Azure-Sentinel/Workbooks/AdvancedWorkbookConcepts.json

{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Subscription}"
],
"parameters": [
{
"id": "9c0594a1-1401-406f-b2b3-0881dc3d8fa8",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": [],
"includeAll": true
},
"value": ""
},
{
"id": "219a13ff-9397-41c3-8f8e-99667ec05f79",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
"query": "resources\r\n| where type == 'microsoft.operationalinsights/workspaces'\r\n| project id, name\r\n| order by tolower(name) asc",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"additionalResourceOptions": []
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": ""
}
],
"style": "above",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "parameters - 6"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"tabStyle": "bigger",
"links": [
{
"id": "8a5fafd7-91a6-4948-a3f6-a013450a0219",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Introduction",
"subTarget": "0",
"style": "link",
"tabWidth": "300px"
},
{
"id": "d44c2a8a-481d-4ffd-82b5-6c06ee08fd79",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Sources",
"subTarget": "1",
"style": "link",
"tabWidth": "300px"
},
{
"id": "1ac3245a-be61-4c40-bcfc-607d85de4822",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Graphs",
"subTarget": "2",
"style": "link",
"tabWidth": "300px"
},
{
"id": "828d5251-4ac8-4b8e-a060-b1befb82310b",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Linking",
"subTarget": "3",
"style": "link",
"tabWidth": "300px"
},
{
"id": "128c5da2-c237-464d-9bb6-131083f043fb",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Concepts",
"subTarget": "4",
"style": "link",
"tabWidth": "300px"
}
]
},
"name": "links - 0",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "### Welcome to Workbooks 202\r\n\r\nThis is a continuation of Workbooks 101. In the first course, the topics covered were:\r\n- The basics of Workbooks (Visuals, Charts, Graphs)\r\n- Tabs\r\n- Groups\r\n- Time brushing\r\n- Dynamic content\r\n- Personalization\r\n\r\nIn this course, the topics covered will be:\r\n- Different source options for data\r\n- Interactive graphs\r\n- Linking items\r\n- Additional advanced concepts\r\n\r\nThe goal of this course is to learn more advanced content that primarily focuses on integrating other sources and services into a single workbook in order to have it operate more as a multi-level tool than just a data visualization item. By the end of the course, you should understand:\r\n- Integrating additional data sources such as Azure Resource Graph and Azure Resource Manager\r\n- Building and displaying interactive graphs\r\n- Linking other areas of Azure to the Workbook\r\n- Additional advanced concepts to make workbooks deeper and more valuable"
},
"name": "text - 0"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "0"
},
"name": "Introduction"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Azure Resource Graph",
"expandable": true,
"items": [
{
"type": 1,
"content": {
"json": "### Azure Resource Graph Query\r\n\r\nAzure Resource Graph (ARG) allows for the querying of subscription-wide data that is current. This can range from data such as:\r\n- Policy compliance\r\n- Resources deployed\r\n- Resource configuration\r\n\r\nWhen it comes to utilizing ARG, it is most commonly used for fetching existing resources within the environment. This is used in combination with parameters in order to create items like drop-down selectors of resources. </br>\r\n\r\nARG uses KQL to query the information from the scope. The scope can be set to subscription level, tenant level, or management group level. As mentioned, the data returned is current data, meaning historical data cannot be queried. If this is desired, it is recommended to ingest the ARG data into the Log Analytics workspace as a custom data source.\r\n\r\nChances are that the details of interest will be under a 'properties' column. This will require some parsing. An example would be ```extend TEST = properties.name```.\r\n\r\nFor more information on ARG, please see https://learn.microsoft.com/azure/azure-monitor/visualize/workbooks-data-sources#azure-resource-graph\r\n\r\nThe query being used for this example is:\r\n\r\n```\r\nresources\r\n| where type has 'microsoft.insights/workbooks'\r\n| extend DisplayName = properties.displayName\r\n```"
},
"customWidth": "50",
"name": "text - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "resources\r\n| where type has 'microsoft.insights/workbooks'\r\n| extend DisplayName = properties.displayName",
"size": 0,
"title": "Azure Resource Graph",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"customWidth": "50",
"name": "query - 0"
}
]
},
"name": "ARG"
},
{
"type": 1,
"content": {
"json": "--------------------------"
},
"name": "text - 2"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Azure Resource Manager",
"expandable": true,
"items": [
{
"type": 1,
"content": {
"json": "### Azure Resource Manager\r\n\r\nAzure Resource Manager (ARM) allows for information and data to be pulled in via an API call. The main differences between ARM and a custom endpoint are:\r\n- ARM does not require an auth token to be generated as it uses the current user's token\r\n- ARM does not require a full URI\r\n\r\n#### URI\r\nThe URI for an ARM call is the second half of a regular URI. What this means is, rather than it being ```https://management.azure.com/subscriptions/SUBID/resourcegroups/RG/PROVIDER```, the URI used for an ARM call would just be ```/subscriptions/SUBID/resourcegroups/RG/PROVIDER```. The call will still require an API version.\r\n\r\n#### Response\r\nLike regular API calls, the response will be in JSON format. This will require some reformatting in order to present the results as logs. To do so:\r\n1. Edit the ARM item.\r\n2. Go to 'Result Settings'.\r\n3. Change 'result format' to be 'JSON path'.\r\n4. Under 'JSON path table', enter $.value.\r\n5. Within the section below JSON path table, begin defining columns and the JSON path where each value can be found.\r\n\r\nExample: Column ID: Name, Column JSON path: $.properties.displayName\r\n\r\nTo get results for the sample, set the subscription, resource group, and workspace to pull from. The ARM call is currently set to query the Microsoft Sentinel analytic rules API. </br>\r\n\r\nFor more information on JSONPath, please see: https://learn.microsoft.com/azure/azure-monitor/visualize/workbooks-jsonpath\r\nFor more information on ARM, please see https://learn.microsoft.com/azure/azure-monitor/visualize/workbooks-data-sources#azure-resource-manager\r\n"
},
"customWidth": "40",
"name": "text - 3"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "1912c963-a856-47ea-ba0f-538612bf9713",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"typeSettings": {
"additionalResourceOptions": [],
"includeAll": true
},
"timeContext": {
"durationMs": 86400000
},
"value": ""
},
{
"id": "7f166153-4412-4e68-a367-b4355921be83",
"version": "KqlParameterItem/1.0",
"name": "Workspace2",
"type": 5,
"query": "resources\r\n| where type == 'microsoft.operationalinsights/workspaces'\r\n| project id, name\r\n| order by tolower(name) asc",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": "",
"label": "Workspace"
},
{
"id": "0e9b267b-5b15-4cd2-a343-85443fc83ade",
"version": "KqlParameterItem/1.0",
"name": "ResourceGroup",
"label": "Resource Group",
"type": 1,
"query": "print '{Workspace:resourcegroup}'",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "15",
"name": "parameters - 4"
},
{
"type": 1,
"content": {
"json": "The URI based on the input will be </br>\r\n\r\n#### {Workspace2}/providers/Microsoft.SecurityInsights/alertRules"
},
"customWidth": "45",
"name": "text - 17"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{Workspace2}/providers/Microsoft.SecurityInsights/alertRules\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2021-10-01-preview\"}],\"batchDisabled\":false,\"transformers\":null}",
"size": 0,
"title": "Azure Resource Manager Results Unparsed",
"queryType": 12
},
"customWidth": "50",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{Workspace2}/providers/Microsoft.SecurityInsights/alertRules\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2021-10-01-preview\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"$.properties.displayName\",\"columnid\":\"DisplayName\"},{\"path\":\"$.name\",\"columnid\":\"Name\"},{\"path\":\"$.kind\",\"columnid\":\"Kind\"},{\"path\":\"$.properties.severity\",\"columnid\":\"Severity\"},{\"path\":\"$.properties.query\",\"columnid\":\"Query\"},{\"path\":\"$.properties.entityMappings\",\"columnid\":\"Entities\"}]}}]}",
"size": 0,
"title": "Azure Resource Manager Results Parsed",
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"formatters": [
{
"columnMatch": "Entities",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true
}
}
],
"rowLimit": 1000,
"filter": true
}
},
"customWidth": "50",
"name": "query - 5 - Copy"
}
]
},
"name": "ARM"
},
{
"type": 1,
"content": {
"json": "------------"
},
"name": "text - 6"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Azure Data Explorer",
"expandable": true,
"items": [
{
"type": 1,
"content": {
"json": "### Azure Data Explorer\r\n\r\nUse data that is being stored with Azure Data Explorer for components of the workbook. This method requires the database name and table name in order for Azure to properly find the data. The data within the table can be queried with regular KQL.\r\n\r\nFor the data, this example is using the help database and samples table found here: https://dataexplorer.azure.com/clusters/help/databases/Samples\r\n\r\nThe query example here is:\r\n\r\n```\r\nStormEvents \r\n| project column_ifexists(\"Capital\", State)\r\n| summarize by State\r\n| order by State asc\r\n```\r\n\r\nFor more information on ADX, please see https://learn.microsoft.com/azure/azure-monitor/visualize/workbooks-data-sources#azure-data-explorer"
},
"customWidth": "50",
"name": "text - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"AzureDataExplorerQuery/1.0\",\"queryText\":\"StormEvents | project column_ifexists(\\\"Capital\\\", State)\\r\\n| summarize by State\\r\\n| order by State asc\",\"clusterName\":\"help\",\"databaseName\":\"Samples\"}",
"showQuery": true,
"size": 0,
"title": "Sample Data via ADX",
"queryType": 9,
"gridSettings": {
"filter": true
}
},
"customWidth": "50",
"name": "query - 8"
}
]
},
"name": "ADX"
},
{
"type": 1,
"content": {
"json": "------------"
},
"name": "text - 9"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Merge",
"expandable": true,
"items": [
{
"type": 1,
"content": {
"json": "### Merge\r\n\r\nMerge queries allow for two or more queries to be 'merged' together. This is done via a join like in KQL. Merges support the following join types:\r\n- inner unique\r\n- full inner/outer\r\n- left inner/outer\r\n- left semi/anti\r\n- right inner/outer\r\n- right semi/anti\r\n- union\r\n\r\nMerge requires that two tables and two columns are submitted as input in order to perform the join. The results found will depend on the type of join that was selected. To perform multiple joins in a merge, it is just a matter of adding another join within the merge and selecting the tables. The main difference with a second join is that the 'left' tables will only be those involved in the first join, while the 'right' tables will be any table available.\r\n\r\nThe example below combines query one (SigninLogs) with query two (OfficeActivity) based on UserPrincipalName == UserId. The join type is inner unique. The column used for the join is highlighted.\r\n\r\nFor more information on merge, please see: https://learn.microsoft.com/azure/azure-monitor/visualize/workbooks-data-sources#merge"
},
"name": "text - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| project TimeGenerated, ResourceId, OperationName, ResultType, Identity, UserPrincipalName, AppDisplayName\r\n| take 100\r\n| order by TimeGenerated",
"size": 0,
"showAnalytics": true,
"title": "Query One (SigninLogs)",
"timeContext": {
"durationMs": 86400000
},
"showRefreshButton": true,
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"filter": true
