId\":\"e3a3f78c-f05b-458f-85ec-2bc8e5821101\"},{\"originalName\":\"[TableRetentionQuery].TablePlan\",\"mergedName\":\"TablePlan\",\"fromId\":\"e3a3f78c-f05b-458f-85ec-2bc8e5821101\"},{\"originalName\":\"[TableRetentionQuery].TableInteractivePeriod\",\"mergedName\":\"InteractiveRetention\",\"fromId\":\"e3a3f78c-f05b-458f-85ec-2bc8e5821101\"},{\"originalName\":\"[TableRetentionQuery].TableArchivePeriod\",\"mergedName\":\"ArchiveRetention\",\"fromId\":\"e3a3f78c-f05b-458f-85ec-2bc8e5821101\"},{\"originalName\":\"[TableRetentionQuery].TotalRetentionPeriod\",\"mergedName\":\"TotalRetention\",\"fromId\":\"e3a3f78c-f05b-458f-85ec-2bc8e5821101\"},{\"originalName\":\"[LAWTableQuery].Table Size\",\"mergedName\":\"LAW Table Size\",\"fromId\":\"e3a3f78c-f05b-458f-85ec-2bc8e5821101\"},{\"originalName\":\"[TableRetentionQuery].lastPlanModifiedDate\",\"mergedName\":\"lastPlanModifiedDate\",\"fromId\":\"e3a3f78c-f05b-458f-85ec-2bc8e5821101\"},{\"originalName\":\"[Added column]\",\"mergedName\":\"Is 
Archived\",\"fromId\":null,\"isNewItem\":true,\"newItemData\":[{\"criteriaContext\":{\"leftOperand\":\"archiveRetentionInDays\",\"operator\":\">\",\"rightValType\":\"static\",\"rightVal\":\"0\",\"resultValType\":\"static\",\"resultVal\":\"Yes\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"column\",\"resultValType\":\"static\",\"resultVal\":\"No\"}}]},{\"originalName\":\"[LAWTableQuery].IsBillable\",\"mergedName\":\"IsBillable\",\"fromId\":\"unknown\"},{\"originalName\":\"[TableRetentionQuery].RetentionInDays\",\"mergedName\":\"RetentionInDays\",\"fromId\":\"unknown\"},{\"originalName\":\"[TableRetentionQuery].plan\",\"mergedName\":\"plan\",\"fromId\":\"unknown\"},{\"originalName\":\"[TableRetentionQuery].archiveRetentionInDays\",\"mergedName\":\"archiveRetentionInDays\",\"fromId\":\"unknown\"},{\"originalName\":\"[LAWTableQuery].DataType\"},{\"originalName\":\"[LAWTableQuery].Table\"},{\"originalName\":\"[LAWTableQuery].size\"},{\"originalName\":\"[LAWTableQuery].Estimated Data Archive Cost\"},{\"originalName\":\"[LAWTableQuery].Estimated Ingestion Cost\"},{\"originalName\":\"[LAWTableQuery].Esitmated Workspace Retention Cost\"}]}",
"size": 1,
"title": "{tableFilter}, Count: {$rowCount}",
"noDataMessage": "It appears your workspace doesn't currently have any tables that support the Basic plan, or it doesn't have any archived tables.",
"showRefreshButton": true,
"exportedParameters": [
{
"fieldName": "TableName",
"parameterName": "TableName",
"parameterType": 1
},
{
"fieldName": "TablePlan",
"parameterName": "TablePlan",
"parameterType": 1
},
{
"fieldName": "InteractiveRetention",
"parameterName": "InteractiveRetention",
"parameterType": 1
},
{
"fieldName": "ArchiveRetention",
"parameterName": "ArchiveRetention",
"parameterType": 1
},
{
"fieldName": "TotalRetention",
"parameterName": "TotalRetention",
"parameterType": 1
},
{
"parameterType": 1
}
],
"showExportToExcel": true,
"queryType": 7,
"gridSettings": {
"formatters": [
{
"columnMatch": "TableName",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "35.2857ch"
}
},
{
"columnMatch": "LAW Table Size",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "20ch"
},
"numberFormat": {
"unit": 39,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "IsBillable",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "false",
"representation": "Blank",
"text": " No"
},
{
"operator": "Default",
"representation": "success",
"text": "Yes"
}
],
"customColumnWidthSetting": "16ch"
}
},
{
"columnMatch": "Is Archived",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Yes",
"representation": "CloudUpload",
"text": "{0}{1}"
},
{
"operator": "Default",
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "TableType",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "15.8571ch"
}
},
{
"columnMatch": "TablePlan",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "15ch"
}
},
{
"columnMatch": "InteractiveRetention",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "22.8571ch"
},
"numberFormat": {
"unit": 27,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "ArchiveRetention",
"formatter": 4,
