{ "contentVersion": "1.0.0.0", "parameters": { "workbookDisplayName": { "type": "string", "defaultValue": "Microsoft Sentinel Project Deployment Status", "metadata": { "description": "The friendly name for the workbook that is used in the Gallery or Saved List. This name must be unique within a resource group." } }, "SubscriptionId": { "type": "string", "defaultValue": "Enter the Subscription ID", "metadata": { "description": "Subscription ID where the workbook will be deployed" } }, "ResourceGroupName": { "type": "string", "defaultValue": "Enter the Resource Group name", "metadata": { "description": "Resource Group name where the Sentinel workspace is located" } }, "WorkspaceName": { "type": "string", "defaultValue": "Enter the Sentinel workspace name", "metadata": { "description": "Microsoft Sentinel workspace name" } }, "workbookId": { "type": "string", "defaultValue": "[newGuid()]", "metadata": { "description": "The unique guid for this workbook instance" } } }, "resources": [ { "name": "[parameters('workbookId')]", "type": "microsoft.insights/workbooks", "location": "[resourceGroup().location]", "apiVersion": "2022-04-01", "dependsOn": [], "kind": "shared", "properties": { "displayName": "[parameters('workbookDisplayName')]", "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Microsoft Sentinel Deployment Completion Status\\n---\\nThis Workbook is to track the Project Deployment Status\\n\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c76c09d8-1337-4637-88aa-eca5d2b7d2af\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"},{\"id\":\"64d7b948-194c-489d-84b0-c7eb126bd0bd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"InternalWSs\",\"type\":1,\"isRequired\":true,\"query\":\"SecurityIncident\\r\\n| take 1\\r\\n| parse IncidentUrl with * \\\"/workspaces/\\\" Workspace \\\"/\\\" *\\r\\n| project Workspace\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"6633396f-ea86-415c-9cfa-34f9e59b3645\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":null},{\"id\":\"31080b10-ab7a-44d3-a573-32970c9ef330\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"query\":\"where type =~ \\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| project subscriptionId,id,name\\r\\n| where '{Subscription}' has subscriptionId\\r\\n| project value =id, label = name\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":null},{\"id\":\"e7c5dce8-c742-42a2-973c-37d7aaf3aa79\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"InternalRG\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ \\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| where id =~ \\\"{Workspace}\\\"\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"e3085138-269a-4698-966c-acbdd5278b86\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ActiveRules\",\"type\":1,\"query\":\"{\\\"version\\\":\\\"ARMEndpoint/1.0\\\",\\\"data\\\":null,\\\"headers\\\":[],\\\"method\\\":\\\"GET\\\",\\\"path\\\":\\\"/subscriptions/{Subscription:id}/resourcegroups/{Workspace:resourcegroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/alertRules\\\",\\\"urlParams\\\":[{\\\"key\\\":\\\"api-version\\\",\\\"value\\\":\\\"2021-10-01-preview\\\"}],\\\"batchDisabled\\\":false,\\\"transformers\\\":[{\\\"type\\\":\\\"jsonpath\\\",\\\"settings\\\":{\\\"tablePath\\\":\\\"$.value\\\",\\\"columns\\\":[{\\\"path\\\":\\\"$.properties.enabled\\\",\\\"columnid\\\":\\\"Enabled\\\"}]}}]}\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":12},{\"id\":\"ecb450a8-4e64-4bfd-ac45-efe9cfed8521\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"resourceGroup\",\"type\":1,\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| where id == \\\"{Workspace}\\\"\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"df4b5b50-dbb3-4aa7-923b-93fd4e3ada91\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"ee1fb7f6-ed56-45de-b4de-f2021161c71b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WorkspaceCount\",\"type\":2,\"multiSelect\":true,\"quote\":\"\",\"delimiter\":\"\",\"query\":\"range x from 1 to 10 step 1\",\"typeSettings\":{\"limitSelectTo\":1,\"additionalResourceOptions\":[],\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[]},{\"id\":\"71663596-8476-4407-9dde-d4bf0539222d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DataconnectorName\",\"type\":2,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"query\":\"let tableNames = datatable(DataConnector:string, TableName:string)\\r\\n[\\r\\n \\\"Microsoft Entra ID\\\",\\\"SigninLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"AuditLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"ProvisioningLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"NonInteractiveUserSignInLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"ServicePrincipalSignInLogs\\\",\\r\\n \\\"Microsoft Entra ID\\\",\\\"ManagedIdentitySignInLogs\\\",\\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADIdentityProtectionAlerts\\\", \\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADUserRiskEvents\\\", \\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADRiskyUsers\\\", \\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADRiskySignIns\\\",\\r\\n \\\"Azure Activity\\\",\\\"AzureActivity\\\",\\r\\n \\\"Azure DDoS Protection\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Azure Key Vault\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Azure Kubernetes Service (AKS)\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Microsoft Purview (Preview)\\\",\\\"PurviewInformationProtection\\\",\\r\\n \\\"Azure Storage Account\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Azure Web Application Firewall (WAF)\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Common Event Format (CEF) via AMA\\\",\\\"CommonSecurityLog\\\",\\r\\n \\\"Windows DNS Events via AMA\\\",\\\"ASimDnsActivityLogs\\\",\\r\\n \\\"Azure Event Hubs\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Microsoft 365 Insider Risk Management\\\",\\\"OfficeActivity\\\",\\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityInfo\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityDirectoryEvents\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityLogonEvents\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityQueryEvents\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentitySigninEvents\\\",\\r\\n \\\"Microsoft Defender XDR\\\",\\\"SecurityAlert\\\", \\r\\n \\\"Microsoft Defender XDR\\\",\\\"SecurityIncident\\\",\\r\\n \\\"Microsoft Defender for Cloud Apps\\\",\\\"CloudAppEvents\\\", \\r\\n \\\"Microsoft Defender for Cloud Apps\\\",\\\"CloudAppFileEvents\\\", \\r\\n \\\"Microsoft Defender for Cloud Apps\\\",\\\"CloudAppAccountEvents\\\",\\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceNetworkEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceFileEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceRegistryEvents\\\",\\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceImageLoadEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceProcessEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceLogonEvents\\\",\\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceAlertEvents\\\",\\r\\n \\\"Subscription-based Microsoft Defender for Cloud (Legacy)\\\",\\\"SecurityAlert\\\", \\r\\n \\\"Subscription-based Microsoft Defender for Cloud (Legacy)\\\",\\\"SecurityIncident\\\", \\r\\n \\\"Subscription-based Microsoft Defender for Cloud (Legacy)\\\",\\\"SecurityRecommendation\\\",\\r\\n \\\"Tenant-based Microsoft Defender for Cloud (Preview)\\\",\\\"SecurityAlert\\\",\\r\\n \\\"Tenant-based Microsoft Defender for Cloud (Preview)\\\",\\\"SecurityIncident\\\", \\r\\n \\\"Tenant-based Microsoft Defender for Cloud (Preview)\\\",\\\"SecurityRecommendation\\\",\\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailEvents\\\",\\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailPostDeliveryEvents\\\", \\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailUrlInfo\\\",\\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailAttachmentInfo\\\",\\r\\n \\\"Microsoft Purview Information Protection\\\",\\\"InformationProtectionLogs\\\",\\r\\n \\\"Microsoft Purview Information Protection\\\",\\\"InformationProtectionLabelEvents\\\",\\r\\n \\\"Microsoft 365\\\",\\\"OfficeActivity\\\", \\r\\n \\\"Microsoft 365\\\",\\\"ExchangeOnline\\\", \\r\\n \\\"Microsoft 365\\\",\\\"SharePointOnline\\\", \\r\\n \\\"Microsoft 365\\\",\\\"Teams\\\",\\r\\n \\\"Windows Security Events via AMA\\\",\\\"SecurityEvent\\\",\\r\\n \\\"Syslog via AMA\\\",\\\"Syslog\\\",\\r\\n \\\"Microsoft Defender Threat Intelligence (Preview)\\\",\\\"ThreatIntelligenceIndicator\\\", \\r\\n \\\"Microsoft Defender Threat Intelligence (Preview)\\\",\\\"ThreatIntelligenceIndicatorV2\\\",\\r\\n \\\"Premium Microsoft Defender Threat Intelligence (Preview)\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Threat intelligence - TAXII\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Threat Intelligence Platforms\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Threat Intelligence Upload Indicators API (Preview)\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Microsoft Defender for IoT\\\",\\\"IoTSecurityAlert\\\", \\r\\n \\\"Microsoft Defender for IoT\\\",\\\"IoTSecurityRecommendation\\\",\\r\\n \\\"Windows Firewall Events via AMA (Preview)\\\",\\\"ASimNetworkSessionLogs\\\"\\r\\n];\\r\\ntableNames\\r\\n| distinct DataConnector\",\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[]},{\"id\":\"6396005e-03c3-4c6e-a289-5de6565048fc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TableName\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"query\":\"let tableNames = datatable(DataConnector:string, TableName:string)\\r\\n[\\r\\n \\\"Microsoft Entra ID\\\",\\\"SigninLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"AuditLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"ProvisioningLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"NonInteractiveUserSignInLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"ServicePrincipalSignInLogs\\\",\\r\\n \\\"Microsoft Entra