}
},
"customWidth": "50",
"name": "Q1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OfficeActivity\r\n| project TimeGenerated, Operation, UserType, OfficeWorkload, ResultStatus, ResultReasonType, OfficeObjectId, UserId, ExternalAccess, Logon_Type\r\n| take 100\r\n| order by TimeGenerated",
"size": 0,
"showAnalytics": true,
"title": "Query Two (OfficeActivity)",
"timeContext": {
"durationMs": 86400000
},
"showRefreshButton": true,
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"filter": true
}
},
"customWidth": "50",
"name": "Q2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\",\"mergeType\":\"innerunique\",\"leftTable\":\"Q1\",\"rightTable\":\"Q2\",\"leftColumn\":\"UserPrincipalName\",\"rightColumn\":\"UserId\"}],\"projectRename\":[{\"originalName\":\"[Q1].TimeGenerated\",\"mergedName\":\"TimeGenerated\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].ResourceId\",\"mergedName\":\"ResourceId\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].OperationName\",\"mergedName\":\"OperationName\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].OperationVersion\",\"mergedName\":\"OperationVersion\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].Category\",\"mergedName\":\"Category\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].ResultType\",\"mergedName\":\"ResultType\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].ResultSignature\",\"mergedName\":\"ResultSignature\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].ResultDescription\",\"mergedName\":\"ResultDescription\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].DurationMs\",\"mergedName\":\"DurationMs\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].CorrelationId\",\"mergedName\":\"CorrelationId\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].Resource\",\"mergedName\":\"Resource\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].ResourceGroup\",\"mergedName\":\"ResourceGroup\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].ResourceProvider\",\"mergedName\":\"ResourceProvider\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].Identity\",\"mergedName\":\"Identity\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1
f7d23b\"},{\"originalName\":\"[Q1].Level\",\"mergedName\":\"Level\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].Location\",\"mergedName\":\"Location\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].AlternateSignInName\",\"mergedName\":\"AlternateSignInName\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].AppDisplayName\",\"mergedName\":\"AppDisplayName\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].AppId\",\"mergedName\":\"AppId\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].AuthenticationContextClassReferences\",\"mergedName\":\"AuthenticationContextClassReferences\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].AuthenticationDetails\",\"mergedName\":\"AuthenticationDetails\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].AuthenticationMethodsUsed\",\"mergedName\":\"AuthenticationMethodsUsed\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].AuthenticationProcessingDetails\",\"mergedName\":\"AuthenticationProcessingDetails\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].AuthenticationRequirement\",\"mergedName\":\"AuthenticationRequirement\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].AuthenticationRequirementPolicies\",\"mergedName\":\"AuthenticationRequirementPolicies\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].ClientAppUsed\",\"mergedName\":\"ClientAppUsed\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].ConditionalAccessPolicies\",\"mergedName\":\"ConditionalAccessPolicies\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].ConditionalAccessStatus\",\"mergedName\":\"ConditionalAccessStatus\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"origina
lName\":\"[Q1].CreatedDateTime\",\"mergedName\":\"CreatedDateTime\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].DeviceDetail\",\"mergedName\":\"DeviceDetail\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].IsInteractive\",\"mergedName\":\"IsInteractive\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].Id\",\"mergedName\":\"Id\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].IPAddress\",\"mergedName\":\"IPAddress\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].IsRisky\",\"mergedName\":\"IsRisky\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].LocationDetails\",\"mergedName\":\"LocationDetails\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].MfaDetail\",\"mergedName\":\"MfaDetail\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].NetworkLocationDetails\",\"mergedName\":\"NetworkLocationDetails\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].OriginalRequestId\",\"mergedName\":\"OriginalRequestId\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].ProcessingTimeInMilliseconds\",\"mergedName\":\"ProcessingTimeInMilliseconds\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].RiskDetail\",\"mergedName\":\"RiskDetail\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].RiskEventTypes\",\"mergedName\":\"RiskEventTypes\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].RiskEventTypes_V2\",\"mergedName\":\"RiskEventTypes_V2\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].RiskLevelAggregated\",\"mergedName\":\"RiskLevelAggregated\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].RiskLevelDuringSignIn\",\"mergedName\":\"RiskLevelDu
ringSignIn\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].RiskState\",\"mergedName\":\"RiskState\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].ResourceDisplayName\",\"mergedName\":\"ResourceDisplayName\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].ResourceIdentity\",\"mergedName\":\"ResourceIdentity\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].ResourceServicePrincipalId\",\"mergedName\":\"ResourceServicePrincipalId\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].ServicePrincipalId\",\"mergedName\":\"ServicePrincipalId\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].ServicePrincipalName\",\"mergedName\":\"ServicePrincipalName\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].Status\",\"mergedName\":\"Status\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].TokenIssuerName\",\"mergedName\":\"TokenIssuerName\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].TokenIssuerType\",\"mergedName\":\"TokenIssuerType\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].UserAgent\",\"mergedName\":\"UserAgent\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].UserDisplayName\",\"mergedName\":\"UserDisplayName\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].UserId\",\"mergedName\":\"UserId\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].UserPrincipalName\",\"mergedName\":\"UserPrincipalName\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].AADTenantId\",\"mergedName\":\"AADTenantId\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].UserType\",\"mergedName\":\"UserType\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"}
,{\"originalName\":\"[Q1].FlaggedForReview\",\"mergedName\":\"FlaggedForReview\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].IPAddressFromResourceProvider\",\"mergedName\":\"IPAddressFromResourceProvider\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].SignInIdentifier\",\"mergedName\":\"SignInIdentifier\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].SignInIdentifierType\",\"mergedName\":\"SignInIdentifierType\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].ResourceTenantId\",\"mergedName\":\"ResourceTenantId\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].HomeTenantId\",\"mergedName\":\"HomeTenantId\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].UniqueTokenIdentifier\",\"mergedName\":\"UniqueTokenIdentifier\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].SessionLifetimePolicies\",\"mergedName\":\"SessionLifetimePolicies\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].AutonomousSystemNumber\",\"mergedName\":\"AutonomousSystemNumber\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].AppliedConditionalAccessPolicies\",\"mergedName\":\"AppliedConditionalAccessPolicies\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].RiskLevel\",\"mergedName\":\"RiskLevel\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q1].Type\",\"mergedName\":\"Type\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q2].TimeGenerated\",\"mergedName\":\"TimeGenerated1\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q2].Operation\",\"mergedName\":\"Operation\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q2].UserType\",\"mergedName\":\"UserType1\",\"fromId\":\"4b3b840c-6abd-498c-81c
8-681ab1f7d23b\"},{\"originalName\":\"[Q2].OfficeWorkload\",\"mergedName\":\"OfficeWorkload\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q2].ResultStatus\",\"mergedName\":\"ResultStatus\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q2].ResultReasonType\",\"mergedName\":\"ResultReasonType\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q2].OfficeObjectId\",\"mergedName\":\"OfficeObjectId\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q2].UserId\",\"mergedName\":\"UserId1\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q2].ExternalAccess\",\"mergedName\":\"ExternalAccess\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"},{\"originalName\":\"[Q2].Logon_Type\",\"mergedName\":\"Logon_Type\",\"fromId\":\"4b3b840c-6abd-498c-81c8-681ab1f7d23b\"}]}",
"size": 0,
"showAnalytics": true,
"title": "Merge",
"showRefreshButton": true,
"showExportToExcel": true,
"queryType": 7,
"gridSettings": {
"formatters": [
{
"columnMatch": "UserPrincipalName",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "Default",
"thresholdValue": null,
"representation": "yellow",
"text": "{0}{1}"
}
]
}
}
]
}
},
"showPin": false,
"name": "query - 13"
}
]
},
"name": "Merge"
},
{
"type": 1,
"content": {
"json": "---------------"
},
"name": "text - 14"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Custom",
"expandable": true,
"items": [
{
"type": 1,
"content": {
"json": "### Custom\r\n\r\nCustom sources can be leveraged in workbooks. This option is great when looking to host data or information outside of Azure while still leveraging it within Workbooks. There are two main methods for doing this.\r\n\r\n#### External Data\r\nExternal data refers to using KQL and the externaldata operator to point to a web address for a file. By using the operator, a custom table can be built while defining the columns and the data type within each column. \r\n\r\nAs an example, we will reference a publicly hosted GitHub JSON file at https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/CEF/SymantecDLP.json\r\n\r\nFor more information on the externaldata operator, please refer to https://learn.microsoft.com/azure/data-explorer/kusto/query/externaldata-operator?pivots=azuremonitor.\r\n\r\n#### Custom Endpoint\r\nCustom endpoints represent API endpoints or web-hosted files that may provide additional information that is relevant to a workbook. If using an API endpoint, this will function as a regular API call where it requires a full URI, auth token, and API version. For web-hosted files, an auth token and API version are not required. The results from both options will require parsing in order to show them in a log format. This can be done via the result settings in the custom endpoint call or via KQL.\r\n\r\nAs the data is hosted outside of Azure, it is natively treated as untrusted. Upon the first call to the source, the workbook will raise a warning about the source and will require that the source is marked as trusted.\r\n\r\nAs an example, the query below will be using https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/master/Events/RecommendedEvents.json as a custom endpoint to reference data hosted in the JSON file. \r\n\r\nFor more information on custom endpoints, please see https://learn.microsoft.com/azure/azure-monitor/visualize/workbooks-data-sources#custom-endpoint."