"formatOptions": {
"min": 0,
"max": 2555,
"palette": "blue",
"customColumnWidthSetting": "20.8571ch"
},
"numberFormat": {
"unit": 27,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "TotalRetention",
"formatter": 4,
"formatOptions": {
"min": 90,
"max": 2555,
"palette": "turquoise",
"compositeBarSettings": {
"labelText": "",
"columnSettings": [
{
"columnName": "Is Archived",
"color": "blue"
}
]
},
"customColumnWidthSetting": "18.2857ch"
},
"numberFormat": {
"unit": 27,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "lastPlanModifiedDate",
"formatter": 6,
"formatOptions": {
"customColumnWidthSetting": "33.1429ch"
}
},
{
"columnMatch": "TableInteractivePeriod",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "26.5714ch"
},
"numberFormat": {
"unit": 27,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "TableArchivePeriod",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "24ch"
},
"numberFormat": {
"unit": 27,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "TotalRetentionPeriod",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": ">",
"thresholdValue": "{workspaceRetention}",
"representation": "yellow",
"text": "{0}{1}"
},
{
"operator": "Default",
"text": "{0}{1}"
}
],
"customColumnWidthSetting": "23.4286ch"
},
"numberFormat": {
"unit": 27,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Table Size",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "20ch"
},
"numberFormat": {
"unit": 39,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "Estimated Ingestion Cost",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"currency": "USD",
"style": "currency"
}
}
},
{
"columnMatch": "Esitmated Workspace Retention Cost",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"currency": "USD",
"style": "currency"
}
}
},
{
"columnMatch": "Estimated Data Archive Cost",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"currency": "USD",
"style": "currency"
}
}
},
{
"columnMatch": "TableSize",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "SizeUnit",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "14ch"
}
},
{
"columnMatch": "Last Updated Time",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "26ch"
}
}
],
"rowLimit": 10000,
"filter": true,
"sortBy": [
{
"itemKey": "archiveRetentionInDays",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "archiveRetentionInDays",
"sortOrder": 2
}
]
},
"name": "query - final MERGE"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "retention"
},
"name": "group - retention"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Group: Ingestion",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "resources\r\n| where type == \"microsoft.operationalinsights/workspaces\"\r\n//| where name in (' {Workspace:name} ')\r\n| project name=tolower(name), workspaceRetention=properties.retentionInDays,\r\n Workspacesku=properties.sku.name,\r\n WorkspaceskuLevel=properties.sku.capacityReservationLevel,\r\n WorkspaceskulastUpdate= properties.sku.lastSkuUpdate,\r\n properties, tenantId\r\n|join \r\n(\r\n\tresources\r\n\t// Just show Workspaces that have Sentinel enabled\r\n\t| where type =~ \"microsoft.operationsmanagement/solutions\"\r\n\t| where name has \"SecurityInsights\"\r\n\t| parse name with * '(' s_workspace ')'*\r\n\t| project name=tolower(s_workspace),\r\n Sentinelsku=properties.sku.name,\r\n SentinelskuLevel=properties.sku.capacityReservationLevel,\r\n SentinelskulastUpdate= properties.sku.lastSkuUpdate\r\n) on name\r\n| project name, Workspacesku, WorkspaceskuLevel, WorkspaceskulastUpdate, a='{Workspace:name}', Sentinelsku, SentinelskuLevel, SentinelskulastUpdate, tenantId\r\n| extend WorkspaceskuLevel = iif(isempty(WorkspaceskuLevel),0,WorkspaceskuLevel),\r\n SentinelskuLevel = iif(isempty(SentinelskuLevel),0,SentinelskuLevel)\r\n| where a has name \r\n| project-away a\r\n",
"size": 1,
"title": "Workspace SKU details, count: {$rowCount}; click a row for more insight",
"exportedParameters": [
{
"fieldName": "WorkspaceskuLevel",
"parameterName": "skuLevel",
"parameterType": 1
},
{
"fieldName": "name",
"parameterName": "wsName",
"parameterType": 1
}
],
