{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "2b569602-0ac2-4276-b2bb-5e59c666854f",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"value": [
"value::all"
],
"typeSettings": {
"limitSelectTo": 100,
"additionalResourceOptions": [
"value::1",
"value::all"
],
"includeAll": true
},
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "524a7a46-0d34-45a3-863f-be259022d3ca",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| project id",
"crossComponentResources": [
"{Subscription}"
],
"value": [
"/subscriptions/6a021fde-5198-441e-9190-9d634e1f4a84/resourceGroups/hesaad-csgRG/providers/Microsoft.OperationalInsights/workspaces/hesaadCSGSentinel"
],
"typeSettings": {
"limitSelectTo": 100,
"additionalResourceOptions": [
"value::1",
"value::all"
]
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "d1f341a0-677d-4375-a575-63df61593733",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 1209600000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2592000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "a13659b4-b7af-4be2-9a69-b448461c49ae",
"version": "KqlParameterItem/1.0",
"name": "Instructions",
"label": "Setup instructions",
"type": 10,
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n { \"value\": \"No\", \"label\": \"No\", \"selected\":true },\r\n { \"value\": \"ChangeLog\", \"label\": \"Change Log\"}\r\n]",
"timeContext": {
"durationMs": 86400000
},
"value": "Yes"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 0"
},
{
"type": 1,
"content": {
"json": "### This workbook will provide a status overview for Microsoft Defender IT / OT Forensics, covering both Microsoft Defender for Endpoint (MDE) EPP/AV module and Azure Defender for IoT"
},
"name": "text - 1"
},
{
"type": 1,
"content": {
"json": "# Workbook setup intructions\r\n\r\nIn order to use this workbook the following configuration needs to be enabled in MDE & AD4IoT tenant"
},
"conditionalVisibility": {
"parameterName": "Instructions",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 3"
},
{
"type": 1,
"content": {
"json": "# Change Log\r\n\r\n## Version 0.1\r\nDefender health status added\r\n\r\n## Version 0.2\r\nAdded windows device summary view\r\nAdded windows device details view\r\n\r\n## Version 0.3\r\nComing soon"
},
"conditionalVisibility": {
"parameterName": "Instructions",
"comparison": "isEqualTo",
"value": "ChangeLog"
},
"name": "text - 4"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "8be630b0-a1ec-4a16-b868-68ffc2128836",
"cellValue": "Parm",
"linkTarget": "parameter",
"linkLabel": "MDE (EPP/AV) - Windows Summary",
"subTarget": "WSummary",
"preText": "",
"style": "link"
},
{
"id": "f648cbc7-fb4c-49b3-8633-05a798407a1f",
"cellValue": "Parm",
"linkTarget": "parameter",
"linkLabel": "MDE (EPP/AV) - Windows Details",
"subTarget": "WDetails",
"preText": "",
"style": "link"
},
{
"id": "246453be-c5c6-44e1-94ad-0bbbe6d45d77",
"cellValue": "Parm",
"linkTarget": "parameter",
"linkLabel": "MDE (EPP/AV) - Mac Summary",
"subTarget": "MSummary",
"style": "link"
},
{
"id": "516b5fab-8cd8-4625-87b2-3a78fb368731",
"cellValue": "Parm",
"linkTarget": "parameter",
"linkLabel": "MDE (EPP/AV) - Mac Details",
"subTarget": "MDetails",
"style": "link"
},
{
"id": "6361d84b-324a-4177-a13a-fac51c42f7e6",
"cellValue": "Parm",
"linkTarget": "parameter",
"linkLabel": "Azure Defender for IoT - Devices",
"subTarget": "AD4IoTDevices",
"style": "link"
},
{
"id": "750544c0-0dc3-4035-932e-585b1b83d7fd",
"cellValue": "Parm",
"linkTarget": "parameter",
"linkLabel": "Azure Defender for IoT - Events",
"subTarget": "AD4IoTEvents",
"style": "link"
},
{
"id": "8db6b53e-60df-4d69-9f69-39495d4e583b",
"cellValue": "Parm",
"linkTarget": "parameter",
"linkLabel": "Azure Defender for IoT - CVEs",
"subTarget": "AD4IoTVCEs",
"style": "link"
}
]
},
"name": "links - 2",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "MDE (EPP/AV) - Windows Device status",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AgentHealthStatusWindows_CL\r\n| where DeviceId_s <> \"\"\r\n| summarize mtgPerf= arg_max(TimeGenerated, *) by DeviceId_s\r\n| summarize AVEnabled=count(AntivirusEnabled_s) by AntivirusEnabled_s",
"size": 1,
"title": "Antivirus Health",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "25",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AgentHealthStatusWindows_CL\r\n| where DeviceId_s <> \"\"\r\n| summarize mtgPerf= arg_max(TimeGenerated, *) by DeviceId_s\r\n| summarize AVEnabled=count(AntivirusReporting_s) by AntivirusReporting_s",
"size": 1,
"title": "Antivirus Reporting Health",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart"
},
"customWidth": "25",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AgentHealthStatusWindows_CL\r\n| where DeviceId_s <> \"\"\r\n| summarize mtgPerf= arg_max(TimeGenerated, *) by DeviceId_s\r\n| summarize AVSigEnabled=count(AntivirusSignatureVersion_s) by AntivirusSignatureVersion_s",