},
"name": "text - 15"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "externaldata (SourceSystem:string, TimeGenerated: datetime, ReceiptTime: datetime, DeviceVendor:string, DeviceProduct: string, DeviceEventClassID: string, LogSeverity: string, OriginalSeverity: string, DeviceAction:string, SimplifiedDeviceAction: string, Computer: string, CommunicationDirection: string, DeviceFacility:string, DestinationPort:string, Activity:string, AdditionalExtensions:string) [\r\n @'https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/CEF/SymantecDLP.json'\r\n] with (format=\"multijson\")",
"showQuery": true,
"size": 0,
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"filter": true
}
},
"name": "query - 21"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "39d94aec-cff6-4220-ac5e-9d81a462fc81",
"version": "KqlParameterItem/1.0",
"name": "CECall",
"type": 1,
"query": "{\"version\":\"CustomEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"url\":\"https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/master/Events/RecommendedEvents.json\",\"contentType\":\"text/plain\",\"urlParams\":[],\"transformers\":null,\"ignoreStandardHeaders\":true}",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
},
"queryType": 10
}
],
"style": "pills",
"queryType": 10
},
"name": "parameters - 19"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"CustomEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"url\":\"https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/master/Events/RecommendedEvents.json\",\"contentType\":\"text/plain\",\"urlParams\":[],\"transformers\":null,\"ignoreStandardHeaders\":true}",
"size": 0,
"title": "Custom Endpoint with Results Unparsed",
"queryType": 10,
"gridSettings": {
"formatters": [
{
"columnMatch": "Column",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkIsContextBlade": true
}
}
]
}
},
"customWidth": "50",
"name": "query - 16"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "// First, parse the NSA JSON returned by the custom endpoint parameter\r\nprint events=todynamic({CECall:parsejson})\r\n| extend events = events['Recommended Events to Collect']\r\n// Pivot each category into its own row\r\n| mv-apply events on (\r\n extend Category = tostring(bag_keys(events)[0])\r\n | extend description = events[Category].description, events = events[Category].events\r\n)\r\n// Pivot each event within a category into its own row\r\n| mv-apply events on (\r\n extend eventName = tostring(bag_keys(events)[0])\r\n | extend eventId = tostring(bag_keys(events[eventName])[0])\r\n | extend properties = events[eventName][eventId]\r\n | project-away events\r\n)\r\n| order by eventId asc",
"showQuery": true,
"size": 0,
"title": "Custom Endpoint with Results Parsed",
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"name": "query - 20"
}
]
},
"name": "Custom"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "1"
},
"name": "Sources"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## Graphs \r\n\r\nGraphs (not the same as charts) are a visualization that offers an interactive node-relation visual to represent data flows, connections, or sequences. Graphs take more effort to build, as each component has to be built out via KQL.\r\n\r\n#### Structure\r\nA graph query can be broken up into 3 parts:\r\n- The data: represents which logs will be used and referred to when building the nodes and links. This can be a single table, or multiple tables that have been joined together.\r\n- The nodes: represent the items of interest in the graph. These will be the items presented within the graph. These may be items such as accounts, devices, processes, or other trackable items. \r\n- The links: represent a relation between the nodes. This is manually defined in the query by the user and reflected in the results. Relations can be scenarios such as authentications, processes started by a user, files uploaded by a user, communication between devices, and more. </br>\r\n\r\nAll of these components are combined in one query that will be used to build the graph.\r\n\r\n#### Building\r\nBuilding the query utilizes several let statements in order to store results or components. First, it will need the data portion. This can be as simple as:\r\n\r\n```\r\nlet data = SigninLogs | extend Account = tostring(split(UserDisplayName, '@')[0]) | summarize by Account, UserDisplayName, IPAddress | join kind = leftouter SecurityEvent on Account;\r\n```\r\n\r\nOnce the data is configured, it's time to set the links. This will involve defining what the link relations are, notated with a '->' to signal the direction of the relation. Links dictate which nodes are connected to which. An example would look like:\r\n\r\n```\r\nlet links = data\r\n\t| summarize by Source = Account, Target = Computer, Kind = 'Account -> Machine';\r\n```\r\n\r\nOnce the links are made, it's time for nodes. This will involve defining what the nodes will be. Think of nodes as the plots on a chart in that they will be interconnected via a common data piece. This may look like:\r\n\r\n```\r\nlet nodes = data \r\n\t| summarize by Id = Account, Name = Account, Kind = 'Account'\r\n\t| union (data\r\n | summarize by Id = Computer, Name = Computer, Kind = 'Machine');\r\n```\r\n\r\n#### Settings\r\nOnce the data, links, and nodes are ready, it's time to build the graph. The query will need to work before this can proceed. If the query is working:\r\n1. Edit the query.\r\n2. Click on 'Graph Settings'. A side menu will appear.\r\n3. These settings are what will determine how the graph looks. The settings near the top determine the nodes and what is displayed. It is recommended to put 'name' as the center content and 'kind' as the bottom content. Other content can be added as desired.\r\n4. Under layout settings, set node id to 'id', source id to 'source', and target id to 'target' </br>\r\nOptional: set the coloring type for the nodes at the bottom. \r\n5. When ready, click save and close at the bottom. </br>\r\n\r\nThe graph will now generate based on the data and settings.\r\n\r\nFor more information on graphs, please see https://learn.microsoft.com/azure/azure-monitor/visualize/workbooks-graph-visualizations."