ID\\\",\\\"ManagedIdentitySignInLogs\\\",\\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADIdentityProtectionAlerts\\\", \\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADUserRiskEvents\\\", \\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADRiskyUsers\\\", \\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADRiskySignIns\\\",\\r\\n \\\"Azure Activity\\\",\\\"AzureActivity\\\",\\r\\n \\\"Azure DDoS Protection\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Azure Key Vault\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Azure Kubernetes Service (AKS)\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Microsoft Purview (Preview)\\\",\\\"PurviewInformationProtection\\\",\\r\\n \\\"Azure Storage Account\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Azure Web Application Firewall (WAF)\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Common Event Format (CEF) via AMA\\\",\\\"CommonSecurityLog\\\",\\r\\n \\\"Windows DNS Events via AMA\\\",\\\"ASimDnsActivityLogs\\\",\\r\\n \\\"Azure Event Hubs\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Microsoft 365 Insider Risk Management\\\",\\\"OfficeActivity\\\",\\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityInfo\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityDirectoryEvents\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityLogonEvents\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityQueryEvents\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentitySigninEvents\\\",\\r\\n \\\"Microsoft Defender XDR\\\",\\\"SecurityAlert\\\", \\r\\n \\\"Microsoft Defender XDR\\\",\\\"SecurityIncident\\\",\\r\\n \\\"Microsoft Defender for Cloud Apps\\\",\\\"CloudAppEvents\\\", \\r\\n \\\"Microsoft Defender for Cloud Apps\\\",\\\"CloudAppFileEvents\\\", \\r\\n \\\"Microsoft Defender for Cloud Apps\\\",\\\"CloudAppAccountEvents\\\",\\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceNetworkEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceFileEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceRegistryEvents\\\",\\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceImageLoadEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceProcessEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceLogonEvents\\\",\\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceAlertEvents\\\",\\r\\n \\\"Subscription-based Microsoft Defender for Cloud (Legacy)\\\",\\\"SecurityAlert\\\", \\r\\n \\\"Subscription-based Microsoft Defender for Cloud (Legacy)\\\",\\\"SecurityIncident\\\", \\r\\n \\\"Subscription-based Microsoft Defender for Cloud (Legacy)\\\",\\\"SecurityRecommendation\\\",\\r\\n \\\"Tenant-based Microsoft Defender for Cloud (Preview)\\\",\\\"SecurityAlert\\\",\\r\\n \\\"Tenant-based Microsoft Defender for Cloud (Preview)\\\",\\\"SecurityIncident\\\", \\r\\n \\\"Tenant-based Microsoft Defender for Cloud (Preview)\\\",\\\"SecurityRecommendation\\\",\\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailEvents\\\",\\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailPostDeliveryEvents\\\", \\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailUrlInfo\\\",\\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailAttachmentInfo\\\",\\r\\n \\\"Microsoft Purview Information Protection\\\",\\\"InformationProtectionLogs\\\",\\r\\n \\\"Microsoft Purview Information Protection\\\",\\\"InformationProtectionLabelEvents\\\",\\r\\n \\\"Microsoft 365\\\",\\\"OfficeActivity\\\", \\r\\n \\\"Microsoft 365\\\",\\\"ExchangeOnline\\\", \\r\\n \\\"Microsoft 365\\\",\\\"SharePointOnline\\\", \\r\\n \\\"Microsoft 365\\\",\\\"Teams\\\",\\r\\n \\\"Windows Security Events via AMA\\\",\\\"SecurityEvent\\\",\\r\\n \\\"Syslog via AMA\\\",\\\"Syslog\\\",\\r\\n \\\"Microsoft Defender Threat Intelligence (Preview)\\\",\\\"ThreatIntelligenceIndicator\\\", \\r\\n \\\"Microsoft Defender Threat Intelligence (Preview)\\\",\\\"ThreatIntelligenceIndicatorV2\\\",\\r\\n \\\"Premium Microsoft Defender Threat Intelligence (Preview)\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Threat intelligence - TAXII\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Threat Intelligence Platforms\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Threat Intelligence Upload Indicators API (Preview)\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Microsoft Defender for IoT\\\",\\\"IoTSecurityAlert\\\", \\r\\n \\\"Microsoft Defender for IoT\\\",\\\"IoTSecurityRecommendation\\\",\\r\\n \\\"Windows Firewall Events via AMA (Preview)\\\",\\\"ASimNetworkSessionLogs\\\"\\r\\n];\\r\\ntableNames\\r\\n|where DataConnector in ({DataconnectorName})\\r\\n|project TableName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":null},{\"id\":\"9190ab66-2ba8-45c6-9adc-1b7aa9acd330\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"countRuleTemplates\",\"type\":1,\"query\":\"{\\\"version\\\":\\\"ARMEndpoint/1.0\\\",\\\"data\\\":null,\\\"headers\\\":[{\\\"key\\\":\\\"\\\",\\\"value\\\":\\\"\\\"}],\\\"method\\\":\\\"GET\\\",\\\"path\\\":\\\"/subscriptions/{Subscription:id}/resourceGroups/{InternalRG}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/AlertRuleTemplates\\\",\\\"urlParams\\\":[{\\\"key\\\":\\\"api-version\\\",\\\"value\\\":\\\"2022-06-01-preview\\\"}],\\\"batchDisabled\\\":false,\\\"transformers\\\":[{\\\"type\\\":\\\"jsonpath\\\",\\\"settings\\\":{\\\"tablePath\\\":\\\"$.value\\\",\\\"columns\\\":[{\\\"path\\\":\\\"name\\\",\\\"columnid\\\":\\\"name\\\"}]}}]}\",\"queryType\":12},{\"id\":\"bfd5bba7-c76a-4540-b5e2-5daf38af16b0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"countActiveRules\",\"type\":1,\"query\":\"{\\\"version\\\":\\\"ARMEndpoint/1.0\\\",\\\"data\\\":null,\\\"headers\\\":[],\\\"method\\\":\\\"GET\\\",\\\"path\\\":\\\"/subscriptions/{Subscription:id}/resourceGroups/{InternalRG}//providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/AlertRules\\\",\\\"urlParams\\\":[{\\\"key\\\":\\\"api-version\\\",\\\"value\\\":\\\"2022-06-01-preview\\\"}],\\\"batchDisabled\\\":false,\\\"transformers\\\":[{\\\"type\\\":\\\"jsonpath\\\",\\\"settings\\\":{\\\"tablePath\\\":\\\"$.value\\\",\\\"columns\\\":[{\\\"path\\\":\\\"name\\\",\\\"columnid\\\":\\\"name\\\"}]}}]}\",\"queryType\":12},{\"id\":\"6d3cd1b2-7076-4671-9a34-8da81d82a2fb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RuleCount\",\"type\":2,\"query\":\"range x from 1 to 250 step 1\",\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":null},{\"id\":\"e458bc19-bde1-4f31-a598-98172db668b6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WorkbookCount\",\"type\":2,\"query\":\"range x from 1 to 20 step 1\",\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":null},{\"id\":\"e39d0ab1-065c-45bb-badf-d8bb89bc93f6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LogicappCount\",\"type\":2,\"query\":\"range x from 1 to 20 step 1\",\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":null},{\"id\":\"a0ea5f7f-c038-45c2-89d6-7442d4ef1b19\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RulesCreatedDate\",\"type\":1,\"query\":\"{\\\"version\\\":\\\"ARMEndpoint/1.0\\\",\\\"data\\\":null,\\\"headers\\\":[],\\\"method\\\":\\\"GET\\\",\\\"path\\\":\\\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup:name}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/AlertRuleTemplates\\\",\\\"urlParams\\\":[{\\\"key\\\":\\\"api-version\\\",\\\"value\\\":\\\"2022-06-01-preview\\\"}],\\\"batchDisabled\\\":false,\\\"transformers\\\":[{\\\"type\\\":\\\"jsonpath\\\",\\\"settings\\\":{\\\"tablePath\\\":\\\"$.value\\\",\\\"columns\\\":[{\\\"path\\\":\\\"properties.createdDateUTC\\\",\\\"columnid\\\":\\\"createdDateUTC\\\"}]}}]}\",\"isHiddenWhenLocked\":true,\"queryType\":12},{\"id\":\"e5b8349c-9c16-470e-87c9-4d7b1b165060\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"countByActiveCategory\",\"type\":1,\"query\":\"{\\\"version\\\":\\\"ARMEndpoint/1.0\\\",\\\"data\\\":null,\\\"headers\\\":[],\\\"method\\\":\\\"GET\\\",\\\"path\\\":\\\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/AlertRules\\\",\\\"urlParams\\\":[{\\\"key\\\":\\\"api-version\\\",\\\"value\\\":\\\"2022-06-01-preview\\\"}],\\\"batchDisabled\\\":false,\\\"transformers\\\":[{\\\"type\\\":\\\"jsonpath\\\",\\\"settings\\\":{\\\"tablePath\\\":\\\"$.value\\\",\\\"columns\\\":[{\\\"path\\\":\\\"kind\\\",\\\"columnid\\\":\\\"kind\\\"}]}}]}\",\"isHiddenWhenLocked\":true,\"queryType\":12},{\"id\":\"92210724-ec18-4408-b4a3-104e9af39bcb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"description\":\"This will show some help information to help you understand the page you are on\",\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":[]},\"jsonData\":\"[{ \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }]\"}],\"style\":\"pills\",\"queryType\":12},\"name\":\"parameters - 10\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"56afa30b-44a9-495e-bcb0-9b582d6d2167\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Deployment Score\",\"subTarget\":\"DeploymentScore\",\"preText\":\"Deployment Score\",\"style\":\"link\"},{\"id\":\"bb1abad8-3156-458e-af57-299ef0878673\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"EnablementData\",\"subTarget\":\"EnablementData\",\"style\":\"link\"},{\"id\":\"c3d5c2d6-f998-45c4-93d9-f0d9d37f00b3\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workspace Info\",\"subTarget\":\"Workspace Info\",\"style\":\"link\"},{\"id\":\"ba9c47dc-eab4-450f-8836-6ca385c26084\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Dataconnectors Info\",\"subTarget\":\"Dataconnectors Info\",\"style\":\"link\"},{\"id\":\"a6e83b92-fdd4-48bc-8cde-f2dfa218ee47\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook/Rules/Automation\",\"subTarget\":\"Workbook/Rules/Automation\",\"style\":\"link\"},{\"id\":\"915b90ab-f3c5-40c5-a779-4fca413ba10a\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Threat Intelligence\",\"subTarget\":\"Threat Intelligence\",\"style\":\"link\"},{\"id\":\"5907fdc0-116c-4957-95cb-a99698f3b223\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Incidents\",\"subTarget\":\"Incidents\",\"style\":\"link\"}]},\"name\":\"links - 21\"},{\"type\":1,\"content\":{\"json\":\"## Repository