"size": 1,
"title": "Antivirus Signature Compliance",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "N/A",
"label": "DISABLED",
"color": "orange"
}
]
}
},
"customWidth": "25",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AgentHealthStatusWindows_CL\r\n| where DeviceId_s <> \"\"\r\n| summarize mtgPerf= arg_max(TimeGenerated, *) by DeviceId_s\r\n| summarize BMEnabled=count(BehaviorMonitoring_s) by BehaviorMonitoring_s",
"size": 1,
"title": "Behavior Monitor Health",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "ENABLED",
"color": "blue"
},
{
"seriesName": "",
"label": "DISABLED",
"color": "orange"
}
]
}
},
"customWidth": "25",
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AgentHealthStatusWindows_CL\r\n| where DeviceId_s <> \"\"\r\n| summarize mtgPerf= arg_max(TimeGenerated, *) by DeviceId_s\r\n| summarize CPEnabled=count(CloudProtection_s) by CloudProtection_s",
"size": 1,
"title": "Cloud Protection Health",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "25",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AgentHealthStatusWindows_CL\r\n| where DeviceId_s <> \"\"\r\n| summarize mtgPerf= arg_max(TimeGenerated, *) by DeviceId_s\r\n| summarize PUAEnabled=count(PUAProtection_s) by PUAProtection_s",
"size": 1,
"title": "Potentially Unwanted Application Status",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "DISABLED",
"color": "orange"
}
]
}
},
"customWidth": "25",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AgentHealthStatusWindows_CL\r\n| where DeviceId_s <> \"\"\r\n| summarize mtgPerf= arg_max(TimeGenerated, *) by DeviceId_s\r\n| summarize SensorDataEnabled=count(SensorDataCollection_s) by SensorDataCollection_s",
"size": 1,
"title": "Sensor Data Status",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "DISABLED",
"color": "orange"
}
]
}
},
"customWidth": "25",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AgentHealthStatusWindows_CL\r\n| where DeviceId_s <> \"\"\r\n| summarize mtgPerf= arg_max(TimeGenerated, *) by DeviceId_s\r\n| summarize SensorEnabled=count(SensorEnabled_s) by SensorEnabled_s",
"size": 1,
"title": "Sensor Health",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "DISABLED",
"color": "orange"
}
]
}
},
"customWidth": "25",
"name": "query - 3"
}
]
},
"conditionalVisibility": {
"parameterName": "Parm",
"comparison": "isEqualTo",
"value": "WSummary"
},
"name": "group - Overall Health"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "MDE (EPP/AV) - Device Summary",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AgentHealthStatusWindows_CL\r\n| where DeviceId_s <> \"\"\r\n| summarize mtgPerf= arg_max(TimeGenerated, *) by DeviceId_s\r\n| project Computer = DeviceId_s, AntivirusEnabled_s, AntivirusReporting_s, AntivirusSignatureVersion_s, BehaviorMonitoring_s,CloudProtection_s,PUAProtection_s, SensorDataCollection_s,SensorEnabled_s,TamperProtection_s//,mtgPerf , DeviceName_s",
"size": 0,
"showAnalytics": true,
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"showRefreshButton": true,
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "AntivirusEnabled_s",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "ENABLED",
"representation": "success",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "critical",
"text": ""
}
]
}
},
{
"columnMatch": "AntivirusReporting_s",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "ENABLED",
"representation": "success",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "4",
"text": ""
}
]
}
},
{
"columnMatch": "AntivirusSignatureVersion_s",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "ENABLED",
"representation": "success",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "4",
"text": ""
}
]
}
},
{
"columnMatch": "BehaviorMonitoring_s",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "ENABLED",
"representation": "success",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "4",
"text": ""
}
]
}
},
{
"columnMatch": "CloudProtection_s",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "ENABLED",
"representation": "success",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "4",
"text": ""
}
]
}
},
{
"columnMatch": "PUAProtection_s",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "ENABLED",
"representation": "success",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "critical",
"text": ""
}
]
}
},
{
"columnMatch": "SensorDataCollection_s",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "ENABLED",
"representation": "success",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "4",
"text": ""
}
]
}
},
{
"columnMatch": "SensorEnabled_s",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "ENABLED",
"representation": "success",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "4",