},
"customWidth": "50",
"name": "text - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let WinAuth = SecurityEvent\r\n| where EventID == 4624 or EventID == 4625\r\n| where Account !startswith('\\\\')\r\n| summarize by Account = tolower(Account), Computer\r\n| top 200 by Account;\r\nlet AlertAccounts =SecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| extend Type = Entities.Type\r\n| where tostring(Type) has 'account'\r\n| extend Account = tolower(tostring(Entities.Name))\r\n| union (SecurityAlert\r\n | mv-expand todynamic(Entities)\r\n | extend Type = Entities.Type\r\n | where tostring(Type) has 'account'\r\n | extend Account = tolower(tostring(Entities.DisplayName))\r\n | summarize by Account = tolower(Account))\r\n| where isnotempty(Account)\r\n| extend Account = split(tostring(Account), '@')[0]\r\n| summarize count() by tostring(Account)\r\n| extend isPotentiallyCompromised = iff(count_ >= 10, 'True', 'False');\r\nlet Compromised = WinAuth\r\n |join kind = innerunique AlertAccounts on Account\r\n | project Account, Computer, isPotentiallyCompromised;\r\nlet data = WinAuth\r\n | join kind = leftouter Compromised on Account\r\n | extend isPotentiallyCompromised = iff(isempty(isPotentiallyCompromised), 'False', isPotentiallyCompromised);\r\ndata",
"size": 0,
"title": "Graph Query Data",
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let WinAuth = SecurityEvent\r\n| where EventID == 4624 or EventID == 4625\r\n| where Account !startswith('\\\\')\r\n| summarize by Account = tolower(Account), Computer\r\n| top 200 by Account;\r\nlet AlertAccounts =SecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| extend Type = Entities.Type\r\n| where tostring(Type) has 'account'\r\n| extend Account = tolower(tostring(Entities.Name))\r\n| union (SecurityAlert\r\n | mv-expand todynamic(Entities)\r\n | extend Type = Entities.Type\r\n | where tostring(Type) has 'account'\r\n | extend Account = tolower(tostring(Entities.DisplayName))\r\n | summarize by Account = tolower(Account))\r\n| where isnotempty(Account)\r\n| extend Account = split(tostring(Account), '@')[0]\r\n| summarize count() by tostring(Account)\r\n| extend isPotentiallyCompromised = iff(count_ >= 10, 'True', 'False');\r\nlet Compromised = WinAuth\r\n |join kind = innerunique AlertAccounts on Account\r\n | project Account, Computer, isPotentiallyCompromised;\r\nlet data = WinAuth\r\n | join kind = leftouter Compromised on Account\r\n | extend isPotentiallyCompromised = iff(isempty(isPotentiallyCompromised), 'False', isPotentiallyCompromised)\r\n | project-away Account1, Computer1;\r\nlet links = data\r\n| summarize by Source = Account, Target = Computer, Kind = 'Account -> Machine';\r\nlinks",
"size": 0,
"title": "Graph Query Data with Links",
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"filter": true
}
},
"customWidth": "50",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let WinAuth = SecurityEvent\r\n| where EventID == 4624 or EventID == 4625\r\n| where Account !startswith('\\\\')\r\n| summarize by Account = tolower(Account), Computer\r\n| top 200 by Account;\r\nlet AlertAccounts =SecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| extend Type = Entities.Type\r\n| where tostring(Type) has 'account'\r\n| extend Account = tolower(tostring(Entities.Name))\r\n| union (SecurityAlert\r\n | mv-expand todynamic(Entities)\r\n | extend Type = Entities.Type\r\n | where tostring(Type) has 'account'\r\n | extend Account = tolower(tostring(Entities.DisplayName))\r\n | summarize by Account = tolower(Account))\r\n| where isnotempty(Account)\r\n| extend Account = split(tostring(Account), '@')[0]\r\n| summarize count() by tostring(Account)\r\n| extend isPotentiallyCompromised = iff(count_ >= 10, 'True', 'False');\r\nlet Compromised = WinAuth\r\n |join kind = innerunique AlertAccounts on Account\r\n | project Account, Computer, isPotentiallyCompromised;\r\nlet data = WinAuth\r\n | join kind = leftouter Compromised on Account\r\n | extend isPotentiallyCompromised = iff(isempty(isPotentiallyCompromised), 'False', isPotentiallyCompromised)\r\n | project-away Account1, Computer1;\r\nlet links = data\r\n| summarize by Source = Account, Target = Computer, Kind = 'Account -> Machine';\r\nlet nodes = data \r\n| summarize by Id = Account, Name = Account, Kind = 'Account'\r\n| union (data\r\n | summarize by Id = Computer, Name = Computer, Kind = 'Machine');\r\nnodes\r\n| union links",
"size": 0,
"title": "Graph Query Data with Nodes and Links",
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"rowLimit": 1000,
"filter": true
}
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let WinAuth = SecurityEvent\r\n| where EventID == 4624 or EventID == 4625\r\n| where Account !startswith('\\\\')\r\n| summarize by Account = tolower(Account), Computer\r\n| top 200 by Account;\r\nlet AlertAccounts =SecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| extend Type = Entities.Type\r\n| where tostring(Type) has 'account'\r\n| extend Account = tolower(tostring(Entities.Name))\r\n| union (SecurityAlert\r\n | mv-expand todynamic(Entities)\r\n | extend Type = Entities.Type\r\n | where tostring(Type) has 'account'\r\n | extend Account = tolower(tostring(Entities.DisplayName))\r\n | summarize by Account = tolower(Account))\r\n| where isnotempty(Account)\r\n| extend Account = split(tostring(Account), '@')[0]\r\n| summarize count() by tostring(Account)\r\n| extend isPotentiallyCompromised = iff(count_ >= 10, 'True', 'False');\r\nlet Compromised = WinAuth\r\n |join kind = innerunique AlertAccounts on Account\r\n | project Account, Computer, isPotentiallyCompromised;\r\nlet data = WinAuth\r\n | join kind = leftouter Compromised on Account\r\n | extend isPotentiallyCompromised = iff(isempty(isPotentiallyCompromised), 'False', isPotentiallyCompromised)\r\n | project-away Account1, Computer1;\r\nlet links = data\r\n| summarize by Source = Account, Target = Computer, Kind = 'Account -> Machine';\r\nlet nodes = data \r\n| summarize by Id = Account, Name = Account, Kind = 'Account'\r\n| union (data\r\n | summarize by Id = Computer, Name = Computer, Kind = 'Machine');\r\nnodes\r\n| union links",
"size": 3,
"title": "Graph Query with Graph Visual",
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "graph",
"graphSettings": {
"type": 0,
"topContent": {},
"centerContent": {
"columnMatch": "Name"
},
"bottomContent": {
"columnMatch": "Kind"
},
"nodeIdField": "Id",
"sourceIdField": "Source",
"targetIdField": "Target",
"graphOrientation": 3,
"showOrientationToggles": true,
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": null,
"hivesMargin": 5
}
},
"name": "query - 2"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "2"
},
"name": "Graphs"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## Linking\r\nLinking allows the workbook to open items from external locations. This can provide value by consolidating many different items and areas in one location within the workbook.\r\n\r\n#### Types\r\n_Azure Resources_: Azure Resources can be linked within a workbook. This allows resources of interest to be opened via the workbook without having to leave it. The value here is that resources can be modified or reviewed from a single workbook via linking. This can be for:\r\n- Turning on or modifying virtual machines\r\n- Opening workspaces to perform queries\r\n- Opening storage accounts to review blob data\r\n- And more.\r\n\r\nThe resource can be set dynamically or statically. If desired, resource paths can be inserted manually to make the value static. If looking to switch between different resources, values can be set dynamically via Azure Resource Graph.\r\n\r\n_Workbooks_: Workbooks can be linked within another workbook. This allows users to tie two or more workbooks together if they are related. There are two ways to do so:\r\n- Opening the template within the workbook\r\n- Opening the workbook in a context pane\r\n\r\n_Azure Blades_: Blades within the Azure Portal can be linked. This item is a bit more advanced as it involves using developer tools in the web browser. This method allows blades within Azure to be linked, allowing users to pivot to another part of the portal without having to leave the workbook. This also allows key blades from several Azure services to be linked in one location for ease of use.\r\n\r\n_External Locations_: This method allows external links to be tied to a button. This allows key web locations or items to be statically linked within the workbook. While a URL is static, values of the link can be set dynamically via parameters in the workbook.\r\n- Ex. https://www.virustotal.com/gui/file/ENTERDYNAMICPARAMETERHERE </br>\r\n\r\nFor more information on linking, please see https://learn.microsoft.com/azure/azure-monitor/visualize/workbooks-link-actions\r\n"
},
"name": "text - 0"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Azure Resources",
"expandable": true,
"items": [
{
"type": 1,
"content": {
"json": "#### Azure Resources\r\n\r\nTo link a dynamic resource:\r\n- Click add and choose 'parameter'.\r\n- Set the type as a drop down.\r\n- For the data source, set it to 'query'.\r\n- Change the source to Azure Resource Graph.\r\n- Enter the query that will fetch the resources of interest.\r\n - Ex. resources | where type == 'microsoft.operationalinsights/workspaces'.\r\n- Project the resource list by name asc.\r\n- Create a second parameter.\r\n- Leave it as type text.\r\n- Set it to be hidden.\r\n- Set the data source to be a query.\r\n- Use the same query as before, but filter for just the item that was selected in the first parameter. \r\n- Project the id."