Connection\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"EnablementData\"},\"name\":\"text - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"ARMEndpoint/1.0\\\",\\\"data\\\":null,\\\"headers\\\":[],\\\"method\\\":\\\"GET\\\",\\\"path\\\":\\\"/subscriptions/{Subscription:Id}/resourceGroups/{resourceGroup:name}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/sourcecontrols?api-version=2021-10-01-preview\\\",\\\"urlParams\\\":[],\\\"batchDisabled\\\":false,\\\"transformers\\\":[{\\\"type\\\":\\\"jsonpath\\\",\\\"settings\\\":{\\\"tablePath\\\":\\\"$..value\\\",\\\"columns\\\":[{\\\"path\\\":\\\"properties.displayName\\\",\\\"columnid\\\":\\\"displayName\\\"},{\\\"path\\\":\\\"properties.repoType\\\",\\\"columnid\\\":\\\"repoType\\\"},{\\\"path\\\":\\\"properties.repository.url\\\",\\\"columnid\\\":\\\"url\\\"},{\\\"path\\\":\\\"properties.contentTypes\\\",\\\"columnid\\\":\\\"contentTypes\\\"},{\\\"path\\\":\\\"type\\\",\\\"columnid\\\":\\\"type\\\"},{\\\"path\\\":\\\"id\\\",\\\"columnid\\\":\\\"id\\\"},{\\\"path\\\":\\\"systemData\\\",\\\"columnid\\\":\\\"systemData\\\"},{\\\"path\\\":\\\"properties\\\",\\\"columnid\\\":\\\"properties\\\"}]}}]}\",\"size\":0,\"title\":\"Source Control / Repo Connection, count: {$rowCount}\",\"queryType\":12},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"EnablementData\"},\"name\":\"query - Source Controls\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workspace Enablement Status\\r\\n##### Below Chart represents the scope of workspace that needs to be enable as part of project and the percentage of completion\\r\\n##### Select the subscription and workspace count on the parameter to track the completion status\\r\\n\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"DeploymentScore\"},\"name\":\"group - 23\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Worspace Enablement Status\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"EnablementData\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n//| where id has \\\"{Workspace}\\\"\\r\\n| extend sentinel = iif(isnotempty(tostring(\\\"{Workspace}\\\")), \\\"Enabled\\\", \\\"Not Completed\\\")\\r\\n|where subscriptionId has '{DefaultSubscription_Internal}'\\r\\n| project ['Log Analytics Workspace Name'] = id, ['Resource Group'] = resourceGroup, location, ['Workspace Status'] = sentinel,subscriptionId\\r\\n//| summarize count() by subscriptionId\\r\\n//|render barchart\\r\\n\",\"size\":0,\"title\":\"Number of workspaces available on {Subscription}\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Workspace Info\"},\"name\":\"query - 26\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n//| where id has \\\"{Workspace}\\\"\\r\\n| extend sentinel = iif(isnotempty(tostring(\\\"{Workspace}\\\")), \\\"Enabled\\\", \\\"Not Completed\\\")\\r\\n| project ['Log Analytics Workspace Name'] = id, ['Resource Group'] = resourceGroup, location, ['Workspace Status'] = sentinel,subscriptionId\\r\\n| summarize count() by subscriptionId\\r\\n//|render barchart\",\"size\":0,\"title\":\"Count of Workspaces Enabled on each Subscription\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"subscriptionId\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"subscriptionId\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Workspace Info\"},\"name\":\"query - 27\",\"styleSettings\":{\"maxWidth\":\"40\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces' \\r\\n//| where id has \\\"{Workspace}\\\"\\r\\n| extend state = trim(' ', tostring(properties.provisioningState))\\r\\n\\t\\t,sku = trim(' ', tostring(properties.sku.name))\\r\\n ,skuUpdate = trim(' ', tostring(properties.sku.lastSkuUpdate))\\r\\n\\t\\t,retentionDays = trim(' ', tostring(properties.retentionInDays))\\r\\n\\t\\t,dailyquotaGB = trim(' ', tostring(properties.workspaceCapping.dailyQuotaGb))\\r\\n| extend skuUpdate = iif(strlen(skuUpdate) > 0, skuUpdate,\\\"Unknown\\\")\\r\\n//| extend sentinel = iif(toint(retentionDays) < 90,\\\"If you have Sentinel, you can change your retention to 90days (free)?\\\",\\\"\\\")\\r\\n| project ['Log Analytics Workspace Name']=id, ['Resource Group']=resourceGroup, location, ['Data Retention(days)']=retentionDays, ['Last known SKU update']=skuUpdate, ['Licence']=sku, ['Commitment Tier']=properties.sku.capacityReservationLevel,W_CreatedDate=properties.createdDate, W_modifedDate=properties.modifiedDate\\r\\n//, ['Notes'] = sentinel\",\"size\":0,\"title\":\"Log Analytic Workspace With Data Retention Info\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Last known SKU update\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"is Empty\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Daily Data Cap\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"not set\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"1\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Data Retention\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}}]}},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Workspace Info\"},\"name\":\"query - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n// Just show Workspaces that have Sentinel enabled\\r\\n| where type == \\\"microsoft.operationsmanagement/solutions\\\"\\r\\n| where name has \\\"SecurityInsights\\\"\\r\\n| parse name with * '(' s_workspace ')'*\\r\\n| project WorkspaceName= s_workspace, properties.creationTime, properties.lastModifiedTime , ['Days Enabled'] = datetime_diff('day',now(),todatetime(properties.creationTime)), CapacityReservation=properties.sku.capacityReservationLevel\",\"size\":0,\"title\":\"Microsoft Sentinel Enabled on below workspaces\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Days Enabled\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"30\",\"representation\":\"yellow\",\"text\":\"Free {1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"green\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Workspace Info\"},\"name\":\"query - 21\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n// Just show Workspaces that have Sentinel enabled\\r\\n| where type == \\\"microsoft.operationsmanagement/solutions\\\"\\r\\n| where name has \\\"SecurityInsights\\\"\\r\\n| parse name with * '(' s_workspace ')'*\\r\\n|where subscriptionId has '{DefaultSubscription_Internal}'\\r\\n| summarize EnabledWorkspaces=count()\\r\\n|extend OverallWorkspace =toint(\\\"{WorkspaceCount}\\\")\\r\\n|extend Percentage = ((EnabledWorkspaces * 100) / OverallWorkspace)\\r\\n| project Percentage , EnabledWorkspaces, OverallWorkspace\\r\\n\\r\\n\\r\\n\",\"size\":0,\"title\":\"Workspace Enablement Status\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"EnabledWorkspaces\",\"color\":\"greenDark\"},{\"seriesName\":\"OverallWorkspace\",\"color\":\"blue\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"DeploymentScore\"},\"name\":\"Workspace Enablement Status\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n// Just show Workspaces that have Sentinel enabled\\r\\n| where type == \\\"microsoft.operationsmanagement/solutions\\\"\\r\\n| where name has \\\"SecurityInsights\\\"\\r\\n| parse name with * '(' s_workspace ')'*\\r\\n|where subscriptionId has '{DefaultSubscription_Internal}'\\r\\n| summarize EnabledWorkspaces=count()\\r\\n|extend OverallWorkspace =toint(\\\"{WorkspaceCount}\\\")\\r\\n|extend Percentage = ((EnabledWorkspaces * 100) / OverallWorkspace)\\r\\n|project-away OverallWorkspace\\r\\n\",\"size\":0,\"title\":\"Completion Percentage on Workspace Enablement\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"visualization\":\"barchart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"DeploymentScore\"},\"name\":\"Completion Percentage on Workspace Enablement\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n// Just show Workspaces that have Sentinel enabled\\r\\n| where type == \\\"microsoft.operationsmanagement/solutions\\\"\\r\\n| where name has \\\"SecurityInsights\\\"\\r\\n| parse name with * '(' s_workspace ')'*\\r\\n|where subscriptionId has '{DefaultSubscription_Internal}'\\r\\n| extend sentinel = iif(isnotempty(tostring(\\\"{Workspace}\\\")), \\\"Enabled\\\", \\\"Not Completed\\\")\\r\\n|project ['Log Analytics Workspace Name'] = s_workspace,subscriptionId,resourceGroup,['Status'] = sentinel,location\",\"size\":0,\"title\":\"List of Sentinel Workspace Enabled on {DefaultSubscription_Internal}\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"EnablementData\"},\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"ARMEndpoint/1.0\\\",\\\"data\\\":null,\\\"headers\\\":[],\\\"method\\\":\\\"GET\\\",\\\"path\\\":\\\"/subscriptions/{Workspace:subscription}/resourceGroups/{Workspace:resourcegroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/Tables?api-version=2017-04-26-preview\\\",\\\"urlParams\\\":[],\\\"batchDisabled\\\":false,\\\"transformers\\\":[{\\\"type\\\":\\\"jsonpath\\\",\\\"settings\\\":{\\\"tablePath\\\":\\\"$.value\\\",\\\"columns\\\":[{\\\"path\\\":\\\"name\\\",\\\"columnid\\\":\\\"TableName\\\"},{\\\"path\\\":\\\"properties.retentionInDays\\\",\\\"columnid\\\":\\\"RetentionInDays\\\"}]}}]}\",\"size\":0,\"title\":\"TableLevel Retention\",\"queryType\":12},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Workspace Info\"},\"name\":\"query - 8\"}]},\"name\":\"group - 30\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Data Connector Enablement Status\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Dataconnectors Info\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//let tablename1 = dynamic([{TableName}]);\\r\\nlet selectedtable = dynamic([{TableName}]);\\r\\nlet tableNames = datatable(TableName:string, DataType:string)\\r\\n[\\r\\n \\\"Microsoft Entra ID\\\",\\\"SigninLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"AuditLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"ProvisioningLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"NonInteractiveUserSignInLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"ServicePrincipalSignInLogs\\\",\\r\\n \\\"Microsoft Entra