"showExportToExcel": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"rowLimit": 10000,
"filter": true
}
},
"name": "query - sku details"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Usage\r\n| where IsBillable == True\r\n| parse ResourceUri with * 'workspaces/' workspaceName_s\r\n| where workspaceName_s == '{wsName}'\r\n| summarize dataPerDay = sum(Quantity)/1000 by bin(TimeGenerated,1d), SentinelCT='{skuLevel}'\r\n| extend higherCT = case(\r\n dataPerDay < 100, 100,\r\n dataPerDay > 100 and dataPerDay < 200, 200,\r\n dataPerDay > 200 and dataPerDay < 300, 300,\r\n dataPerDay > 300 and dataPerDay < 400, 400,\r\n dataPerDay > 400 and dataPerDay < 500, 500,\r\n dataPerDay > 500 and dataPerDay < 1000, 1000,\r\n dataPerDay > 1000 and dataPerDay < 10000, 10000,\r\n dataPerDay > 2000 and dataPerDay < 20000, 20000,\r\n dataPerDay > 5000 and dataPerDay < 50000, 50000,\r\n // else\r\n 0\r\n )\r\n//| extend lowerCT= (higherCT - 100)\r\n\r\n\r\n\r\n",
"size": 1,
"aggregation": 3,
"showAnnotations": true,
"title": "Actual Data Volume and Commitment Tier. Data from: {TimeRange:label}.",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "y",
"exportParameterName": "yAxis",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "timechart",
"gridSettings": {
"formatters": [
{
"columnMatch": "Column1",
"formatter": 5
},
{
"columnMatch": "dataPerDay",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"maximumSignificantDigits": 2
}
}
}
]
},
"chartSettings": {
"yAxis": [
"higherCT",
"SentinelCT",
"dataPerDay"
],
"seriesLabelSettings": [
{
"seriesName": "higherCT",
"label": "Next Commitment Tier"
},
{
"seriesName": "SentinelCT",
"label": "Actual Commitment Tier",
"color": "purple"
},
{
"seriesName": "dataPerDay",
"color": "green"
}
],
"ySettings": {
"numberFormatSettings": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "wsName",
"comparison": "isNotEqualTo"
},
"name": "query - chart of CR"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Usage\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n| where IsBillable == true\r\n| summarize GBytes=sum(Quantity)/1000 by workSpacename, bin(TimeGenerated,{TimeRange:grain})",
"size": 0,
"title": "Ingestion by Workspace for {TimeRange:label}",
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeRange",
"timeBrushExportOnlyWhenBrushed": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "barchart",
"chartSettings": {
"ySettings": {
"numberFormatSettings": {
"unit": 39,
"options": {
"style": "decimal",
"useGrouping": true
}
}
}
}
},
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Usage\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n| where IsBillable == True\r\n| summarize GBytes=sum(Quantity)/1000 by workSpacename//, bin(TimeGenerated,{TimeRange:grain})\r\n| top 10 by GBytes",
"size": 0,
"title": "Top 10 Workspaces by ingestion volume",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart",
"chartSettings": {
"ySettings": {
"numberFormatSettings": {
"unit": 39,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "40",
"name": "query - Top 10 by ingestion"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Usage\r\n// Only look at billable Tables\r\n| where IsBillable == True\r\n| summarize TotalBytes =round(sum(Quantity)) by bin(TimeGenerated, 1d)\r\n| summarize GBperday = round(avg(TotalBytes)/1000,2)\r\n",
"size": 0,
"title": "GB per Day, {TimeRange:label}",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "GBytes",
"formatter": 10,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "Column1",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
}
]
},
"tileSettings": {
"titleContent": {
"formatter": 1
},
"leftContent": {
"columnMatch": "GBperday",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 39,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"rightContent": {
"columnMatch": "avg_"
},
"showBorder": false
}
},
"customWidth": "20",
"name": "query - 10 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Usage\r\n// Only look at billable Tables\r\n| where IsBillable == True\r\n| summarize GBytes =round(sum(Quantity))/1000 \r\n",
"size": 0,