},
"customWidth": "33",
"name": "text - 2"
},
{
"type": 1,
"content": {
"json": "#### Cont.\r\nTo link a static resource:\r\n- Find the resource of interest.\r\n- Go into the properties.\r\n- Copy the resource path.\r\n- Paste it into the parameter text box.\r\n</br>\r\n</br>\r\n</br>\r\n</br>\r\n</br>\r\n</br>\r\n</br>\r\n</br>\r\n</br>\r\n</br>"
},
"customWidth": "33",
"name": "text - 9"
},
{
"type": 1,
"content": {
"json": "#### Cont.\r\nTo configure a button to open the link:\r\n- Click add 'links/tabs'.\r\n- Give the button text.\r\n- Under action, select 'resource overview'.\r\n- For dynamic, set the value to the parameter that has the dynamic resource id.\r\n- For static, set the value to the parameter that has the static resource id.\r\n- If there is a sub menu of the item, specify the blade view under 'Settings'.\r\n- Make sure context pane is checked.\r\n- Set a button style.\r\n- Click 'done editing'.\r\n</br>\r\n</br>\r\n</br>\r\n</br>\r\n</br>"
},
"customWidth": "33",
"name": "text - 10"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Subscription}"
],
"parameters": [
{
"id": "8841ce17-9d76-4053-b979-9f177edc8f40",
"version": "KqlParameterItem/1.0",
"name": "DynamicResource",
"label": "Dynamic Resource",
"type": 2,
"query": "resources \r\n| where type == 'microsoft.operationalinsights/workspaces'\r\n| project name\r\n| order by name asc",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": "AipDstim"
},
{
"id": "f3978f41-0c0f-47e0-844c-576257a4a99e",
"version": "KqlParameterItem/1.0",
"name": "DRID",
"type": 1,
"query": "resources\r\n| where type == 'microsoft.operationalinsights/workspaces'\r\n| where name == '{DynamicResource}'\r\n| project id",
"crossComponentResources": [
"{Subscription}"
],
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "e4b1b7e9-2ccb-4928-9f8b-b9913f4590c4",
"version": "KqlParameterItem/1.0",
"name": "StaticResource",
"label": "Static Resource",
"type": 1,
"timeContext": {
"durationMs": 86400000
},
"value": ""
}
],
"style": "above",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "parameters - 4"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "paragraph",
"links": [
{
"id": "19e09e65-23cf-4a2a-80e8-543b7ee8515c",
"cellValue": "{DRID}",
"linkTarget": "Resource",
"linkLabel": "Open Dynamic Resource",
"style": "primary",
"linkIsContextBlade": true
},
{
"id": "d65f60bf-19e0-419e-9258-067ce4e058b9",
"cellValue": "{StaticResource}",
"linkTarget": "Resource",
"linkLabel": "Open Static Resource",
"style": "primary",
"linkIsContextBlade": true
}
]
},
"name": "links - 3"
}
]
},
"name": "AR"
},
{
"type": 1,
"content": {
"json": "-------------------------------------------------"
},
"name": "text - 16"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Workbooks",
"expandable": true,
"items": [
{
"type": 1,
"content": {
"json": "## Workbooks\r\n\r\nLinking workbooks is powerful in that it combines one or more workbooks with the current one that is being used. This can create a chain of functionality and use cases in one convenient location. \r\n\r\n#### Methods\r\n\r\nThere are two main methods:\r\n- Linking as an Azure Resource\r\n- Linking a template if hosted elsewhere\r\n\r\nBoth options are viable options for linking a workbook. Linking workbooks dynamically via the Azure resource method is a little easier while also allowing users to avoid having to pass parameters in the configuration. The workbook (template) action is great to use when statically linking workbooks while providing better performance. "
},
"customWidth": "33",
"name": "text - 1"
},
{
"type": 1,
"content": {
"json": "#### Azure Resource Based\r\nTo link via an Azure resource:\r\n1. Follow the steps listed above for dynamic values (parameters, Azure Resource Graph, button.)\r\n2. Make sure the value is set to the dynamic value for the workbook.\r\n3. Under settings, make sure the value is set to 'workbook'.\r\n"
},
"name": "text - 11"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "40b047c5-cbe8-4f00-bdf2-cf621af4a75e",
"version": "KqlParameterItem/1.0",
"name": "Workbooks",
"type": 2,
"query": "resources\r\n| where type == 'microsoft.insights/workbooks'\r\n| project Name = tostring(properties.displayName)\r\n| order by Name asc",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": "ACSC Ess 8"
},
{
"id": "652c792b-1277-462c-a666-0aba795413ae",
"version": "KqlParameterItem/1.0",
"name": "WBID",
"type": 1,
"query": "resources\r\n| where type == 'microsoft.insights/workbooks'\r\n| where tostring(properties.displayName) has '{Workbooks}'\r\n| project id",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
}
],
"style": "above",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "parameters - 5"
},
{
"type": 1,
"content": {
"json": "#### Workbook Templates\r\n\r\nThe Workbook (Template) action allows workbooks to be linked in a workbook by directing the current workbook to where the template for the other workbook of interest can be found. This action contains several values:\r\n- *Owner*: Value is the resource ID of the Azure resource that 'owns' the workbook. This will most commonly be 'Sentinel' or 'Azure Monitor'.\r\n- *Workbook resources*: Array of Azure resource IDs that specify the default resource used in the workbook. For example, if the workbook being opened shows data on virtual machines, the value entered would be the virtual machine resource IDs.\r\n- *Template ID*: Specifies the ID of the template to be opened. Can be a value that indicates the source, such as 'Community-Workbooks/Performance/Apdex' if using a workbook from the community gallery. If using a link to a saved workbook, use the full Azure resource ID.\r\n- *Workbook type*: Specifies the kind of workbook template to open. Default or workbook are the most commonly used values.\r\n- *Gallery type*: Specifies the gallery type that is displayed in the gallery view. Default or workbook are the most commonly used values.\r\n- *Location*: Specifies if a specific workbook resource is being opened. If location is not specified, finding the workbook will be slower. If the location is not known, leave the value as default.\r\n- *Specific Parameters*: Allows specific parameters to be passed to the workbook to be opened. Parameter names must be the same between the workbooks.\r\n- *Workbook template parameters*: Specifies the parameters that are passed to the target template. Name and value must not be empty to pass the parameter to the target template.\r\n\r\nTo link via the Workbook (Template) action:\r\n1. Click add and choose 'link/tabs'.\r\n2. Give the button a name and set the action to 'workbook(template)'.\r\n3. Open the settings.\r\n4. Provide the values as specified above in order to map the template.\r\n5. Once done, click 'save and close'.\r\n6. Click 'update links'.\r\n7. Click on the new button to confirm that the workbook opens properly.\r\n\r\nFor more information on the Workbook (Template) action, please refer to https://learn.microsoft.com/azure/azure-monitor/visualize/workbooks-link-actions#workbook-template-link-settings."
},
"name": "text - 10"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "paragraph",
"links": [
{
"id": "6258094c-50a4-437d-848d-c53200a48938",
"cellValue": "{WBID}",
"linkTarget": "Resource",
"linkLabel": "Workbook as Resource",
"subTarget": "workbook",
"style": "primary",
"linkIsContextBlade": true
},
{
"id": "445af6d3-df5c-479f-ab08-08340350011f",
"cellValue": "{WBID}",
"linkTarget": "WorkbookTemplate",
"linkLabel": "Workbook as Template",
"style": "primary",
"linkIsContextBlade": true,
"workbookContext": {
"componentIdSource": "workbook",
"resourceIdsSource": "workbook",
"templateIdSource": "cell",
"typeSource": "static",
"type": "sentinel",
"gallerySource": "static",
"gallery": "sentinel",
"locationSource": "workbook",
"passSpecificParams": true,
"templateParameters": [
{
"name": "workspace",
"source": "parameter",
"value": "Workspace"
},
{
"name": "subscription",
"source": "parameter",
"value": "Subscription"
},
{
"name": "SubscriptionId",
"source": "static",
"value": "{subscription:subscriptionId}"
},
{
"name": "resourceGroup",
"source": "static",
"value": "{Workspace:resourceGroup}"
}
]
}
}
]
},
"name": "links - 8"
},
{
"type": 1,
"content": {
"json": "-----------------------------------------------"
},
"name": "text - 18"
},
{
"type": 1,
"content": {
"json": "#### Template Based\r\n\r\nAn externally hosted template is a JSON file hosted on another platform, such as GitHub, or served by Microsoft Sentinel itself. Workbooks are able to call upon external template files if directed to the proper location and file name. For this to work, two items are needed:\r\n- The URL path to the folder in which the file is hosted\r\n- A mapping of the workbook name to the file name in order to make a library\r\n\r\nExamples would be:\r\n- https://securityinsights.hosting.portal.azure.net/securityinsights/Content/Workbooks/WORKBOOKTEMPLATEFILENAME.json\r\n- https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/WORKBOOKTEMPLATEFILENAME.json\r\n\r\nAn example of mapping the file names to a workbook name would appear as so:\r\n```json\r\n[\r\n\t{\"value\": \"WorkspaceUsage.json\", \"label\": \"Workspace Usage Report\", \"tags\": [\"usage\"]},\r\n\t{\"value\": \"AMAmigrationTracker.json\", \"label\": \"AMA Agent - Migration Tracker\", \"tags\": [\"migration\", \"Agents\", \"deployment\"]},\r\n\t{\"value\": \"MicrosoftSentinelDeploymentandMigrationTracker.json\", \"label\": \"Sentinel Deployments and Migration Tracker\", \"tags\": [\"migration\", \"deployment\"]},\r\n\t{\"value\": \"ArchivingBasicLogsRetention.json\", \"label\": \"Archiving and Basic Logs Retention\", \"tags\": [\"retention\", \"archiving\", \"basic logs\"]}\r\n]\r\n```\r\nTo link:\r\n1. Make a parameter to take on the value of the library and one for the URL.\r\n2. If desired, different methods can be used to display the template.\r\n - Context pane: Opens the workbook template in a context pane within this screen. This utilizes links.\r\n - Tab: Opens the workbook template within this screen. Utilizes groups in order to leverage the templates.\r\n - Full screen: Opens the template in a full screen that will leave this view.\r\n3. Make new links that will be buttons.\r\n4. Set the action to Workbook(Template).\r\n5. Set the value to be a parameter call to the parameter that is storing the URL path to the template.\r\n6. Under the Workbook Template Parameters, set:\r\n - Workspace - Parameter - WorkspaceParameter\r\n - Subscription - Parameter - SubscriptionParameter\r\n - resourceGroup - Parameter - WorkspaceParameter:resourceGroup\r\n7. Save the settings.\r\n8. Click 'update links' and test the button to ensure that the desired template opens properly."