"text": ""
}
]
}
},
{
"columnMatch": "TamperProtection_s",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "ENABLED",
"representation": "success",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "4",
"text": ""
}
]
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "AntivirusEnabled_s",
"label": "AV"
},
{
"columnId": "AntivirusReporting_s",
"label": "AV Reporting"
},
{
"columnId": "AntivirusSignatureVersion_s",
"label": "Signature"
},
{
"columnId": "BehaviorMonitoring_s",
"label": "BM"
},
{
"columnId": "CloudProtection_s",
"label": "CP"
},
{
"columnId": "PUAProtection_s",
"label": "PUA"
},
{
"columnId": "SensorDataCollection_s",
"label": "Sensor Data"
},
{
"columnId": "SensorEnabled_s",
"label": "Sensor"
},
{
"columnId": "TamperProtection_s",
"label": "TP"
}
]
}
},
"showPin": true,
"name": "query - 0"
}
]
},
"conditionalVisibility": {
"parameterName": "Parm",
"comparison": "isEqualTo",
"value": "WDetails"
},
"name": "group - details"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "MDE (EPP/AV) - Mac Summary",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "MDE_MAC_devicehealth_CL\r\n| extend test = parse_json(Results_s)\r\n| mv-expand test\r\n| extend Device_ = tostring(test.DeviceName)\r\n| summarize mtgPerf= arg_max(TimeGenerated, *) by Device_\r\n| extend ImpairedCommunications_ = tostring(test.ImpairedCommunications)\r\n|summarize test=count(Device_) by ImpairedCommunications_",
"size": 0,
"title": "ImpairedCommunications_",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart"
},
"customWidth": "33",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "MDE_MAC_devicehealth_CL\r\n| extend test = parse_json(Results_s)\r\n| mv-expand test\r\n| extend Device_ = tostring(test.DeviceName)\r\n| summarize mtgPerf= arg_max(TimeGenerated, *) by Device_\r\n| extend PUAProtection_ = tostring(test.PUAProtection)\r\n|summarize test=count(Device_) by PUAProtection_",
"size": 0,
"title": "PUAProtection_",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "33",
"name": "query - 0 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "MDE_MAC_devicehealth_CL\r\n| extend test = parse_json(Results_s)\r\n| mv-expand test\r\n| extend Device_ = tostring(test.DeviceName)\r\n| summarize mtgPerf= arg_max(TimeGenerated, *) by Device_\r\n| extend RealtimeProtection_ = tostring(test.RealtimeProtection)\r\n|summarize test=count(Device_) by RealtimeProtection_",
"size": 0,
"title": "RealtimeProtection_",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "33",
"name": "query - 0 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "MDE_MAC_devicehealth_CL\r\n| extend test = parse_json(Results_s)\r\n| mv-expand test\r\n| extend Device_ = tostring(test.DeviceName)\r\n| summarize mtgPerf= arg_max(TimeGenerated, *) by Device_\r\n| extend SensorDataCollection_ = tostring(test.SensorDataCollection)\r\n|summarize test=count(Device_) by SensorDataCollection_",
"size": 0,
"title": "SensorDataCollection_",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "33",
"name": "query - 0 - Copy - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "MDE_MAC_devicehealth_CL\r\n| extend test = parse_json(Results_s)\r\n| mv-expand test\r\n| extend Device_ = tostring(test.DeviceName)\r\n| summarize mtgPerf= arg_max(TimeGenerated, *) by Device_\r\n| extend CloudProtection_ = tostring(test.CloudProtection)\r\n|summarize test=count(Device_) by CloudProtection_",
"size": 0,
"title": "CloudProtection_",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "33",
"name": "query - 0 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "MDE_MAC_devicehealth_CL\r\n| extend test = parse_json(Results_s)\r\n| mv-expand test\r\n| extend Device_ = tostring(test.DeviceName)\r\n| summarize mtgPerf= arg_max(TimeGenerated, *) by Device_\r\n| extend AntivirusSignatureVersion_ = tostring(test.AntivirusSignatureVersion)\r\n|summarize test=count(Device_) by AntivirusSignatureVersion_",
"size": 0,
"title": "AntivirusSignatureVersion_",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "33",
"name": "query - 0 - Copy - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "Parm",
"comparison": "isEqualTo",
"value": "MSummary"
},
"name": "Mac Summary"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "MDE (EPP/AV) - MAC Details",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "MDE_MAC_devicehealth_CL\r\n| extend test = parse_json(Results_s)\r\n| mv-expand test\r\n| extend Device_ = tostring(test.DeviceName)\r\n| summarize mtgPerf= arg_max(TimeGenerated, *) by Device_\r\n| extend ImpairedCommunications_ = tostring(test.ImpairedCommunications)\r\n| extend PUAProtection_ = tostring(test.PUAProtection)\r\n| extend RealtimeProtection_ = tostring(test.RealtimeProtection)\r\n| extend SensorDataCollection_ = tostring(test.SensorDataCollection)\r\n| extend CloudProtection_ = tostring(test.CloudProtection)\r\n| extend AntivirusSignatureVersion_ = tostring(test.AntivirusSignatureVersion)\r\n|project Device_, ImpairedCommunications_, PUAProtection_, RealtimeProtection_, SensorDataCollection_, CloudProtection_, AntivirusSignatureVersion_",