"title": "GB Total {TimeRange:label}",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "GBytes",
"formatter": 10,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "Column1",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
}
]
},
"tileSettings": {
"titleContent": {
"formatter": 1
},
"leftContent": {
"columnMatch": "GBytes",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 39,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"rightContent": {
"columnMatch": "avg_"
},
"showBorder": false
}
},
"customWidth": "20",
"name": "query - GB total "
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Usage\r\n// Only look at billable Tables\r\n| where TimeGenerated > endofmonth(ago(90d))\r\n| where IsBillable == True\r\n| summarize GBytes =round(sum(Quantity))/1000 by bin(TimeGenerated,30d)\r\n\r\n",
"size": 0,
"title": "Monthly GB Total {TimeRange:label}",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "barchart",
"gridSettings": {
"formatters": [
{
"columnMatch": "GBytes",
"formatter": 10,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "Column1",
"formatter": 9,
"formatOptions": {
"palette": "blue"
}
}
],
"sortBy": [
{
"itemKey": "TimeGenerated",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "TimeGenerated",
"sortOrder": 1
}
],
"tileSettings": {
"titleContent": {
"formatter": 1
},
"leftContent": {
"columnMatch": "GBytes",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 39,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"rightContent": {
"columnMatch": "avg_"
},
"showBorder": false
},
"chartSettings": {
"ySettings": {
"numberFormatSettings": {
"unit": 39,
"options": {
"style": "decimal",
"useGrouping": true
}
}
}
}
},
"customWidth": "40",
"name": "query - GB total - month"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "ingestion"
},
"name": "group - ingestion"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Group: Tables",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Usage\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n| summarize CountofTables=dcount(DataType) , TableName=make_set(DataType) by workSpacename\r\n| order by CountofTables desc\r\n",
"size": 0,
"title": "Table count by Workspace, count: {$rowCount}, click row for Content Hub details",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "workSpacename",
"exportParameterName": "workSpacename",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "CountofTables",
"formatter": 4,
"formatOptions": {
"palette": "greenRed",
"customColumnWidthSetting": "25ch"
}
},
{
"columnMatch": "TableName",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "150ch"
}
}
],
"filter": true
}
},
"name": "query - tables by ws"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Subscription}"
],
"parameters": [
{
"id": "ff66d7b3-6ecd-4d76-9677-7c9496681c58",
"version": "KqlParameterItem/1.0",
"name": "Solutions",
"label": "Filter Solutions in Content Hub",
"type": 10,
"isRequired": true,
"isGlobal": true,
"typeSettings": {
"showDefault": false
},
"jsonData": "[\r\n { \"value\":\"(@.properties.firstPublishDate.includes('-'))\", \"label\":\"All\"},\r\n { \"value\":\"(@.properties.installedVersion.includes('.'))\", \"label\":\"Installed\", \"selected\":true}\r\n]",
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "deb345ad-8829-4871-8171-9482c50ca59f",
"version": "KqlParameterItem/1.0",
"name": "ws",
"type": 5,
"isRequired": true,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| extend customerID = trim(' ', tostring(properties.customerId))\r\n| project id, customerID, name=tolower(name)\r\n|join \r\n(\r\nresources\r\n\t// Just show Workspaces that have Sentinel enabled\r\n\t| where type =~ \"microsoft.operationsmanagement/solutions\"\r\n\t| where name has \"SecurityInsights\"\r\n\t| parse name with * '(' s_workspace ')'*\r\n\t| project name=tolower(s_workspace), id, subscriptionId, resourceGroup\r\n | where name == tolower('{workSpacename}')\r\n) on name\r\n| project tolower(id), customerID, name",
"crossComponentResources": [
"{Subscription}"
],
"isHiddenWhenLocked": true,
"typeSettings": {
"showDefault": false
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