ID\\\",\\\"ManagedIdentitySignInLogs\\\",\\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADIdentityProtectionAlerts\\\", \\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADUserRiskEvents\\\", \\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADRiskyUsers\\\", \\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADRiskySignIns\\\",\\r\\n \\\"Azure Activity\\\",\\\"AzureActivity\\\",\\r\\n \\\"Azure DDoS Protection\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Azure Key Vault\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Azure Kubernetes Service (AKS)\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Microsoft Purview (Preview)\\\",\\\"PurviewInformationProtection\\\",\\r\\n \\\"Azure Storage Account\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Azure Web Application Firewall (WAF)\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Common Event Format (CEF) via AMA\\\",\\\"CommonSecurityLog\\\",\\r\\n \\\"Windows DNS Events via AMA\\\",\\\"ASimDnsActivityLogs\\\",\\r\\n \\\"Azure Event Hubs\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Microsoft 365 Insider Risk Management\\\",\\\"OfficeActivity\\\",\\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityInfo\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityDirectoryEvents\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityLogonEvents\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityQueryEvents\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentitySigninEvents\\\",\\r\\n \\\"Microsoft Defender XDR\\\",\\\"SecurityAlert\\\", \\r\\n \\\"Microsoft Defender XDR\\\",\\\"SecurityIncident\\\",\\r\\n \\\"Microsoft Defender for Cloud Apps\\\",\\\"CloudAppEvents\\\", \\r\\n \\\"Microsoft Defender for Cloud Apps\\\",\\\"CloudAppFileEvents\\\", \\r\\n \\\"Microsoft Defender for Cloud Apps\\\",\\\"CloudAppAccountEvents\\\",\\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceNetworkEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceFileEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceRegistryEvents\\\",\\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceImageLoadEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceProcessEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceLogonEvents\\\",\\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceAlertEvents\\\",\\r\\n \\\"Subscription-based Microsoft Defender for Cloud (Legacy)\\\",\\\"SecurityAlert\\\", \\r\\n \\\"Subscription-based Microsoft Defender for Cloud (Legacy)\\\",\\\"SecurityIncident\\\", \\r\\n \\\"Subscription-based Microsoft Defender for Cloud (Legacy)\\\",\\\"SecurityRecommendation\\\",\\r\\n \\\"Tenant-based Microsoft Defender for Cloud (Preview)\\\",\\\"SecurityAlert\\\",\\r\\n \\\"Tenant-based Microsoft Defender for Cloud (Preview)\\\",\\\"SecurityIncident\\\", \\r\\n \\\"Tenant-based Microsoft Defender for Cloud (Preview)\\\",\\\"SecurityRecommendation\\\",\\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailEvents\\\",\\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailPostDeliveryEvents\\\", \\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailUrlInfo\\\",\\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailAttachmentInfo\\\",\\r\\n \\\"Microsoft Purview Information Protection\\\",\\\"InformationProtectionLogs\\\",\\r\\n \\\"Microsoft Purview Information Protection\\\",\\\"InformationProtectionLabelEvents\\\",\\r\\n \\\"Microsoft 365\\\",\\\"OfficeActivity\\\", \\r\\n \\\"Microsoft 365\\\",\\\"ExchangeOnline\\\", \\r\\n \\\"Microsoft 365\\\",\\\"SharePointOnline\\\", \\r\\n \\\"Microsoft 365\\\",\\\"Teams\\\",\\r\\n \\\"Windows Security Events via AMA\\\",\\\"SecurityEvent\\\",\\r\\n \\\"Syslog via AMA\\\",\\\"Syslog\\\",\\r\\n \\\"Microsoft Defender Threat Intelligence (Preview)\\\",\\\"ThreatIntelligenceIndicator\\\", \\r\\n \\\"Microsoft Defender Threat Intelligence (Preview)\\\",\\\"ThreatIntelligenceIndicatorV2\\\",\\r\\n \\\"Premium Microsoft Defender Threat Intelligence (Preview)\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Threat intelligence - TAXII\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Threat Intelligence Platforms\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Threat Intelligence Upload Indicators API (Preview)\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Microsoft Defender for IoT\\\",\\\"IoTSecurityAlert\\\", \\r\\n \\\"Microsoft Defender for IoT\\\",\\\"IoTSecurityRecommendation\\\",\\r\\n \\\"Windows Firewall Events via AMA (Preview)\\\",\\\"ASimNetworkSessionLogs\\\"\\r\\n];\\r\\nlet usageSummary = Usage\\r\\n //|where ResourceUri contains '{Workspace}'\\r\\n | summarize LogCount = count(), SizeinMB = round(sum(Quantity), 2) by DataType\\r\\n | extend status = iif(LogCount > 0, \\\"Completed\\\", \\\"NotStarted\\\");\\r\\ntableNames\\r\\n| where DataType in (selectedtable)\\r\\n| join kind=leftouter (usageSummary) on DataType\\r\\n| project DataType, TableName, LogCount = coalesce(LogCount, 0), status = iif(LogCount == 0, \\\"NotStarted\\\", status)\\r\\n| sort by LogCount desc\\r\\n|project-away LogCount\\r\\n\",\"size\":0,\"title\":\"List of Dataconnectors Enabled\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"startsWith\",\"thresholdValue\":\"Completed\",\"representation\":\"greenDark\",\"text\":\"{0}{1}\"},{\"operator\":\"startsWith\",\"thresholdValue\":\"NotStarted\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}}]},\"sortBy\":[]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"EnablementData\"},\"name\":\"query - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Columns explained\\r\\n- **Table name**: the name of the Log Analytics workspace table. The list of tables is updated dynamically.\\r\\n- **Table size**: the total size of the data stored in the table for the specified time range.\\r\\n- **Table entries**: the total number of events stored in the table for the specified time range. \\r\\n- **Size per entry**: Average size of each event.\\r\\n- **Is billable**: indicates if the table is billable or free (True/False)\"},\"conditionalVisibilities\":[{\"parameterName\":\"Show Help\",\"comparison\":\"isEqualTo\",\"value\":\"yes\"},{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Dataconnectors Info\"}],\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource=_TableName *\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n//|where ResourceUri contains '{Workspace}'\\r\\n| summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff(\\\"second\\\",now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable==true) by _TableName, _IsBillable\\r\\n| project ['Table Name'] = _TableName, ['Table Entries'] = Entries,['IsBillable'] = _IsBillable\\r\\n| order by ['Table Entries'] desc\\r\\n\",\"size\":0,\"title\":\"Log Ingestion status for {TimeRange:label} from all tables\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Table Name\",\"exportParameterName\":\"Table\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Table Name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"15%\"}},{\"columnMatch\":\"Table Size\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleRed\",\"customColumnWidthSetting\":\"24%\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Table Entries\",\"formatter\":3,\"formatOptions\":{\"palette\":\"magenta\",\"customColumnWidthSetting\":\"24%\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Size per Entry\",\"formatter\":3,\"formatOptions\":{\"palette\":\"turquoise\",\"customColumnWidthSetting\":\"24%\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"IsBillable\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"Last Record Received\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Estimated Table Price\",\"formatter\":3,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Table Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redGreen\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Dataconnectors Info\"},\"showPin\":false,\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Dataconnectors Info\"},\"name\":\"group - 23\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Usage\\r\\n| make-series count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DataType\\r\\n| extend lastDay = toreal(trim(@\\\"[^\\\\w]+\\\",tostring(array_slice(count_,-1,-1)))), lastWeek = array_slice(count_,array_length(count_) -7,-1)\\r\\n| order by DataType asc\",\"size\":0,\"title\":\"Data Ingestion trend: {TimeRange:label}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":3}}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":5},{\"columnMatch\":\"lastDay\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"10\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"lastWeek\",\"formatter\":10,\"formatOptions\":{\"palette\":\"blueDark\"}},{\"columnMatch\":\"BilledSize\",\"formatter\":21,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":4,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":3}}}],\"sortBy\":[{\"itemKey\":\"DataType\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"DataType\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Dataconnectors Info\"},\"name\":\"query - 22\"},{\"type\":1,\"content\":{\"json\":\"# Data Connector Enablement Status\\r\\n##### List of Scoped Dataconnectos Enabled\\r\\n##### Select the scoped dataconnectors Name and the table Name on the parameter field to track the enbalement status\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"DeploymentScore\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selectedtable = dynamic([{TableName}]);\\r\\nlet tableNames = datatable(TableName:string, DataType:string)\\r\\n[\\r\\n \\\"Microsoft Entra ID\\\",\\\"SigninLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"AuditLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"ProvisioningLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"NonInteractiveUserSignInLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"ServicePrincipalSignInLogs\\\",\\r\\n \\\"Microsoft Entra ID\\\",\\\"ManagedIdentitySignInLogs\\\",\\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADIdentityProtectionAlerts\\\", \\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADUserRiskEvents\\\", \\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADRiskyUsers\\\", \\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADRiskySignIns\\\",\\r\\n \\\"Azure Activity\\\",\\\"AzureActivity\\\",\\r\\n \\\"Azure DDoS Protection\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Azure Key Vault\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Azure Kubernetes Service (AKS)\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Microsoft Purview (Preview)\\\",\\\"PurviewInformationProtection\\\",\\r\\n \\\"Azure Storage Account\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Azure Web Application Firewall (WAF)\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Common Event Format (CEF) via AMA\\\",\\\"CommonSecurityLog\\\",\\r\\n \\\"Windows DNS Events via AMA\\\",\\\"ASimDnsActivityLogs\\\",\\r\\n \\\"Azure Event Hubs\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Microsoft 365 Insider Risk Management\\\",\\\"OfficeActivity\\\",\\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityInfo\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityDirectoryEvents\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityLogonEvents\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityQueryEvents\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentitySigninEvents\\\",\\r\\n \\\"Microsoft Defender XDR\\\",\\\"SecurityAlert\\\", \\r\\n \\\"Microsoft Defender XDR\\\",\\\"SecurityIncident\\\",\\r\\n \\\"Microsoft Defender for Cloud Apps\\\",\\\"CloudAppEvents\\\", \\r\\n \\\"Microsoft Defender for Cloud Apps\\\",\\\"CloudAppFileEvents\\\", \\r\\n \\\"Microsoft Defender for Cloud Apps\\\",\\\"CloudAppAccountEvents\\\",\\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceNetworkEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceFileEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceRegistryEvents\\\",\\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceImageLoadEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceProcessEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceLogonEvents\\\",\\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceAlertEvents\\\",\\r\\n \\\"Subscription-based Microsoft Defender for Cloud (Legacy)\\\",\\\"SecurityAlert\\\", \\r\\n \\\"Subscription-based Microsoft Defender for Cloud (Legacy)\\\",\\\"SecurityIncident\\\", \\r\\n \\\"Subscription-based Microsoft Defender for Cloud (Legacy)\\\",\\\"SecurityRecommendation\\\",\\r\\n \\\"Tenant-based Microsoft Defender for Cloud (Preview)\\\",\\\"SecurityAlert\\\",\\r\\n \\\"Tenant-based Microsoft Defender for Cloud (Preview)\\\",\\\"SecurityIncident\\\", \\r\\n \\\"Tenant-based Microsoft Defender for Cloud (Preview)\\\",\\\"SecurityRecommendation\\\",\\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailEvents\\\",\\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailPostDeliveryEvents\\\", \\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailUrlInfo\\\",\\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailAttachmentInfo\\\",\\r\\n \\\"Microsoft Purview Information Protection\\\",\\\"InformationProtectionLogs\\\",\\r\\n \\\"Microsoft Purview Information Protection\\\",\\\"InformationProtectionLabelEvents\\\",\\r\\n \\\"Microsoft 365\\\",\\\"OfficeActivity\\\", \\r\\n \\\"Microsoft 365\\\",\\\"ExchangeOnline\\\", \\r\\n \\\"Microsoft 365\\\",\\\"SharePointOnline\\\", \\r\\n \\\"Microsoft 365\\\",\\\"Teams\\\",\\r\\n \\\"Windows Security Events via AMA\\\",\\\"SecurityEvent\\\",\\r\\n \\\"Syslog via AMA\\\",\\\"Syslog\\\",\\r\\n \\\"Microsoft Defender Threat Intelligence (Preview)\\\",\\\"ThreatIntelligenceIndicator\\\", \\r\\n \\\"Microsoft Defender Threat Intelligence (Preview)\\\",\\\"ThreatIntelligenceIndicatorV2\\\",\\r\\n \\\"Premium Microsoft Defender Threat Intelligence (Preview)\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Threat intelligence - TAXII\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Threat Intelligence Platforms\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Threat Intelligence Upload Indicators API (Preview)\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Microsoft Defender for IoT\\\",\\\"IoTSecurityAlert\\\", \\r\\n \\\"Microsoft Defender for IoT\\\",\\\"IoTSecurityRecommendation\\\",\\r\\n \\\"Windows Firewall Events via AMA (Preview)\\\",\\\"ASimNetworkSessionLogs\\\"\\r\\n];\\r\\nlet usageSummary = Usage\\r\\n |where ResourceUri contains '{Workspace}'\\r\\n | summarize LogCount = count(), SizeinMB = round(sum(Quantity), 2) by DataType\\r\\n | extend status = iif(LogCount > 0, \\\"Completed\\\", \\\"NotStarted\\\");\\r\\ntableNames\\r\\n| where DataType in (selectedtable)\\r\\n| join kind=leftouter (usageSummary) on DataType\\r\\n| extend status = iif(LogCount > 0, \\\"Completed\\\", \\\"Not Started\\\")\\r\\n| project TableName,LogCount = coalesce(LogCount, 0), status = iif(LogCount == 0, \\\"NotStarted\\\", status)\\r\\n| project TableName, status\\r\\n|summarize count() by status\\r\\n//| sort by LogCount desc\\r\\n//|render piechart\",\"size\":0,\"title\":\"EnablementStatus on Scoped Dataconnectors\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"DeploymentScore\"},\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selectedtable = dynamic([{TableName}]);\\r\\nlet tableNames = datatable(TableName:string, DataType:string)\\r\\n[\\r\\n \\\"Microsoft Entra ID\\\",\\\"SigninLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"AuditLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"ProvisioningLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"NonInteractiveUserSignInLogs\\\", \\r\\n \\\"Microsoft Entra ID\\\",\\\"ServicePrincipalSignInLogs\\\",\\r\\n \\\"Microsoft Entra ID\\\",\\\"ManagedIdentitySignInLogs\\\",\\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADIdentityProtectionAlerts\\\", \\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADUserRiskEvents\\\", \\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADRiskyUsers\\\", \\r\\n \\\"Microsoft Entra ID Protection\\\",\\\"AADRiskySignIns\\\",\\r\\n \\\"Azure Activity\\\",\\\"AzureActivity\\\",\\r\\n \\\"Azure DDoS Protection\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Azure Key Vault\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Azure Kubernetes Service (AKS)\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Microsoft Purview (Preview)\\\",\\\"PurviewInformationProtection\\\",\\r\\n \\\"Azure Storage Account\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Azure Web Application Firewall (WAF)\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Common Event Format (CEF) via AMA\\\",\\\"CommonSecurityLog\\\",\\r\\n \\\"Windows DNS Events via AMA\\\",\\\"ASimDnsActivityLogs\\\",\\r\\n \\\"Azure Event Hubs\\\",\\\"AzureDiagnostics\\\",\\r\\n \\\"Microsoft 365 Insider Risk Management\\\",\\\"OfficeActivity\\\",\\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityInfo\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityDirectoryEvents\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityLogonEvents\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentityQueryEvents\\\", \\r\\n \\\"Microsoft Defender for Identity\\\",\\\"IdentitySigninEvents\\\",\\r\\n \\\"Microsoft Defender XDR\\\",\\\"SecurityAlert\\\", \\r\\n \\\"Microsoft Defender XDR\\\",\\\"SecurityIncident\\\",\\r\\n \\\"Microsoft Defender for Cloud Apps\\\",\\\"CloudAppEvents\\\", \\r\\n \\\"Microsoft Defender for Cloud Apps\\\",\\\"CloudAppFileEvents\\\", \\r\\n \\\"Microsoft Defender for Cloud Apps\\\",\\\"CloudAppAccountEvents\\\",\\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceNetworkEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceFileEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceRegistryEvents\\\",\\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceImageLoadEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceProcessEvents\\\", \\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceLogonEvents\\\",\\r\\n \\\"Microsoft Defender for Endpoint\\\",\\\"DeviceAlertEvents\\\",\\r\\n \\\"Subscription-based Microsoft Defender for Cloud (Legacy)\\\",\\\"SecurityAlert\\\", \\r\\n \\\"Subscription-based Microsoft Defender for Cloud (Legacy)\\\",\\\"SecurityIncident\\\", \\r\\n \\\"Subscription-based Microsoft Defender for Cloud (Legacy)\\\",\\\"SecurityRecommendation\\\",\\r\\n \\\"Tenant-based Microsoft Defender for Cloud (Preview)\\\",\\\"SecurityAlert\\\",\\r\\n \\\"Tenant-based Microsoft Defender for Cloud (Preview)\\\",\\\"SecurityIncident\\\", \\r\\n \\\"Tenant-based Microsoft Defender for Cloud (Preview)\\\",\\\"SecurityRecommendation\\\",\\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailEvents\\\",\\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailPostDeliveryEvents\\\", \\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailUrlInfo\\\",\\r\\n \\\"Microsoft Defender for Office 365 (Preview)\\\",\\\"EmailAttachmentInfo\\\",\\r\\n \\\"Microsoft Purview Information Protection\\\",\\\"InformationProtectionLogs\\\",\\r\\n \\\"Microsoft Purview Information Protection\\\",\\\"InformationProtectionLabelEvents\\\",\\r\\n \\\"Microsoft 365\\\",\\\"OfficeActivity\\\", \\r\\n \\\"Microsoft 365\\\",\\\"ExchangeOnline\\\", \\r\\n \\\"Microsoft 365\\\",\\\"SharePointOnline\\\", \\r\\n \\\"Microsoft 365\\\",\\\"Teams\\\",\\r\\n \\\"Windows Security Events via AMA\\\",\\\"SecurityEvent\\\",\\r\\n \\\"Syslog via AMA\\\",\\\"Syslog\\\",\\r\\n \\\"Microsoft Defender Threat Intelligence (Preview)\\\",\\\"ThreatIntelligenceIndicator\\\", \\r\\n \\\"Microsoft Defender Threat Intelligence (Preview)\\\",\\\"ThreatIntelligenceIndicatorV2\\\",\\r\\n \\\"Premium Microsoft Defender Threat Intelligence (Preview)\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Threat intelligence - TAXII\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Threat Intelligence Platforms\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Threat Intelligence Upload Indicators API (Preview)\\\",\\\"ThreatIntelligenceIndicator\\\",\\r\\n \\\"Microsoft Defender for IoT\\\",\\\"IoTSecurityAlert\\\", \\r\\n \\\"Microsoft Defender for IoT\\\",\\\"IoTSecurityRecommendation\\\",\\r\\n \\\"Windows Firewall Events via AMA (Preview)\\\",\\\"ASimNetworkSessionLogs\\\"\\r\\n];\\r\\nlet usageSummary = Usage\\r\\n |where ResourceUri contains '{Workspace}'\\r\\n | summarize LogCount = count(), SizeinMB = round(sum(Quantity), 2) by DataType\\r\\n | extend status = iif(LogCount > 0, \\\"Completed\\\", \\\"NotStarted\\\");\\r\\nlet statusSummary = tableNames\\r\\n | where DataType in (selectedtable)\\r\\n | join kind=leftouter (usageSummary) on DataType\\r\\n | extend status = iif(LogCount > 0, \\\"Completed\\\", \\\"Not Started\\\")\\r\\n | project TableName,LogCount = coalesce(LogCount, 0), status = iif(LogCount == 0, \\\"NotStarted\\\", status)\\r\\n //|summarize Count = count() by status\\r\\n | summarize Count = count() by status;\\r\\nlet total = toscalar(statusSummary | summarize sum(Count));\\r\\nstatusSummary\\r\\n| extend Percentage = round(100.00 * Count / total, 2)\\r\\n|project-away Count\",\"size\":0,\"title\":\"Completion Percentage on Data Connector Enablement\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"DeploymentScore\"},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource=_TableName *\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n| summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff(\\\"second\\\",now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable==true) by _TableName, _IsBillable\\r\\n| project ['Table Name'] = _TableName, ['Table Size'] = Size, ['Table Entries'] = Entries, ['IsBillable'] = _IsBillable\\r\\n| order by ['Table Size'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"TableName with Events Info\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"Table Name\",\"parameterName\":\"Table\",\"parameterType\":1,\"defaultValue\":\"All Tables\"},{\"fieldName\":\"Table Name\",\"parameterName\":\"Table\",\"parameterType\":7,\"defaultValue\":\"All Tables\"}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IsBillable\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"True\",\"representation\":\"greenDark\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}]}},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Dataconnectors Info\"},\"showPin\":true,\"name\":\"query - 6\"}]},\"name\":\"group - 25\"},{\"type\":1,\"content\":{\"json\":\"## Analytics rules\\r\\nThis table displays all the analytics rules in the chosen subscription, workspace, and time range. \"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"EnablementData\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"ARMEndpoint/1.0\\\",\\\"data\\\":null,\\\"headers\\\":[],\\\"method\\\":\\\"GET\\\",\\\"path\\\":\\\"/subscriptions/{Subscription:id}/resourceGroups/{InternalRG}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/alertRules\\\",\\\"urlParams\\\":[{\\\"key\\\":\\\"api-version\\\",\\\"value\\\":\\\"2020-01-01\\\"}],\\\"batchDisabled\\\":false,\\\"transformers\\\":[{\\\"type\\\":\\\"jsonpath\\\",\\\"settings\\\":{\\\"tablePath\\\":\\\"$.value\\\",\\\"columns\\\":[{\\\"path\\\":\\\"$.properties.displayName\\\",\\\"columnid\\\":\\\"RuleName\\\"},{\\\"path\\\":\\\"$.properties.description\\\",\\\"columnid\\\":\\\"Description\\\"},{\\\"path\\\":\\\"$.name\\\",\\\"columnid\\\":\\\"AlertRuleID\\\"},{\\\"path\\\":\\\"$.kind\\\",\\\"columnid\\\":\\\"Kind\\\"},{\\\"path\\\":\\\"$.properties.productFilter\\\",\\\"columnid\\\":\\\"ProductName\\\"},{\\\"path\\\":\\\"$.properties.tactics\\\",\\\"columnid\\\":\\\"Tactics\\\"},{\\\"path\\\":\\\"$.properties.enable\\\",\\\"columnid\\\":\\\"Status\\\"},{\\\"path\\\":\\\"$.properties\\\",\\\"columnid\\\":\\\"prop\\\"},{\\\"path\\\":\\\"$.properties.lastModifiedUtc\\\",\\\"columnid\\\":\\\"lastModifiedUtc\\\"}]}}]}\",\"size\":0,\"title\":\"List of Enabled Analytical Rules\",\"noDataMessage\":\"No analytic rules are defined \",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"AlertRuleID\",\"parameterName\":\"AlertRuleID\",\"parameterType\":1},{\"fieldName\":\"ProductName\",\"parameterName\":\"ProductName\",\"parameterType\":1},{\"fieldName\":\"Tactics\",\"parameterName\":\"Tactics\",\"parameterType\":1},{\"fieldName\":\"RuleName\",\"parameterName\":\"RuleName\",\"parameterType\":1},{\"fieldName\":\"Status\",\"parameterName\":\"Status\",\"parameterType\":1},{\"fieldName\":\"prop\",\"parameterName\":\"prop\",\"parameterType\":1}],\"exportToExcelOptions\":\"all\",\"queryType\":12,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Kind\",\"formatter\":1},{\"columnMatch\":\"ProductName\",\"formatter\":5},{\"columnMatch\":\"Tactics\",\"formatter\":5},{\"columnMatch\":\"Status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"success\",\"text\":\"enabled\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"disabled\",\"text\":\"disabled\"},{\"operator\":\"==\",\"thresholdValue\":\"false\",\"representation\":\"disabled\",\"text\":\"disabled\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"success\",\"text\":\"enabled\"}]}},{\"columnMatch\":\"prop\",\"formatter\":5},{\"columnMatch\":\"enabled\",\"formatter\":3,\"formatOptions\":{\"min\":0,\"max\":1,\"palette\":\"redGreen\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"EnablementData\"},\"name\":\"query - 9\"},{\"type\":1,\"content\":{\"json\":\"# Analytical Rules\\r\\n##### Select the rulecount to be deployed as part of scope on the parameter value to track the score\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"DeploymentScore\"},\"name\":\"text - 24\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ActiveRules = print Enabled = dynamic({ActiveRules});\\r\\nActiveRules\\r\\n| mv-expand Enabled\\r\\n|where Enabled has 'true'\\r\\n//|summarize Enabledcount = count() by \\r\\n| summarize EnableCount = count() by tostring(Enabled)\\r\\n \\r\\n\\r\\n\",\"size\":0,\"title\":\" ActiveRules - Enabled\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"true\",\"color\":\"greenDark\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"DeploymentScore\"},\"name\":\" ActiveRules - Enabled\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Define the active rules\\r\\nlet ActiveRules = print Enabled = dynamic({ActiveRules});\\r\\nlet RuleCount = toint('{RuleCount}');\\r\\nActiveRules\\r\\n| mv-expand Enabled\\r\\n|where Enabled has 'true'\\r\\n| summarize EnabledCount = count() by tostring(Enabled)\\r\\n//| extend RemainingRules = RuleCount - EnabledCount\\r\\n| extend CompletionPercentage = (EnabledCount * 100.0) / RuleCount\\r\\n//|extend PendingPercentage = (RemainingRules * 100.0) / RuleCount\\r\\n//| summarize CompletionPercentage, PendingPercentage\\r\\n|project EnabledCount,CompletionPercentage\\r\\n\",\"size\":0,\"title\":\"Percentage Completed on Analytical Rules Enablement\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"DeploymentScore\"},\"name\":\"query - 21\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Usage\\r\\n| project a = split('{RulesCreatedDate}',\\\",\\\")\\r\\n| limit 1\\r\\n| mv-expand todynamic(a)\\r\\n| project b= split(trim(@\\\"[^\\\\w]+\\\",tostring(a)),\\\"T\\\").[0]\\r\\n| summarize count() by todatetime(b)\\r\\n| order by b asc\\r\\n| top 10 by b \",\"size\":1,\"title\":\"Rule templates vs. created by Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Workbook/Rules/Automation\"},\"name\":\"query - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" Usage\\r\\n | project a = '{countByActiveCategory:value}'\\r\\n | limit 1\\r\\n | extend a = split(trim(@\\\"[^\\\\w]+\\\",a),\\\",\\\") \\r\\n | mv-expand a\\r\\n | summarize count() by trim(\\\" \\\", tostring(a))\\r\\n | order by count_ desc\",\"size\":0,\"title\":\"ActiveRules By Type\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"Column1\",\"label\":\"RuleType\"}]}},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Workbook/Rules/Automation\"},\"name\":\"query - 20\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"ARMEndpoint/1.0\\\",\\\"data\\\":null,\\\"headers\\\":[],\\\"method\\\":\\\"GET\\\",\\\"path\\\":\\\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/AlertRules\\\",\\\"urlParams\\\":[{\\\"key\\\":\\\"api-version\\\",\\\"value\\\":\\\"2022-06-01-preview\\\"},{\\\"key\\\":\\\"$orderby\\\",\\\"value\\\":\\\"properties/createdDateUTC desc\\\"}],\\\"batchDisabled\\\":false,\\\"transformers\\\":[{\\\"type\\\":\\\"jsonpath\\\",\\\"settings\\\":{\\\"tablePath\\\":\\\"$.value\\\",\\\"columns\\\":[{\\\"path\\\":\\\"properties.displayName\\\",\\\"columnid\\\":\\\"displayName\\\"},{\\\"path\\\":\\\"properties.description\\\",\\\"columnid\\\":\\\"description\\\"},{\\\"path\\\":\\\"properties.queryFrequency\\\",\\\"columnid\\\":\\\"queryFrequency\\\"},{\\\"path\\\":\\\"properties.queryPeriod\\\",\\\"columnid\\\":\\\"queryPeriod\\\"},{\\\"path\\\":\\\"properties.triggerOperator\\\",\\\"columnid\\\":\\\"triggerOperator\\\"},{\\\"path\\\":\\\"properties.triggerThreshold\\\",\\\"columnid\\\":\\\"triggerThreshold\\\"},{\\\"path\\\":\\\"properties.severity\\\",\\\"columnid\\\":\\\"severity\\\"},{\\\"path\\\":\\\"properties.tactics\\\",\\\"columnid\\\":\\\"tactics\\\"},{\\\"path\\\":\\\"properties.techniques\\\",\\\"columnid\\\":\\\"techniques\\\"},{\\\"path\\\":\\\"properties.enabled\\\",\\\"columnid\\\":\\\"enabled\\\"}]}}]}\",\"size\":0,\"title\":\"Active Rules Details\",\"queryType\":12},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Workbook/Rules/Automation\"},\"name\":\"query - 21\"},{\"type\":1,\"content\":{\"json\":\"# Workbook Details\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Workbook/Rules/Automation\"},\"name\":\"text - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources | where type == \\\"microsoft.insights/workbooks\\\" | extend Name = tostring(properties.displayName) | where Name has tostring('{Workspace:name}')| extend Name = properties.displayName | where Name has 'Intro to KQL' | summarize count() | extend Workbook = 'Intro to KQL'| extend isEnabled = iff(count_ > 0, 'True', 'False')\\r\\n| union (resources | where type == \\\"microsoft.insights/workbooks\\\" | extend Name = properties.displayName | where Name has 'Advanced KQL for Microsoft Sentinel' | summarize count() | extend