"size": 0,
"title": "MAC Details",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "ImpairedCommunications_",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "ENABLED",
"representation": "success",
"text": ""
},
{
"operator": "==",
"thresholdValue": "DISABLED",
"representation": "3",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "question",
"text": ""
}
]
}
},
{
"columnMatch": "PUAProtection_",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "ENABLED",
"representation": "success",
"text": ""
},
{
"operator": "==",
"thresholdValue": "DISABLED",
"representation": "error",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "question",
"text": ""
}
]
}
},
{
"columnMatch": "RealtimeProtection_",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "ENABLED",
"representation": "success",
"text": ""
},
{
"operator": "==",
"thresholdValue": "DISABLED",
"representation": "error",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "question",
"text": ""
}
]
}
},
{
"columnMatch": "SensorDataCollection_",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "ENABLED",
"representation": "success",
"text": ""
},
{
"operator": "==",
"thresholdValue": "DISABLED",
"representation": "error",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "question",
"text": ""
}
]
}
},
{
"columnMatch": "CloudProtection_",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "ENABLED",
"representation": "success",
"text": ""
},
{
"operator": "==",
"thresholdValue": "DISABLED",
"representation": "error",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "question",
"text": ""
}
]
}
},
{
"columnMatch": "AntivirusSignatureVersion_",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "ENABLED",
"representation": "success",
"text": ""
},
{
"operator": "==",
"thresholdValue": "DISABLED",
"representation": "error",
"text": ""
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "question",
"text": ""
}
]
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "Device_",
"label": "Device"
},
{
"columnId": "ImpairedCommunications_",
"label": "Impaired Comms."
},
{
"columnId": "PUAProtection_",
"label": "PUA"
},
{
"columnId": "RealtimeProtection_",
"label": "Real-Time Protection"
},
{
"columnId": "SensorDataCollection_",
"label": "Sensor Status"
},
{
"columnId": "CloudProtection_",
"label": "Cloud Protection"
},
{
"columnId": "AntivirusSignatureVersion_",
"label": "AV Status"
}
]
},
"sortBy": []
},
"conditionalVisibility": {
"parameterName": "Parm",
"comparison": "isEqualTo",
"value": "MDetails"
},
"name": "MAC Details"
}
]
},
"conditionalVisibility": {
"parameterName": "Parm",
"comparison": "isEqualTo",
"value": "MDetails"
},
"name": "MAC details"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Azure Defender for IoT - Devices",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AD4IOT_Devices_CL\r\n| project Vendor = vendor_s, DeviceName = name_s, DeviceIP = ipAddresses_s, MacAddresses= macAddresses_s, Type = type_s, Protocol = protocols_s, Firmware = firmware_s",
"size": 0,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"tileSettings": {
"showBorder": false
},
"mapSettings": {
"locInfo": "LatLong"
}
},
"name": "query - 0"
}
]
},
"conditionalVisibility": {
"parameterName": "Parm",
"comparison": "isEqualTo",
"value": "AD4IoTDevices"
},
"name": "group - AD4IoTDevices"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Azure Defender for IoT - Events",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AD4IOT_Events_CL\r\n| project Event = title_s, timeStamp = timestamp_d, Content = content_s, Type = type_s",
"size": 0,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 0"
}
]
},
"conditionalVisibility": {
"parameterName": "Parm",
"comparison": "isEqualTo",
"value": "AD4IoTEvents"
},
"name": "group - AD4IoTEvents"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Azure Defender for IoT - CVEs",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AD4IOT_CVE_CL\r\n| project CVE = cveId_s, Score = score_s, IP = IPAddress, AttackVector = attackVector_s, Description = description_s",
"size": 0,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 0"
}
]
},
"conditionalVisibility": {
"parameterName": "Parm",
"comparison": "isEqualTo",
"value": "AD4IoTVCEs"
},
"name": "group - AD4IoTVCEs"
}
],
"fallbackResourceIds": [
"/subscriptions/6a021fde-5198-441e-9190-9d634e1f4a84/resourcegroups/hesaad-csgrg/providers/microsoft.operationalinsights/workspaces/hesaadcsgsentinel"
],
"fromTemplateId": "sentinel-UserWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}