}
],
"style": "above",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"conditionalVisibility": {
"parameterName": "workSpacename",
"comparison": "isNotEqualTo"
},
"name": "parameters - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{ws:subscriptionid}/resourceGroups/{ws:resourcegroup}/providers/Microsoft.OperationalInsights/workspaces/{ws:name}/providers/Microsoft.SecurityInsights/contentProductPackages\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2023-08-01-preview\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$..value[?({Solutions})]\",\"columns\":[{\"path\":\"properties.displayName\",\"columnid\":\"displayName\"},{\"path\":\"properties..kind\",\"columnid\":\"kind\"},{\"path\":\"properties.installedVersion\",\"columnid\":\"installedVersion\"},{\"path\":\"properties.version\",\"columnid\":\"availableVersion\"},{\"path\":\"properties.isNew\",\"columnid\":\"isNew\"},{\"path\":\"properties.isPreview\",\"columnid\":\"isPreview\"},{\"path\":\"properties.isFeatured\",\"columnid\":\"isFeatured\"},{\"path\":\"properties.firstPublishDate\",\"columnid\":\"firstPublishDate\",\"substringRegexMatch\":\"0001-01-01\",\"substringReplace\":\"unknown\"},{\"path\":\"properties.lastPublishDate\",\"columnid\":\"lastPublishDate\",\"substringRegexMatch\":\"0001-01-01\",\"substringReplace\":\"unknown\"},{\"path\":\"properties.descriptionHtml\",\"columnid\":\"descriptionHtml\"},{\"path\":\"properties.threatAnalysisTactics\",\"columnid\":\"threatAnalysisTactics\"},{\"path\":\"properties.threatAnalyticsTechniques\",\"columnid\":\"threatAnalyticsTechniques\"},{\"path\":\"properties\",\"columnid\":\"properties\"},{\"path\":\"id\",\"columnid\":\"id\"},{\"path\":\"systemData\",\"columnid\":\"systemData\"}]}}]}",
"size": 0,
"title": "Solution Count: {$rowCount}, click row to read HTML description {ws} {workSpacename}",
"exportFieldName": "descriptionHtml",
"exportParameterName": "descriptionHtml",
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"formatters": [
{
"columnMatch": "isNew",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "true",
"representation": "success",
"text": ""
},
{
"operator": "==",
"thresholdValue": "false",
"representation": "Blank",
"text": ""
},
{
"operator": "Default",
"representation": "Blank",
"text": ""
}
]
}
},
{
"columnMatch": "isPreview",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "false",
"representation": "Blank",
"text": ""
},
{
"operator": "==",
"thresholdValue": "true",
"representation": "success",
"text": ""
},
{
"operator": "Default",
"representation": "Blank",
"text": ""
}
]
}
},
{
"columnMatch": "isFeatured",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "true",
"representation": "success",
"text": ""
},
{
"operator": "==",
"thresholdValue": "false",
"representation": "Blank",
"text": ""
},
{
"operator": "Default",
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "descriptionHtml",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkIsContextBlade": true
}
},
{
"columnMatch": "id",
"formatter": 7,
"formatOptions": {
"linkTarget": "Resource",
"linkIsContextBlade": true
}
}
],
"filter": true,
"sortBy": [
{
"itemKey": "displayName",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "displayName",
"sortOrder": 1
}
]
},
"conditionalVisibility": {
"parameterName": "hide",
"comparison": "isEqualTo",
"value": "hide"
},
"name": "query - content hub "
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"47a9f643-b2c8-45f8-91dc-2ee63e40a085\",\"mergeType\":\"table\",\"leftTable\":\"query - content hub \"}],\"projectRename\":[{\"originalName\":\"[query - content hub ].displayName\",\"mergedName\":\"displayName\",\"fromId\":\"47a9f643-b2c8-45f8-91dc-2ee63e40a085\"},{\"originalName\":\"[query - content hub ].kind\",\"mergedName\":\"kind\",\"fromId\":\"47a9f643-b2c8-45f8-91dc-2ee63e40a085\"},{\"originalName\":\"[query - content hub ].installedVersion\",\"mergedName\":\"installedVersion\",\"fromId\":\"47a9f643-b2c8-45f8-91dc-2ee63e40a085\"},{\"originalName\":\"[query - content hub ].availableVersion\",\"mergedName\":\"availableVersion\",\"fromId\":\"unknown\"},{\"originalName\":\"[Added column]\",\"mergedName\":\"isUpgrade\",\"fromId\":null,\"isNewItem\":true,\"newItemData\":[{\"criteriaContext\":{\"leftOperand\":\"availableVersion\",\"operator\":\"!