},
"name": "text - 12"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "a9b3932a-e140-498f-97f4-da4ffcad5a4a",
"version": "KqlParameterItem/1.0",
"name": "selectedWorkbook",
"label": "Select Workbook",
"type": 2,
"isGlobal": true,
"query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n {\\\"value\\\": \\\"WorkspaceUsage.json\\\", \\\"label\\\": \\\"Workspace Usage Report\\\", \\\"tags\\\": [\\\"usage\\\"]},\\r\\n\\t{\\\"value\\\": \\\"AMAmigrationTracker.json\\\", \\\"label\\\": \\\"AMA Agent - Migration Tracker\\\", \\\"tags\\\" : [\\\"migration\\\", \\\"Agents\\\", \\\"deployment\\\"]},\\r\\n\\t{\\\"value\\\": \\\"MicrosoftSentinelDeploymentandMigrationTracker.json\\\", \\\"label\\\": \\\"Sentinel Deployments and Migration Tracker\\\", \\\"tags\\\": [\\\"migration\\\",\\\"deployment\\\"]},\\r\\n\\t{\\\"value\\\": \\\"ArchivingBasicLogsRetention.json\\\", \\\"label\\\": \\\"Archiving and Basic Logs Retention\\\", \\\"tags\\\": [\\\"retention\\\",\\\"archiving\\\",\\\"basic logs\\\"]}\\r\\n]\",\"transformers\":null}",
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 8
},
{
"id": "1772f659-c2b1-4882-a26b-63feb82ab734",
"version": "KqlParameterItem/1.0",
"name": "WorkbookRenderWhere",
"label": "Where to Open",
"type": 10,
"description": "Select the area where to render the selected workbook",
"isRequired": true,
"isGlobal": true,
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"jsonData": "[\"Context Pane\",\"Tab\",\"Full Screen\"]",
"value": "Full Screen"
},
{
"id": "49ce5797-eb8c-4616-94a6-14b9a92606b4",
"version": "KqlParameterItem/1.0",
"name": "templateBaseUrl",
"type": 1,
"criteriaData": [
{
"criteriaContext": {
"operator": "Default",
"resultValType": "static",
"resultVal": "https://securityinsights.hosting.portal.azure.net/securityinsights/Content/Workbooks"
}
}
],
"label": "Sentinel URL"
},
{
"id": "a7f49a79-2939-432e-a86d-b4700f49e867",
"version": "KqlParameterItem/1.0",
"name": "Github",
"type": 1,
"value": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/AzureSentinelCost.json",
"label": "GitHub URL"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 3"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "nav",
"links": [
{
"id": "6587fa50-dc9c-46b7-ba95-b2b48b6c9733",
"cellValue": "{templateBaseUrl}/{selectedWorkbook}",
"linkTarget": "WorkbookTemplate",
"linkLabel": "Open Workbook",
"preText": "📘",
"style": "secondary",
"linkIsContextBlade": true,
"workbookContext": {
"componentIdSource": "workbook",
"resourceIdsSource": "workbook",
"templateIdSource": "cell",
"typeSource": "static",
"type": "sentinel",
"gallerySource": "static",
"gallery": "sentinel",
"locationSource": "workbook",
"passSpecificParams": true,
"templateParameters": [
{
"name": "Workspace",
"source": "parameter",
"value": "workspace"
},
{
"name": "Subscription",
"source": "parameter",
"value": "subscriptionId"
},
{
"name": "subscriptionId",
"source": "parameter",
"value": "subscriptionId"
},
{
"name": "resourceGroup",
"source": "parameter",
"value": "resourceGroup"
}
]
}
}
]
},
"conditionalVisibility": {
"parameterName": "WorkbookRenderWhere",
"comparison": "isEqualTo",
"value": "Context Pane"
},
"name": "links - 4"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "template",
"loadFromTemplateId": "https://securityinsights.hosting.portal.azure.net/securityinsights/Content/Workbooks/AMAmigrationTracker.json",
"items": []
},
"conditionalVisibility": {
"parameterName": "selectedWorkbook",
"comparison": "isEqualTo",
"value": "AMAmigrationTracker.json"
},
"name": "AMA Migration Tracker"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "template",
"loadFromTemplateId": "https://securityinsights.hosting.portal.azure.net/securityinsights/Content/Workbooks/MicrosoftSentinelDeploymentandMigrationTracker.json",
"items": []
},
"conditionalVisibility": {
"parameterName": "selectedWorkbook",
"comparison": "isEqualTo",
"value": "MicrosoftSentinelDeploymentandMigrationTracker.json"
},
"name": "Microsoft Sentinel Deployment and Migration Tracker"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "template",
"loadFromTemplateId": "https://securityinsights.hosting.portal.azure.net/securityinsights/Content/Workbooks/WorkspaceUsage.json",
"items": []
},
"conditionalVisibility": {
"parameterName": "selectedWorkbook",
"comparison": "isEqualTo",
"value": "WorkspaceUsage.json"
},
"name": "Microsoft Sentinel Deployment and Migration Tracker - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "WorkbookRenderWhere",
"comparison": "isEqualTo",
"value": "Tab"
},
"name": "Workbook Tabs Group"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "nav",
"links": [
{
"id": "023a9468-b62b-479e-8cbe-d1f2d4c90303",
"cellValue": "{templateBaseUrl}/{selectedWorkbook}",
"linkTarget": "WorkbookTemplate",
"linkLabel": "Open Workbook",
"preText": "📘",
"style": "secondary",
"workbookContext": {
"componentIdSource": "workbook",
"resourceIdsSource": "workbook",
"templateIdSource": "cell",
"typeSource": "static",
"type": "sentinel",
"gallerySource": "static",
"gallery": "sentinel",
"locationSource": "workbook",
"passSpecificParams": true,
"templateParameters": [
{
"name": "Workspace",
"source": "parameter",
"value": "workspace"
},
{
"name": "Subscription",
"source": "parameter",
"value": "subscriptionId"
},
{
"name": "subscriptionId",
"source": "parameter",
"value": "subscriptionId"
},
{
"name": "resourceGroup",
"source": "parameter",
"value": "resourceGroup"
}
]
}
}
]
},
"conditionalVisibility": {
"parameterName": "WorkbookRenderWhere",
"comparison": "isEqualTo",
"value": "Full Screen"
},
"name": "Open Workbook - Full Screen"
}
]
},
"name": "Workbooks"
},
{
"type": 1,
"content": {
"json": "-----------------------------------------"
},
"name": "text - 17"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Blades",
"expandable": true,
"items": [
{
"type": 1,
"content": {
"json": "#### Blades\r\n\r\nLinking blades allows other blades within Azure to be opened from the workbook without having to leave it. There are two main ways to link blades:\r\n1. Via URL: Using the URL of the blade to point the workbook to where to navigate\r\n2. Using Azure Portal metadata to point the workbook to where to navigate\r\n\r\nBoth methods leverage the custom view option, which is made up of 3 components:\r\n1. *Extension*: The name of the blade.\r\n2. *View*: The name of the view on the blade.\r\n3. *Inputs*: Parameters or JSON values that are taken in as inputs when opening the blade.\r\n\r\n*URL*\r\n\r\nTo use this method:\r\n1. Create a new link that will be a button.\r\n2. Set the action to custom view.\r\n3. Click on the configure button.\r\n4. In another tab, go to the blade that should be linked.\r\n5. Copy the URL.\r\n6. Within the configuration settings for the button, click on the URL tab and paste the URL. </br>\r\n - Note: If there is an error, change '#view' to '#blade'\r\n7. Validate that the extension, view, and inputs are filled out.\r\n8. Click save and close. Validate that the button properly opens the blade of interest. </br>\r\n - Note: It is recommended that input values are as dynamic as possible in order to allow the button to open multiple specified destinations. This is best done via parameters. </br>\r\n\r\n*Metadata* </br>\r\nThis method uses metadata from the Azure Portal via developer tools within the web browser. This method is more tedious but proves to be more accurate when linking blades. Additionally, this method allows sub-blades to be linked.</br>\r\n\r\nTo use this method:\r\n1. Create a new link that will be a button.\r\n2. Set the action to custom view.\r\n3. Click on the configure button.\r\n4. In another tab, go to the blade that should be linked.\r\n5. Press control+alt+d. A set of yellow boxes should open.\r\n6. Open up the developer tools within the web browser.\r\n7. Go to the console tool.\r\n8. Click on the link to the blade in the upper left yellow box. This should generate a response in the console tool. An example of the link will look like 'AppInsights > UsageNotebookBlade'\r\n9. Within the response inside the console tool, expand the input. It will list the inputs that are taken for the blade. Right click on the input and choose 'copy object'.\r\n10. Go back to the button configuration settings.\r\n11. Click on the JSON tab and paste the copied object.\r\n12. Make sure that the extension and view are populated. These can be fetched from the upper left yellow box.\r\n13. Hit control+alt+d again to close the yellow boxes.\r\n14. Click save and close.\r\n15. Confirm that the button opens the blade as desired. </br>\r\n - Note: It is recommended to make the JSON objects in the button settings as dynamic as possible.\r\n\r\nFor this example, the workbook is linking a button to the Azure Monitor Overview blade via the URL method and the metadata method. For the sub-blade button, it is opening the create new incident view from Microsoft Sentinel using the metadata method."
},
"name": "text - 18"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "paragraph",
"links": [
{
"id": "db5e2b71-b376-4f73-a175-e5fa6fd5b858",
"linkTarget": "OpenBlade",
"linkLabel": "Open URL Blade",
"style": "primary",
"linkIsContextBlade": true,
"bladeOpenContext": {
"bladeName": "AzureMonitoringBrowseBlade",
"extensionName": "Microsoft_Azure_Monitoring",
"bladeJsonParameters": "{\n \"menuId\": \"overview\"\n}"
}
},
{
"id": "0e2be8c1-4806-46db-8e6e-ab0a55ae0314",
"linkTarget": "OpenBlade",
"linkLabel": "Open Metadata Blade",
"style": "primary",
"linkIsContextBlade": true,
"bladeOpenContext": {
"bladeName": "AzureMonitoringBrowseBlade",
"extensionName": "Microsoft_Azure_Monitoring",
"bladeParameters": []
}
},
{
"id": "adfcc3e2-da5c-47c7-a67d-0877d8bee04d",
"linkTarget": "OpenBlade",
"linkLabel": "Open Sub-Blade",
"style": "primary",
"linkIsContextBlade": true,
"bladeOpenContext": {
"bladeName": "CreateIncidentPage.ReactView",
"extensionName": "Microsoft_Azure_Security_Insights",
"bladeJsonParameters": "{\r\n \"isCrossWorkspaceMode\": false,\r\n \"selectedWorkspace\": \"{Workspace}\",\r\n \"availableWorkspaces\": [],\r\n \"workspaceAzureIdsWithoutWritePermissions\": []\r\n}"
}
}
]
},
"name": "links - 19"
}
]
},
"name": "Blades"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "3"
},
"name": "Linking"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Creating Tables from Parameters",
"expandable": true,
"items": [
{
"type": 1,
"content": {
"json": "### Creating Tables from Parameters\r\n\r\nTables can be created from API responses and then queried and modified. Normally, the response will be in a nested JSON format. This can be parsed via KQL and turned into a table format that allows for querying. An example of this would be running an ARM call to list all of the deployed Microsoft Sentinel analytic rules or all deployed data collection rules from Azure Monitor.\r\n\r\nFor parsing, the query will leverage different operators, such as mv-expand, bag_unpack, or pack_all.\r\n\r\nTo do so:\r\n\r\n1. Create a parameter that performs the API or ARM call to get and store the response.\r\n2. Create a new query.\r\n3. Call on the parameter by using the parameter name between two curly brackets. A common example used is print rule=dynamic(CURLYBRACKETPARAMETERNAMEHERE)\r\n4. Fill out the body of the query as needed. An example would look like:\r\n\r\n```\r\nprint rule=dynamic({PARAMETERNAME})\r\n| evaluate bag_unpack(rule)\r\n| project todynamic(properties)\r\n| evaluate bag_unpack(properties)\r\n| project-away etag, type, name, systemData\r\n| project properties = pack_all()\r\n```\r\n\r\nFor this section, an example parameter is available that will be parsed and queried like a regular table. The example parameter uses ARM to fetch all automation rules deployed in the selected Microsoft Sentinel environment."
