{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",
      "defaultValue": "Defender CSPM - CIEM Dasboard",
      "metadata": {
        "description": "ギャラリーまたは保存リストで使用されているブックのフレンドリ名。この名前は、リソース グループ内で一意である必要があります。"
      }
    },
    "workbookType": {
      "type": "string",
      "defaultValue": "workbook",
      "metadata": {
        "description": "ブックが表示されるギャラリー。サポートされる値には、ブック、tsg などがあります。通常、これは 'ブック' です"
      }
    },
    "workbookSourceId": {
      "type": "string",
      "defaultValue": "Azure Security Center",
      "metadata": {
        "description": "ブックを関連付けるリソース インスタンスの ID"
      }
    },
    "workbookId": {
      "type": "string",
      "defaultValue": "[newGuid()]",
      "metadata": {
        "description": "このブック インスタンスの一意の GUID"
      }
    }
  },
  "resources": [
    {
      "name": "[parameters('workbookId')]",
      "type": "microsoft.insights/workbooks",
      "location": "[resourceGroup().location]",
      "apiVersion": "2022-04-01",
      "dependsOn": [],
      "kind": "shared",
      "properties": {
        "displayName": "[parameters('workbookDisplayName')]",
        "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Microsoft Defender for Cloud CIEM - Dashboard\\r\\n\\r\\n| Date | Ver. | Comment |\\r\\n| --- | --- | --- |\\r\\n| 2025/4/10 | 0.9a | Add Exempt filter | \\r\\n| 2025/4/11 | 0.9b | Add Assigned Role lists (if resource was seletected) | \\r\\n| 2025/4/11 | 0.9c | Add Tab filter & Target sope field on Assigned Azure RBAC Role| \\r\\n\\r\\n\\r\\n----\"},\"name\":\"Title-1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::tenant\"],\"parameters\":[{\"id\":\"8114c914-6132-470a-ac1a-55c19d786a5a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"source\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"jsonData\":\"[\\\"azure\\\", \\\"aws\\\", \\\"gcp\\\" ]\",\"value\":[\"azure\"],\"label\":\"CloudSource\"},{\"id\":\"27f08a56-82f7-4944-bdfb-69c9ab2ff856\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"subscription\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ResourceContainers\\r\\n| where type == \\\"microsoft.resources/subscriptions\\\"\\r\\n| project subscriptionId, name\",\"crossComponentResources\":[\"value::tenant\"],\"typeSettings\":{\"additionalResourceOptions\":[]},\"queryType\":1,\"resourceType\":\"microsoft.resources/tenants\",\"value\":[\"3e4358ef-317d-47c8-84ad-0845ffdab0b8\",\"31f48a76-8798-49a1-9c4a-f481d1e656fa\"],\"label\":\"Azure Subscriptions\"},{\"id\":\"ea3bf923-abb4-4d29-a368-ca83e174cda3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResourceType\",\"type\":7,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"securityresources\\r\\n| where type == \\\"microsoft.security/assessments\\\"\\r\\n| extend assessmentKey = tostring(name)\\r\\n| where assessmentKey == \\\"d19d5a12-41e9-44e2-b7f5-ee2160f62d62\\\"\\r\\n| extend resourceType = trim(\\\" \\\", tostring(properties.additionalData.ResourceType))\\r\\n| summarize count() by resourceType\",\"crossComponentResources\":[\"value::tenant\"],\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resources/tenants\",\"value\":[\"User\",\"ServicePrincipal\"]},{\"id\":\"7f2b09b7-bfba-4f2c-80d8-4161c5d044bf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PermissionsCreepIndexScore\",\"label\":\"PCI Thresholds\",\"type\":1,\"isRequired\":true,\"value\":\"1\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resources/tenants\"},\"name\":\"parameters\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"tabStyle\":\"bigger\",\"links\":[{\"id\":\"5735ff81-0a43-4b9f-adb2-b55ff66177d5\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"PCI Summary\",\"subTarget\":\"PCI\",\"style\":\"link\"},{\"id\":\"046ce3b5-4817-4edd-9994-86a630caf553\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overprovisioned ID\",\"subTarget\":\"OVER\",\"style\":\"link\"},{\"id\":\"2ebc994a-572b-4a73-ac76-8d37972b4911\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Inactive ID\",\"subTarget\":\"INACTIVE\",\"style\":\"link\"}]},\"name\":\"Tab-link\"},{\"type\":1,\"content\":{\"json\":\"## CIEM - PCI (Permissions Creep Index) score Information\\r\\n\\r\\nPermission Creep Index (PCI): An aggregated metric that periodically evaluates the level of risk associated with the number of unused or excessive permissions across your identities and resources. It measures how much damage identities can cause based on the permissions they have.