=\",\"rightValType\":\"column\",\"rightVal\":\"installedVersion\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"column\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}]},{\"originalName\":\"[query - content hub ].version\",\"mergedName\":\"version\",\"fromId\":\"47a9f643-b2c8-45f8-91dc-2ee63e40a085\"},{\"originalName\":\"[query - content hub ].isNew\",\"mergedName\":\"isNew\",\"fromId\":\"47a9f643-b2c8-45f8-91dc-2ee63e40a085\"},{\"originalName\":\"[query - content hub ].isPreview\",\"mergedName\":\"isPreview\",\"fromId\":\"47a9f643-b2c8-45f8-91dc-2ee63e40a085\"},{\"originalName\":\"[query - content hub ].isFeatured\",\"mergedName\":\"isFeatured\",\"fromId\":\"47a9f643-b2c8-45f8-91dc-2ee63e40a085\"},{\"originalName\":\"[query - content hub ].firstPublishDate\",\"mergedName\":\"firstPublishDate\",\"fromId\":\"47a9f643-b2c8-45f8-91dc-2ee63e40a085\"},{\"originalName\":\"[query - content hub 
].lastPublishDate\",\"mergedName\":\"lastPublishDate\",\"fromId\":\"47a9f643-b2c8-45f8-91dc-2ee63e40a085\"},{\"originalName\":\"[query - content hub ].descriptionHtml\",\"mergedName\":\"descriptionHtml\",\"fromId\":\"47a9f643-b2c8-45f8-91dc-2ee63e40a085\"},{\"originalName\":\"[query - content hub ].threatAnalysisTactics\",\"mergedName\":\"threatAnalysisTactics\",\"fromId\":\"47a9f643-b2c8-45f8-91dc-2ee63e40a085\"},{\"originalName\":\"[query - content hub ].threatAnalyticsTechniques\",\"mergedName\":\"threatAnalyticsTechniques\",\"fromId\":\"47a9f643-b2c8-45f8-91dc-2ee63e40a085\"},{\"originalName\":\"[query - content hub ].propertiers\",\"mergedName\":\"propertiers\",\"fromId\":\"47a9f643-b2c8-45f8-91dc-2ee63e40a085\"},{\"originalName\":\"[query - content hub ].id\",\"mergedName\":\"id\",\"fromId\":\"47a9f643-b2c8-45f8-91dc-2ee63e40a085\"},{\"originalName\":\"[query - content hub ].systemData\",\"mergedName\":\"systemData\",\"fromId\":\"47a9f643-b2c8-45f8-91dc-2ee63e40a085\"},{\"originalName\":\"[query - content hub ].properties\",\"mergedName\":\"properties\",\"fromId\":\"unknown\"}]}",
"size": 0,
"title": "Solution Count: {$rowCount}, click row to read HTML description ",
"exportFieldName": "descriptionHtml",
"exportParameterName": "descriptionHtml",
"showExportToExcel": true,
"queryType": 7,
"gridSettings": {
"formatters": [
{
"columnMatch": "isUpgrade",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "true",
"representation": "success",
"text": ""
},
{
"operator": "Default",
"representation": "Blank",
"text": ""
}
]
}
},
{
"columnMatch": "isNew",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "true",
"representation": "Available",
"text": "{0}{1}"
},
{
"operator": "Default",
"representation": "Blank",
"text": ""
}
]
}
},
{
"columnMatch": "isPreview",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "true",
"representation": "Available",
"text": "{0}{1}"
},
{
"operator": "Default",
"representation": "Blank",
"text": ""
}
]
}
},
{
"columnMatch": "isFeatured",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "true",
"representation": "Available",
"text": ""
},
{
"operator": "Default",
"representation": "Blank",
"text": ""
}
]
}
},
{
"columnMatch": "firstPublishDate",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "unknown",
"text": ""
},
{
"operator": "Default",
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "lastPublishDate",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "unknown",
"text": ""
},
{
"operator": "Default",
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "id",
"formatter": 7,
"formatOptions": {
"linkTarget": "Resource",
"linkIsContextBlade": true
}
}
],
"rowLimit": 500,
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "workSpacename",
"comparison": "isNotEqualTo"
},
"showPin": false,
"name": "query - merged view to show Update available"
},
{
"type": 1,
"content": {
"json": "{descriptionHtml}"
},
"conditionalVisibility": {
"parameterName": "descriptionHtml",
"comparison": "isNotEqualTo"