},
"name": "text - 0"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "4b851f45-bef0-4bf9-b1d7-e27259d0228d",
"version": "KqlParameterItem/1.0",
"name": "AutomationRules",
"type": 1,
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{Workspace}/providers/Microsoft.SecurityInsights/automationRules?api-version=2022-12-01-preview\",\"urlParams\":[],\"batchDisabled\":false,\"transformers\":null}",
"timeContext": {
"durationMs": 86400000
},
"queryType": 12
}
],
"style": "above",
"queryType": 12
},
"name": "parameters - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "print Connector = dynamic({AutomationRules})\r\n| evaluate bag_unpack(Connector)\r\n| project todynamic(value)\r\n| mv-expand value\r\n| evaluate bag_unpack(value)\r\n| project todynamic(properties)\r\n| evaluate bag_unpack(properties)\r\n| project Name = displayName, createdTimeUtc, actions, triggeringLogic\r\n| order by Name asc",
"showQuery": true,
"size": 0,
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "actions",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkIsContextBlade": true
}
}
]
}
},
"name": "query - 8"
}
]
},
"name": "TableParams"
},
{
"type": 1,
"content": {
"json": "--------------------------------------"
},
"name": "text - 1"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Creating ARM Templates",
"expandable": true,
"items": [
{
"type": 1,
"content": {
"json": "### Creating ARM Templates\r\n\r\nARM templates can be both created and deployed within workbooks. This involves a combination of parameters, links, and making an editor in the workbook. There are two main ways to go about this:\r\n1. Create an editor for the values to be manually and statically entered by the user. </br>\r\n2. Store the template in the API button so that it is dynamically updated by parameters.\r\n\r\n*Parameters* </br>\r\nThis portion stores values in parameters in order to make the template generation dynamic. Storing values in parameters allows the stored values to be changed, which updates the template dynamically.\r\n\r\n*Links* </br>\r\nThis portion creates buttons that contain the API URI call. If dynamically updating the template, the button also stores the main portions of the template.\r\n\r\n*Editor* </br>\r\nThis portion creates a parameter that allows for user input and behaves like a barebones JSON editor. The value of this parameter is passed to the API button for deployment.\r\n\r\nTo do this dynamically: </br>\r\n1. Review the ARM template or PUT API documentation for the item that should be deployed.\r\n2. Create a parameter for items such as: resource group, resource group location, workspace resource path, etc.\r\n3. Create a link button.\r\n4. Set the action to ARM action (if only deploying the body of the ARM template).\r\n5. Set the ARM URI with the API version.\r\n6. Enter the ARM template body into the request body section. Make sure that any value that should be dynamic is represented by the name of the parameter storing that value, in curly brackets.\r\n7. Make sure that all of the values in the parameters are set.\r\n8. When ready, click the button to deploy. A side menu will appear. If validation passes, click deploy again.\r\n\r\nTo do this manually:\r\n1. Review the ARM template or PUT API documentation for the item that should be deployed.\r\n2. Make a parameter that is of type text. Set the value to multiline and of type JSON.\r\n3. Set the size to 40 (this makes the editor taller).\r\n4. Make a link button.\r\n5. Set the action to ARM action.\r\n6. Modify the template and finalize the details in the editor.\r\n7. Go to the link button for the manual template and edit it.\r\n8. Enter the parameter name for the ARM template from the editor in curly brackets. This does not need to be in quotes.\r\n9. When ready, click on the link button. A side menu will appear. If validation passes, click deploy again.\r\n"
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Subscription}"
],
"parameters": [
{
"id": "47eb961c-27ac-42df-aa52-8ad9aa948312",
"version": "KqlParameterItem/1.0",
"name": "DeployWorkspace",
"label": "Deploy to Workspace",
"type": 5,
"query": "resources\r\n| where type == 'microsoft.operationalinsights/workspaces'\r\n| project id, name\r\n| order by name asc",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": ""
},
{
"id": "a665804c-8d16-488d-9e4e-2a86ce795cde",
"version": "KqlParameterItem/1.0",
"name": "DWLocation",
"type": 1,
"query": "resources\r\n| where id has '{DeployWorkspace}'\r\n| project location",
"crossComponentResources": [
"{Subscription}"
],
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "5f4b913e-5fa9-49b3-8d9d-29670ea614bc",
"version": "KqlParameterItem/1.0",
"name": "DCE",
"type": 5,
"query": "resources\r\n| where type has 'Microsoft.Insights/dataCollectionEndpoints'\r\n| where location == '{DWLocation}'\r\n| project id, name\r\n| order by tolower(name) asc",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": ""
}
],
"style": "above",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "parameters - 15"
},
{
"type": 1,
"content": {
"json": "Workspace Resource ID: {DeployWorkspace} </br>\r\nData Collection Endpoint ID: {DCE} </br>\r\nWorkspace Location: {DWLocation}",
"style": "upsell"
},
"name": "text - 5"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "89556e06-5aeb-4d72-8355-0843f803d3b6",
"version": "KqlParameterItem/1.0",
"name": "Template",
"type": 1,
"typeSettings": {
"multiLineText": true,
"editorLanguage": "json",
"multiLineHeight": 30
},
"timeContext": {
"durationMs": 86400000
},
"value": "{\r\n \"location\": \"WORKSPACELOCATIONHERE\",\r\n \"properties\": {\r\n \"dataCollectionEndpointId\": \"DATACOLLECTIONENDPOINTRESOURCEPATHHERE\",\r\n \"dataSources\": {\r\n \"windowsEventLogs\": [\r\n {\r\n \"name\": \"eventLogsDataSource\",\r\n \"streams\": [\r\n \"Microsoft-SecurityEvent\"\r\n ],\r\n \"xPathQueries\": [\r\n \"Security!*[System[(EventID=1) or (EventID=299) or (EventID=300) or (EventID=324) or (EventID=340) or (EventID=403) or (EventID=404) or (EventID=410) or (EventID=411) or (EventID=412) or (EventID=413) or (EventID=431) or (EventID=500) or (EventID=501) or (EventID=1100)]]\"\r\n\t\t\t\t\t\t]\r\n }\r\n ]\r\n },\r\n \"destinations\": {\r\n \"logAnalytics\": [\r\n {\r\n \"workspaceResourceId\": \"WORKSPACERESOURCEPATHHERE\",\r\n \"name\": \"WORKSPACENAMEHERE\"\r\n }\r\n ]\r\n },\r\n \"dataFlows\": [\r\n {\r\n \"streams\": [\r\n \"Microsoft-SecurityEvent\"\r\n ],\r\n \"destinations\": [\r\n \"WORKSPACENAMEHERE\"\r\n ]\r\n }\r\n ]\r\n }\r\n }"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 8"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "13722552-050b-44c3-b195-9b1f5009d05b",
"version": "KqlParameterItem/1.0",
"name": "DCRName1",
"type": 1,
"timeContext": {
"durationMs": 86400000
},
"value": "DCR1",
"label": "Manual DCR Name"
},
{
"id": "86a1309f-7a71-4fe1-a703-22cac2745889",
"version": "KqlParameterItem/1.0",
"name": "DCRName2",
"type": 1,
"timeContext": {
"durationMs": 86400000
},
"value": "DCR2",
"label": "Dynamic DCR Name"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 4"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "paragraph",
"links": [
{
"id": "bec8d1d3-da16-4505-b593-eb4dc50afbe7",
"cellValue": "",
"linkTarget": "ArmAction",
"linkLabel": "Deploy Manual Template",
"style": "primary",
"linkIsContextBlade": true,
"templateRunContext": {
"componentIdSource": "cell",
"templateUriSource": "parameter",
"templateUri": "Template",
"templateParameters": [],
"titleSource": "static",
"descriptionSource": "static",
"runLabelSource": "static"
},
"armActionContext": {
"path": "/subscriptions/{Subscription:subscriptionId}/resourceGroups/{DeployWorkspace:resourceGroup}/providers/Microsoft.Insights/dataCollectionRules/{DCRName1}?api-version=2021-09-01-preview",
"headers": [],
"params": [],
"body": "{Template}",
"httpMethod": "PUT",
"description": "# Actions can potentially modify resources.\n## Please use caution and include a confirmation message in this description when authoring this command."