Workbook = 'Advanced KQL for Microsoft Sentinel' | extend isEnabled = iff(count_ > 0, 'True', 'False')),(resources | where type == \\\"microsoft.insights/workbooks\\\" | extend Name = properties.displayName | where Name has 'Azure AD Sign-in Logs' | summarize count() | extend Workbook = 'Azure AD Sign-in Logs' | extend isEnabled = iff(count_ > 0, 'True', 'False')) | project Workbook, isEnabled\",\"size\":0,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"isEnabled\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"greenDark\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"greenDark\",\"text\":\"True\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"redBright\",\"text\":\"False\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}]}},\"conditionalVisibilities\":[{\"parameterName\":\"test\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Workbook/Rules/Automation\"}],\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources | where type == \\\"microsoft.insights/workbooks\\\" | extend Name = properties.sourceId | where Name has '{Workspace:name}' | extend Name = properties.displayName | where Name has 'Data Collection health monitoring' | summarize count() | extend Workbook = 'Data collection health monitoring' | extend isEnabled = iff(count_ > 0, 'True', 'False') \\r\\n| union (resources | where type == \\\"microsoft.insights/workbooks\\\" | extend Name = properties.displayName | where Name has 'Insecure Protocols' | summarize count() | extend Workbook = 'Insecure Protocols' | extend isEnabled = iff(count_ > 0, 'True', 'False')),(resources | where type == \\\"microsoft.insights/workbooks\\\" | extend Name = properties.displayName | where Name has 'Investigation Insights' | summarize count() | extend Workbook = 'Investigation Insights' | extend isEnabled = iff(count_ > 0, 'True', 'False')) | project Workbook, isEnabled\",\"size\":0,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"isEnabled\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"greenDark\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":null,\"text\":\"{0}{1}\"}]}}]}},\"conditionalVisibilities\":[{\"parameterName\":\"test\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Workbook/Rules/Automation\"}],\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources | where type == \\\"microsoft.insights/workbooks\\\" | extend Name = properties.sourceId | where Name has '{Workspace:name}' | extend Name = properties.displayName | where Name has 'Microsoft Sentinel Cost' | summarize count() | extend Workbook = 'Microsoft Sentinel Cost' | extend isEnabled = iff(count_ > 0, 'True', 'False')\\r\\n| union (resources | where type == \\\"microsoft.insights/workbooks\\\" | extend Name = properties.displayName | where Name has 'Security Operations Efficiency' | summarize count() | extend Workbook = 'Security Operations Efficiency' | extend isEnabled = iff(count_ > 0, 'True', 'False')), (resources | where type == \\\"microsoft.insights/workbooks\\\" | extend Name = properties.displayName | where Name has 'Workspace Usage Report' | summarize count() | extend Workbook = 'Workspace Usage Report' | extend isEnabled = iff(count_ > 0, 'True', 'False')) | project Workbook, isEnabled\",\"size\":0,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"isEnabled\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"greenDark\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}]}},\"conditionalVisibilities\":[{\"parameterName\":\"test\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Workbook/Rules/Automation\"}],\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RecommendedWorkbooks = datatable(Workbook:string)\\r\\n['Intro to KQL', \\r\\n'Advanced KQL for Microsoft Sentinel',\\r\\n'Azure AD Sign-in Logs',\\r\\n'Data collection health monitoring',\\r\\n'Insecure Protocols',\\r\\n'Investigation Insights',\\r\\n'Microsoft Sentinel Cost',\\r\\n'Security Operations Efficiency',\\r\\n'Workspace Usage Report',\\r\\n'Insider Risk Management',\\r\\n'SOC Process Framework',\\r\\n'Zero Trust (TIC 3.0)'\\r\\n];\\r\\nRecommendedWorkbooks\",\"size\":0,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibilities\":[{\"parameterName\":\"test\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Workbook/Rules/Automation\"}],\"name\":\"RecommendedWorkbook-MainList\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources | where type == \\\"microsoft.insights/workbooks\\\" \\r\\n| extend Name = properties.displayName \\r\\n| extend Workbook = case(\\r\\nName has 'Intro to KQL', 'Intro to KQL',\\r\\nName has 'Advanced KQL for Microsoft Sentinel', 'Advanced KQL for Microsoft Sentinel',\\r\\nName has 'Azure AD Sign-in Logs', 'Azure AD Sign-in Logs',\\r\\nName has 'Data collection health monitoring', 'Data collection health monitoring',\\r\\nName has 'Insecure Protocols', 'Insecure Protocols',\\r\\nName has 'Investigation Insights' , 'Investigation Insights',\\r\\nName has 'Microsoft Sentinel Cost', 'Microsoft Sentinel Cost',\\r\\nName has 'Security Operations Efficiency', 'Security Operations Efficiency',\\r\\nName has 'Workspace Usage Report' , 'Workspace Usage Report',\\r\\nName has 'Insider Risk Management', 'Insider Risk Management',\\r\\nName has 'SOC Process Framework', 'SOC Process Framework',\\r\\nName has 'Zero Trust (TIC 3.0)', 'Zero Trust (TIC 3.0)', \\\"Not in list\\\"\\r\\n)\\r\\n| extend isEnabled = iif (Workbook == \\\"Not in list\\\" , 'False', 'True' )\\r\\n| where Workbook != \\\"Not in list\\\"\\r\\n| distinct Workbook, isEnabled\",\"size\":0,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"isEnabled\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"greenDark\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}]}},\"conditionalVisibilities\":[{\"parameterName\":\"test\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Workbook/Rules/Automation\"}],\"name\":\"RecommendedWorkbook-FindEnabled\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"Merge/1.0\\\",\\\"merges\\\":[{\\\"id\\\":\\\"fab58256-3f74-422d-86a8-c70b371dd05d\\\",\\\"mergeType\\\":\\\"leftouter\\\",\\\"leftTable\\\":\\\"RecommendedWorkbook-MainList\\\",\\\"rightTable\\\":\\\"RecommendedWorkbook-FindEnabled\\\",\\\"leftColumn\\\":\\\"Workbook\\\",\\\"rightColumn\\\":\\\"Workbook\\\"}],\\\"projectRename\\\":[{\\\"originalName\\\":\\\"[RecommendedWorkbook-MainList].Workbook\\\",\\\"mergedName\\\":\\\"Workbook\\\",\\\"fromId\\\":\\\"fab58256-3f74-422d-86a8-c70b371dd05d\\\"},{\\\"originalName\\\":\\\"[RecommendedWorkbook-FindEnabled].isEnabled\\\",\\\"mergedName\\\":\\\"isEnabled\\\",\\\"fromId\\\":\\\"fab58256-3f74-422d-86a8-c70b371dd05d\\\"},{\\\"originalName\\\":\\\"[RecommendedWorkbook-FindEnabled].Workbook\\\"}]}\",\"size\":0,\"title\":\"Recommended Workbooks Deployed\",\"queryType\":7,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"isEnabled\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"greenDark\",\"text\":\"True\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"redBright\",\"text\":\"False\"}]}}]}},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Workbook/Rules/Automation\"},\"showPin\":false,\"name\":\"RecommendedWorkbook-Merge\"}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Workbook/Rules/Automation\"},\"name\":\"group - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//let WorkbookCount = toint('{WorkbookCount}');\\r\\nresources\\r\\n| where type == \\\"microsoft.insights/workbooks\\\"\\r\\n| where properties.sourceId has '{Workspace}'\\r\\n| project WorkbookName = properties.displayName\\r\\n\",\"size\":0,\"title\":\"List of Enabled Workbooks\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"EnablementData\"},\"name\":\"query - 18\"},{\"type\":1,\"content\":{\"json\":\"# WorkbookEnablement Status\\r\\n##### To track the workbook enbalement status select the scope of workbook count on pararmeter value\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"DeploymentScore\"},\"name\":\"text - 25\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//let WorkbookCount = toint('{WorkbookCount}');\\r\\nresources\\r\\n| where type == \\\"microsoft.insights/workbooks\\\"\\r\\n| where properties.sourceId has '{Workspace}'\\r\\n| project WorkbookName = properties.displayName\\r\\n| summarize EnabledCount = count() \\r\\n//| extend CompletionPercentage = (EnabledCount * 100.0) / {WorkbookCount}\\r\\n//|project-away CompletionPercentage\\r\\n\\r\\n\\r\\n\",\"size\":0,\"title\":\"Count of Enabled Workbook\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"visualization\":\"categoricalbar\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"\",\"color\":\"green\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"DeploymentScore\"},\"name\":\"query - 22\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//let WorkbookCount = toint('{WorkbookCount}');\\r\\nresources\\r\\n| where type == \\\"microsoft.insights/workbooks\\\"\\r\\n| where properties.sourceId has '{Workspace}'\\r\\n| project WorkbookName = properties.displayName\\r\\n| summarize EnabledCount = count()\\r\\n| extend CompletionPercentage = (EnabledCount * 100.0) / {WorkbookCount}\\r\\n//| extend status = iff( EnabledCount == {WorkbookCount},\\\"Completed\\\", \\\"NotCompleted\\\")\\r\\n\",\"size\":0,\"title\":\"Percentage Completed on Workbook Enablement\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"DeploymentScore\"},\"name\":\"query - 23\"},{\"type\":1,\"content\":{\"json\":\"# Azure LogicApp Status\\r\\n##### Select the Logic app count on the parameter value to track the completion status\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"DeploymentScore\"},\"name\":\"text - 26\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type has \\\"microsoft.Logic/workflows\\\"\\r\\n//Microsoft.Logic/workflows/\\r\\n| extend State = properties.state\\r\\n|where State has \\\"Enabled\\\"\\r\\n|summarize EnabledCount = count() by tostring(State)\",\"size\":0,\"title\":\"Count of Enabled LogicApps\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"visualization\":\"piechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Enabled\",\"color\":\"amethyst\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"DeploymentScore\"},\"name\":\"query - 24\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type has \\\"microsoft.Logic/workflows\\\"\\r\\n//Microsoft.Logic/workflows/\\r\\n| extend State = properties.state\\r\\n|where State has \\\"Enabled\\\"\\r\\n|summarize EnabledCount = count() by tostring(State)\\r\\n|extend CompletedPercentage = (EnabledCount * 100.0)/ {LogicappCount}\\r\\n//|project-away Enabled\",\"size\":0,\"title\":\"Completed Percentage on LogicApp Enablement\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"DeploymentScore\"},\"name\":\"query - 25\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type has \\\"microsoft.Logic/workflows\\\"\\r\\n//Microsoft.Logic/workflows/\\r\\n| extend State = properties.state\\r\\n|where State has \\\"Enabled\\\"\\r\\n|project ['LogicAppName'] = name,resourceGroup, location, State\",\"size\":0,\"title\":\"List of Enabled Logic apps Name\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"EnablementData\"},\"name\":\"query - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"ARMEndpoint/1.0\\\",\\\"data\\\":null,\\\"headers\\\":[],\\\"method\\\":\\\"GET\\\",\\\"path\\\":\\\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/automationRules\\\",\\\"urlParams\\\":[{\\\"key\\\":\\\"api-version\\\",\\\"value\\\":\\\"2022-01-01-preview\\\"}],\\\"batchDisabled\\\":false,\\\"transformers\\\":[{\\\"type\\\":\\\"jsonpath\\\",\\\"settings\\\":{\\\"tablePath\\\":\\\"$.value\\\",\\\"columns\\\":[{\\\"path\\\":\\\"properties.displayName\\\",\\\"columnid\\\":\\\"displayName\\\"},{\\\"path\\\":\\\"properties.triggeringLogic.isEnabled\\\",\\\"columnid\\\":\\\"IsEnabled\\\"},{\\\"path\\\":\\\"name\\\",\\\"columnid\\\":\\\"nameGUID\\\"},{\\\"path\\\":\\\"properties.order\\\",\\\"columnid\\\":\\\"order\\\"},{\\\"path\\\":\\\"properties.createdTimeUtc\\\",\\\"columnid\\\":\\\"createdTimeUtc\\\"},{\\\"path\\\":\\\"properties.lastModifiedTimeUtc\\\",\\\"columnid\\\":\\\"lastlastModifiedTimeUtc\\\"},{\\\"path\\\":\\\"properties.createdBy.userPrincipalName\\\",\\\"columnid\\\":\\\"createdBy\\\"},{\\\"path\\\":\\\"properties.lastModifiedBy.name\\\",\\\"columnid\\\":\\\"lastModifiedBy\\\"},{\\\"path\\\":\\\"properties.triggeringLogic\\\",\\\"columnid\\\":\\\"triggeringLogic\\\"},{\\\"path\\\":\\\"properties.createdBy\\\",\\\"columnid\\\":\\\"propertiesCreatedBy\\\"}]}}]}\",\"size\":0,\"title\":\"List of Enabled Automation Rules\",\"queryType\":12},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Workbook/Rules/Automation\"},\"name\":\"query - 22\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_GetWatchlistAlias\\r\\n| order by WatchlistAlias asc\",\"size\":0,\"title\":\"Watchlist Data\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"EnablementData\"},\"name\":\"query - 27\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"title\":\"Indicators Imported into Sentinel by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Threat Intelligence\"},\"name\":\"query - 28\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"title\":\"Active Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Threat Intelligence\"},\"name\":\"query - 29\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":0,\"title\":\"Active Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Threat Intelligence\"},\"name\":\"query - 30\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n| summarize CountOfIndicators = count() by ThreatType , bin(TimeGenerated, {TimeRange:grain})\\r\\n| order by CountOfIndicators desc \",\"size\":0,\"title\":\"Threat Intelligence by Threat Type \",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Threat Intelligence\"},\"name\":\"query - 31\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e116d842-3cbe-445c-a2f0-77d565b1d353\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let SortOrder = datatable(Value:string, SortOrder:int)\\r\\n[\\\"High\\\", 1, \\\"Medium\\\", 2, \\\"Low\\\", 3, \\\"Informational\\\", 4];\\r\\nSecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| summarize arg_max(TimeGenerated,*) by IncidentNumber\\r\\n| summarize Count=dcount(IncidentNumber) by Severity\\r\\n| extend Label = strcat(Severity,\\\" [\\\",Count,\\\"]\\\")\\r\\n| project Label, Value=Severity\\r\\n| distinct Value, Label\\r\\n| join kind=leftouter SortOrder on Value\\r\\n| project Value, Label\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f773f9e7-fc1c-4732-a5c0-1b9168911700\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| where Severity in ({Severity})\\r\\n| distinct Status\\r\\n| sort by Status asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"fb5f53db-f20d-4ae4-b326-d0132a20a441\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Owner\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| where Status in ({Status})\\r\\n| where Severity in ({Severity})\\r\\n| project Owner=tostring(Owner.userPrincipalName)\\r\\n| sort by Owner asc\\r\\n| extend Owner = iff(isnotempty( Owner), Owner, \\\"Unassigned\\\")\\r\\n| distinct Owner\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"de6cac05-568d-431b-a25c-db7bab1e8703\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Tags\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| mv-expand Labels\\r\\n| project Tags=tostring(Labels.labelName)\\r\\n| distinct Tags\\r\\n| sort by Tags asc\\r\\n| union (datatable(Tags:string)[\\\"Untagged\\\"])\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"80712773-bdb4-434f-9270-4108e600c0ee\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IncidentNumber\",\"type\":1,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Incidents\"},\"name\":\"parameters - 32\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n//| where IncidentNumber == \\\"{IncidentNumber}\\\" or isempty(\\\"{IncidentNumber}\\\")\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| where Status in ({Status})\\r\\n| where Severity in ({Severity})\\r\\n| where tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| summarize IncidentCount=dcount(IncidentNumber) by bin(CreatedTime, {TimeRange:grain})\",\"size\":0,\"title\":\"Incident Timeline\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Incidents\"},\"name\":\"query - 33\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selectedTags = dynamic([{Tags}]);\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)\\r\\n| where IncidentNumber == \\\"{IncidentNumber}\\\" or isempty(\\\"{IncidentNumber}\\\")\\r\\n| where Severity in ({Severity})\\r\\n| where Status in ({Status})\\r\\n| where Labels has_any(selectedTags) or (selectedTags has_any(\\\"Untagged\\\") and array_length(Labels) == 0)\\r\\n| extend Alerts = extract(\\\"\\\\\\\\[(.*?)\\\\\\\\]\\\", 1, tostring(AlertIds))\\r\\n| mv-expand AlertIds to typeof(string)\\r\\n| join \\r\\n(\\r\\n SecurityAlert\\r\\n | extend AlertEntities = parse_json(Entities)\\r\\n | mv-expand AlertEntities\\r\\n | extend sortOrder = case \\r\\n ( \\r\\n AlertEntities.Type == \\\"account\\\",1, AlertEntities.Type == \\\"host\\\",2, AlertEntities.Type == \\\"ip\\\",3, AlertEntities.Type == \\\"url\\\",4, 99\\r\\n ) \\r\\n | order by sortOrder asc \\r\\n) on $left.AlertIds == $right.SystemAlertId\\r\\n| summarize AlertCount=dcount(AlertIds), entityList=make_set(tostring(AlertEntities.Type)) by IncidentNumber, Status, Severity, Title, Alerts, IncidentUrl, Owner=tostring(Owner.userPrincipalName) , Tactics =tostring(AdditionalData.tactics)\\r\\n| where Owner in ({Owner}) or (isempty(Owner) and \\\"Unassigned\\\" in ({Owner}))\\r\\n// set column order\\r\\n| project IncidentNumber, Severity, Status, AlertCount,Owner, Title, Alerts, entityList, Tactics, IncidentUrl\\r\\n| order by IncidentNumber desc\",\"size\":0,\"title\":\"Incident Details for 7 days\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"IncidentNumber\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"AlertCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Incidents\"},\"name\":\"query - 34\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| extend Source = case(ProviderName has 'ASI Scheduled Alerts', 'Microsoft Sentinel',\\r\\n ProviderName has 'MDATP', 'Defender for Endpoint',\\r\\n ProviderName has 'Azure Security Center', 'Defender for Cloud',\\r\\n ProviderName has 'Azure Advanced Threat Protection', 'Defender for Identity',\\r\\n ProviderName has 'OATP', 'Defender for Office',\\r\\n ProviderName has 'MCAS', 'Defender for Cloud Apps',\\r\\n ProviderName)\\r\\n| summarize count() by Source, bin(TimeGenerated, 1d)\",\"size\":0,\"title\":\"Incidents generated by ProductName\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Incidents\"},\"name\":\"query - 35\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\r\\n| summarize arg_max(TimeGenerated,Status, Severity, Owner, AdditionalData) by IncidentNumber\\r\\n| extend Owner = todynamic(Owner.assignedTo) \\r\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\r\\n| summarize dcount(IncidentNumber) by Severity\",\"size\":0,\"title\":\"Incidents by severity\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"dcount_IncidentNumber\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"dcount_IncidentNumber\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"dcount_IncidentNumber\",\"heatmapPalette\":\"greenRed\"}}},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Incidents\"},\"name\":\"query - 36\"}],\"isLocked\":false,\"fallbackResourceIds\":[\"/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourcegroups/RESOURCEGROUPNAME/providers/microsoft.operationalinsights/workspaces/WORKSPACENAME\"],\"fromTemplateId\":\"sentinel-UserWorkbook\"}", "version": "1.0", "sourceId": "[concat('/subscriptions/', parameters('SubscriptionId'), '/resourcegroups/', parameters('ResourceGroupName'), '/providers/microsoft.operationalinsights/workspaces/', parameters('WorkspaceName'))]", "category": "sentinel" } } ], "outputs": { "workbookId": { "type": "string", "value": "[resourceId( 'microsoft.insights/workbooks', parameters('workbookId'))]" } }, "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#" }