},
"name": "text - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Usage\r\n// Get the Workspace Name(s) from a parameter\r\n| extend stringtoSplit = split(\"{WorkspaceIDguid}\",\",\")\r\n| mv-expand stringtoSplit\r\n| where stringtoSplit has TenantId\r\n| extend workSpacename = trim(@\"[^\\w]+\",tostring(split(stringtoSplit,\":\").[1]))\r\n| summarize by DataType, workSpacename, IsBillable\r\n| join ( Usage | make-series Trend=count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DataType ) on DataType\r\n\r\n",
"size": 0,
"title": "Table usage trend, count: {$rowCount}",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Group",
"formatter": 1
},
{
"columnMatch": "workSpacename",
"formatter": 1
},
{
"columnMatch": "IsBillable",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "false",
"representation": "4",
"text": "No"
},
{
"operator": "Default",
"representation": "success",
"text": "Yes"
}
]
}
},
{
"columnMatch": "DataType1",
"formatter": 5
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "pink"
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 5
},
{
"columnMatch": "TableName",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "150ch"
}
}
],
"filter": true,
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"workSpacename"
],
"expandTopLevel": true,
"finalBy": "workSpacename"
},
"sortBy": [
{
"itemKey": "$gen_thresholds_IsBillable_3",
"sortOrder": 2
}
],
"labelSettings": [
{
"columnId": "DataType",
"label": "Table Name"
}
]
},
"sortBy": [
{
"itemKey": "$gen_thresholds_IsBillable_3",
"sortOrder": 2
}
]
},
"name": "query - bill and trend"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "tables"
},
"name": "group - Tables"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Group: Rules",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "2b1d3b81-3847-4840-86ad-da410dda4854",
"version": "KqlParameterItem/1.0",
"name": "ws",
"type": 5,
"isRequired": true,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| extend customerID = trim(' ', tostring(properties.customerId))\r\n| project id, customerID, name=tolower(name)\r\n|join \r\n(\r\n\tresources\r\n\t// Just show Workspaces that have Sentinel enabled\r\n\t| where type =~ \"microsoft.operationsmanagement/solutions\"\r\n\t| where name has \"SecurityInsights\"\r\n\t| parse name with * '(' s_workspace ')'*\r\n\t| project name=tolower(s_workspace)\r\n) on name\r\n| project tolower(id), tostring(name), a='{Workspace:name}'\r\n| where a has name ",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": ""
}
],
"style": "above",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "parameters - 1"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "d2396b84-e61b-4e41-aef3-0881bf5cfbcc",
"version": "KqlParameterItem/1.0",
"name": "status_",
"label": "Select Status",
"type": 10,
"isRequired": true,
"typeSettings": {
"showDefault": false
},
"jsonData": "[\r\n { \"value\": \"@.properties.enabled==true\", \"label\": \"Enabled\", \"selected\":true }, \r\n { \"value\": \"@.properties.enabled==false\", \"label\": \"Disabled\"}\r\n]\r\n\r\n",
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 2 - Copy"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "f6a164ad-c1b8-4765-bafa-4b773bf58a67",
"version": "KqlParameterItem/1.0",
"name": "ruleKind",
"type": 10,
"isRequired": true,
"typeSettings": {
"showDefault": false
},
"jsonData": "[\r\n { \"value\": \"@.kind=='MicrosoftSecurityIncidentCreation'\", \"label\": \"Microsoft Incident Creation\" }, \r\n { \"value\": \"@.kind=='Fusion'\", \"label\": \"Microsoft Fusion\" }, \r\n { \"value\": \"@.kind=='NRT'\", \"label\": \"NRT\" },\r\n { \"value\": \"@.kind=='MLBehaviorAnalytics'\", \"label\": \"MLBehaviorAnalytics\" },\r\n { \"value\": \"@.kind=='ThreatIntelligence'\", \"label\": \"ThreatIntelligence\" }, \r\n { \"value\": \"@.kind=='Scheduled'\", \"label\": \"Scheduled\", \"selected\":true }\r\n]\r\n\r\n",
"timeContext": {
"durationMs": 86400000
},