}
},
{
"id": "45638da4-60a4-4e92-bc2e-58fb1b9965c5",
"linkTarget": "ArmAction",
"linkLabel": "Deploy Dynamic Template",
"style": "primary",
"linkIsContextBlade": true,
"armActionContext": {
"path": "/subscriptions/{Subscription:subscriptionId}/resourceGroups/{DeployWorkspace:resourceGroup}/providers/Microsoft.Insights/dataCollectionRules/{DCRName2}?api-version=2021-09-01-preview",
"headers": [],
"params": [],
"body": "{\r\n \"location\": \"{DWLocation}\",\r\n \"properties\": {\r\n \"dataCollectionEndpointId\": \"{DCE}\",\r\n \"dataSources\": {\r\n \"windowsEventLogs\": [\r\n {\r\n \"name\": \"eventLogsDataSource\",\r\n \"streams\": [\r\n \"Microsoft-SecurityEvent\"\r\n ],\r\n \"xPathQueries\": [\r\n \"Security!*[System[(EventID=1) or (EventID=299) or (EventID=300) or (EventID=324) or (EventID=340) or (EventID=403) or (EventID=404) or (EventID=410) or (EventID=411) or (EventID=412) or (EventID=413) or (EventID=431) or (EventID=500) or (EventID=501) or (EventID=1100)]]\"\r\n ] \r\n }\r\n ]\r\n },\r\n \"destinations\": {\r\n \"logAnalytics\": [\r\n {\r\n \"workspaceResourceId\": \"{DeployWorkspace}\",\r\n \"name\": \"{DeployWorkspace:name}\"\r\n }\r\n ]\r\n },\r\n \"dataFlows\": [\r\n {\r\n \"streams\": [\r\n \"Microsoft-SecurityEvent\"\r\n ],\r\n \"destinations\": [\r\n \"{DeployWorkspace:name}\"\r\n ]\r\n }\r\n ]\r\n }\r\n }",
"httpMethod": "PUT",
"description": "# Actions can potentially modify resources.\n## Please use caution and include a confirmation message in this description when authoring this command."
}
}
]
},
"name": "links - 9"
}
]
},
"name": "ARM"
},
{
"type": 1,
"content": {
"json": "--------------------------------------"
},
"name": "text - 3"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Running Automation from Workbooks",
"expandable": true,
"items": [
{
"type": 1,
"content": {
"json": "### Running Automation from Workbooks\r\nThere are two main ways to run automation from a workbook:\r\n1. Linking the automation blade for an incident\r\n2. Calling the trigger for a playbook via API\r\n\r\n_Linking_ </br>\r\nThis method leverages the steps highlighted in the linking section. There are a few items that will be needed:\r\n- A list of incidents with the name and the GUID of each incident\r\n- A URL for the link (this can be built as a string)\r\n\r\nTo do this: </br>\r\n1. Create a query that lists all current open incidents. The details must contain the column IncidentName.\r\n2. In the settings of the query, set it to export IncidentName when a row is selected.\r\n3. Create a link button and set the action to custom view.\r\n4. Edit the settings for the button.\r\n5. Enter the extension name and the view name. Under JSON value, paste the expected value that the view is looking for as input. (This is covered under the linking section.)\r\n6. Once the values are set and validated, click on an incident.\r\n7. Click on the button to open the blade for running automation.\r\n8. A side menu will appear containing a list of available playbooks that can be run on the selected incident.\r\n"
},
"name": "text - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityIncident\r\n| summarize arg_max(TimeGenerated, *) by IncidentName\r\n| where Status != 'Closed'\r\n| project Title, Status, IncidentName",
"size": 0,
"title": "Current Incidents",
"timeContext": {
"durationMs": 86400000
},
"exportFieldName": "IncidentName",
"exportParameterName": "IncidentName",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"filter": true
}
},
"showPin": false,
"name": "query - 12"
},
{
"type": 1,
"content": {
"json": "### Incident URL\r\n\r\nhttps://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident{Workspace}/providers/Microsoft.SecurityInsights/Incidents/{IncidentName}"
},
"name": "text - 13"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "list",
"links": [
{
"id": "a8fb7090-7181-431b-a70d-0bec461d21b4",
"linkTarget": "OpenBlade",
"linkLabel": "Run Playbook",
"style": "primary",
"linkIsContextBlade": true,
"bladeOpenContext": {
"bladeName": "ManualTriggerBlade",
"extensionName": "Microsoft_Azure_Security_Insights",
"bladeJsonParameters": "{\r\n \"targetObjectType\": 0,\r\n \"targetObjectArmId\": \"/subscriptions/{Subscription:subscriptionId}/resourceGroups/{Workspace:resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/Incidents/{IncidentName}\"\r\n}"
}
}
]
},
"name": "links - 14"
},
{
"type": 1,
"content": {
"json": "-------------------------------\r\n_API_ </br>\r\nThis method leverages the steps highlighted in the linking section. There are a few items that will be needed:\r\n- *Playbook resource group*: Used for filtering; fetched via the steps covered for Azure Resource Graph\r\n- *Resource path to the playbook*: Fetched via the steps covered for Azure Resource Graph\r\n- *Trigger type of the playbook*: Also fetched via the steps covered for Azure Resource Graph\r\n- *Tenant ID*: Used by the API to identify where it should be looking when running the action\r\n\r\nTo do this: </br>\r\n1. Create a query that lists all current open incidents. The details must include the column IncidentName.\r\n2. In the settings of the query, set it to export IncidentName when a row is selected.\r\n3. Create a link button and set the action to ARM action.\r\n4. Create parameters for the resource groups containing playbooks, the playbooks within the selected resource group, the trigger for the playbook, and the tenant ID.\r\n- Resource groups containing playbooks can be found by querying ARG for resources with type 'microsoft.logic/workflows' and then projecting the resource group.\r\n- Playbooks within the selected resource group can be found by performing the same ARG query but filtering the results with where resourceGroup == '{PlaybookResourceGroupPARAMETER}'\r\n- The trigger can be found by running an ARM GET call and parsing out the trigger name. The URI would be \"{Subscription}/resourceGroups/{ PlaybookResourceGroup }/providers/Microsoft.Logic/workflows/{ Playbook:name }/triggers?api-version=2016-06-01\"\r\n5. Go back into the ARM action button settings. Set the path to '{ WORKSPACEPARAMETERHERE }/providers/Microsoft.SecurityInsights/incidents/{ INCIDENTGUIDPARAMETERHERE }/runPlaybook?api-version=2019-01-01-preview'\r\n6. Set the body of the ARM action to\r\n\r\n```\r\n{\r\n\"LogicAppsResourceId\":\"{ PLAYBOOKNAMEPARAMETERHERE }\",\r\n \"TenantId\":\"{ TENANTIDPARAMETERHERE }\"\r\n}\r\n```\r\n7. Once each of the items is populated, make sure that an incident is selected.\r\n8. When ready, click the run playbook button."
},
"name": "text - 15"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "dad56ee0-a8fa-44e3-b451-be75766cce8f",
"version": "KqlParameterItem/1.0",
"name": "PlaybookResourceGroup",
"label": "Resource Group",
"type": 5,
"query": "resources\r\n| where type has 'microsoft.logic/workflows'\r\n| summarize Count = count() by subscriptionId, resourceGroup\r\n| order by Count desc\r\n| extend Rank = row_number()\r\n| project resourceGroup\r\n| order by resourceGroup asc",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": "adminresource"
},
{
"id": "25d1f13b-c800-437d-a2e1-938b1d4c89fb",
"version": "KqlParameterItem/1.0",
"name": "Playbook",
"type": 5,
"query": "resources\r\n| where type has 'microsoft.logic/workflows'\r\n| where resourceGroup == '{PlaybookResourceGroup}'\r\n| summarize by id, name\r\n\r\n",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": ""
},
{
"id": "9bc7e994-6b45-4e2e-94d5-115b4810a2fe",
"version": "KqlParameterItem/1.0",
"name": "Trigger",
"type": 5,
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{Subscription}/resourceGroups/{PlaybookResourceGroup}/providers/Microsoft.Logic/workflows/{Playbook:name}/triggers?api-version=2016-06-01\",\"urlParams\":[],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"$.name\",\"columnid\":\"Type\"}]}}]}",
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 12,
"value": null
},
{
"id": "5d597c6e-84cf-4885-b017-9925c2962df2",
"version": "KqlParameterItem/1.0",
"name": "TenantId",
"type": 1,
"timeContext": {
"durationMs": 86400000
},
"value": ""
}
],
"style": "above",
"queryType": 12
},
"name": "parameters - 10"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "list",
"links": [
{
"id": "060bcf85-d0f8-4523-8bd2-3848c618b1b1",
"linkTarget": "ArmAction",
"linkLabel": "Run Playbook",
"style": "primary",
"linkIsContextBlade": true,
"armActionContext": {
"path": "{Workspace}/providers/Microsoft.SecurityInsights/incidents/{IncidentName}/runPlaybook?api-version=2019-01-01-preview",
"headers": [],
"params": [],
"body": "{\r\n\"LogicAppsResourceId\":\"{Playbook}\",\r\n \"TenantId\":\"{TenantId}\"\r\n}",
"httpMethod": "POST",
"description": "# Actions can potentially modify resources.\n## Please use caution and include a confirmation message in this description when authoring this command."
}
}
]
},
"name": "links - 11"
}
]
},
"name": "Automation"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "4"
},
"name": "Concepts"
}
],
"fallbackResourceIds": [
""
],
"fromTemplateId": "sentinel-AdvancedWorkbookConcepts",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}