"label": "Select the Rule Kind"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{ws:subscription}/resourceGroups/{ws:resourcegroup}/providers/Microsoft.OperationalInsights/workspaces/{ws:name}/providers/Microsoft.SecurityInsights/alertRules\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2023-02-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value[?( {ruleKind} && {status_} )]\",\"columns\":[{\"path\":\"$.properties.displayName\",\"columnid\":\"RuleName\"},{\"path\":\"$.properties.description\",\"columnid\":\"Description\"},{\"path\":\"$.name\",\"columnid\":\"AlertRuleID\"},{\"path\":\"$.kind\",\"columnid\":\"Kind\"},{\"path\":\"$.properties.productFilter\",\"columnid\":\"ProductName\"},{\"path\":\"$.properties.enabled\",\"columnid\":\"Status\"},{\"path\":\"$.properties\",\"columnid\":\"prop\"},{\"path\":\"properties.severity\",\"columnid\":\"Severity\"},{\"path\":\"$.properties.lastModifiedUtc\",\"columnid\":\"lastModifiedUtc\"},{\"path\":\"$.properties.tactics\",\"columnid\":\"Tactics\"},{\"path\":\"$.properties.techniques\",\"columnid\":\"Techniques\"},{\"path\":\"properties.queryFrequency\",\"columnid\":\"queryFrequency\"},{\"path\":\"properties.queryPeriod\",\"columnid\":\"queryPeriod\"},{\"path\":\"properties.triggerOperator\",\"columnid\":\"triggerOperator\"},{\"path\":\"properties.triggerThreshold\",\"columnid\":\"triggerThreshold\"},{\"path\":\"properties.eventGroupingSettings.aggregationKind\",\"columnid\":\"eventGroupingSettings\"},{\"path\":\"properties.entityMappings\",\"columnid\":\"entityMappings\"},{\"path\":\"properties.incidentConfiguration\",\"columnid\":\"incidentConfiguration\"},{\"path\":\"properties.alertDetailsOverride\",\"columnid\":\"alertDetailsOverride\"}]}}]}",
"size": 0,
"title": "Deployed Rules - Rule count: {$rowCount}, for: {ws:name}",
"noDataMessage": "No analytic rules are defined.",
"exportedParameters": [
{
"fieldName": "AlertRuleID",
"parameterName": "AlertRuleID",
"parameterType": 1
},
{
"fieldName": "ProductName",
"parameterName": "ProductName",
"parameterType": 1
},
{
"fieldName": "Tactics",
"parameterName": "Tactics",
"parameterType": 1
},
{
"fieldName": "RuleName",
"parameterName": "RuleName",
"parameterType": 1
},
{
"fieldName": "Status",
"parameterName": "Status",
"parameterType": 1
},
{
"fieldName": "prop",
"parameterName": "prop",
"parameterType": 1
}
],
"showExportToExcel": true,
"exportToExcelOptions": "all",
"queryType": 12,
"gridSettings": {
"formatters": [
{
"columnMatch": "Kind",
"formatter": 1
},
{
"columnMatch": "ProductName",
"formatter": 5
},
{
"columnMatch": "Status",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "true",
"representation": "success",
"text": "Enabled"
},
{
"operator": "==",
"thresholdValue": "false",
"representation": "disabled",
"text": "Disabled"
},
{
"operator": "Default",
"representation": "Blank",
"text": ""
}
]
}
},
{
"columnMatch": "prop",
"formatter": 5
},
{
"columnMatch": "Severity",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "High",
"representation": "Sev1",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Medium",
"representation": "Sev2",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Low",
"representation": "Sev3",
"text": "{0}{1}"
},
{
"operator": "Default",
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "entityMappings",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkIsContextBlade": true
}
},
{
"columnMatch": "enabled",
"formatter": 1,
"formatOptions": {
"compositeBarSettings": {
"labelText": "",
"columnSettings": [
{
"columnName": "enabled",
"color": "green"
}
]
}
}
}
],
"rowLimit": 512,
"filter": true,
"sortBy": [
{
"itemKey": "lastModifiedUtc",
"sortOrder": 2
}
],
"labelSettings": [
{
"columnId": "RuleName",
"label": "Rule name"
},
{
"columnId": "AlertRuleID",
"label": "Alert rule ID"
},
{
"columnId": "Kind",
"label": "Rule type"
},
{
"columnId": "ProductName",
"label": "Product name"
}
]
},
"sortBy": [
{
"itemKey": "lastModifiedUtc",
"sortOrder": 2
}
],
"graphSettings": {
"type": 0
},
"mapSettings": {
"locInfo": "LatLong"
}
},
"name": "Analytic rules"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "rules"
},
"name": "group - rules"
}
],
"fromTemplateId": "sentinel-SentinelCentral",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}