\\r\\n\\r\\n----\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"PCI\"},\"name\":\"Title-1-PCI\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n    | where type == \\\"microsoft.security/assessments\\\"\\r\\n    | extend source = trim(' ', tolower(tostring(properties.resourceDetails.Source)))\\r\\n    | where source in ({source})\\r\\n    | where subscriptionId in ({subscription})\\r\\n    | extend resourceId = trim(' ', tolower(tostring(case(\\r\\n        source =~ \\\"azure\\\", properties.resourceDetails.Id,\\r\\n        source =~ \\\"aws\\\" and isnotempty(tostring(properties.resourceDetails.ConnectorId)), properties.resourceDetails.Id,\\r\\n        source =~ \\\"gcp\\\" and isnotempty(tostring(properties.resourceDetails.ConnectorId)), properties.resourceDetails.Id,\\r\\n        source =~ 'aws', properties.resourceDetails.AzureResourceId,\\r\\n        source =~ 'gcp', properties.resourceDetails.AzureResourceId,\\r\\n        extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,id)\\r\\n        ))))\\r\\n    | extend assessmentKey = tostring(name)\\r\\n//    | where assessmentKey == \\\"d19d5a12-41e9-44e2-b7f5-ee2160f62d62\\\"\\r\\n    | extend status = trim(\\\" \\\", tostring(properties.status.cause)) // Check Exempted\\r\\n    | where status != \\\"Exempt\\\" // Check Exempted\\r\\n    | extend PermissionsCreepIndexScore = toint(properties.additionalData.PermissionsCreepIndexScore)\\r\\n    | extend resourceType = trim(\\\" \\\", tostring(properties.additionalData.ResourceType))\\r\\n    | where resourceType in ({ResourceType})\\r\\n    | where PermissionsCreepIndexScore >= {PermissionsCreepIndexScore}\\r\\n    | summarize PciAverage = avg(PermissionsCreepIndexScore), PciMax = max(PermissionsCreepIndexScore),PciMin = min(PermissionsCreepIndexScore) by subscriptionId\\r\\n    | order by PciAverage desc\",\"size\":1,\"title\":\"PCI (PermissionsCreepIndexScore) per Subscription\",\"queryType\":1,\"resourceType\":\"microsoft.resources/tenants\",\"crossComponentResources\":[\"value::tenant\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"subscriptionId\",\"formatter\":15,\"formatOptions\":{\"linkTarget\":null,\"showIcon\":true}},{\"columnMatch\":\"PciAverage\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellowDark\",\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"PciMax\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":100,\"palette\":\"magenta\",\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"PciMin\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"20ch\"}}]},\"sortBy\":[],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"subscriptionId\",\"formatter\":15,\"formatOptions\":{\"linkTarget\":null,\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"PciAverage\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false},\"graphSettings\":{\"type\":2,\"topContent\":{\"columnMatch\":\"subscriptionId\",\"formatter\":15,\"formatOptions\":{\"linkTarget\":null,\"showIcon\":true}},\"centerContent\":{\"columnMatch\":\"PciAverage\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"nodeIdField\":\"subscriptionId\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"nodeSize\":null,\"staticNodeSize\":100,\"colorSettings\":null,\"hivesMargin\":5,\"edgeColorSettings\":null},\"chartSettings\":{\"xAxis\":\"subscriptionId\"}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"PCI\"},\"name\":\"CIEM-pci-ave\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n    | where type == \\\"microsoft.security/assessments\\\"\\r\\n    | extend source = trim(' ', tolower(tostring(properties.resourceDetails.Source)))\\r\\n    | where source in ({source})\\r\\n    | where subscriptionId in ({subscription})\\r\\n    | extend resourceId = trim(' ', tolower(tostring(case(\\r\\n        source =~ \\\"azure\\\", properties.resourceDetails.Id,\\r\\n        source =~ \\\"aws\\\" and isnotempty(tostring(properties.resourceDetails.ConnectorId)), properties.resourceDetails.Id,\\r\\n        source =~ \\\"gcp\\\" and isnotempty(tostring(properties.resourceDetails.ConnectorId)), properties.resourceDetails.Id,\\r\\n        source =~ 'aws', properties.resourceDetails.AzureResourceId,\\r\\n        source =~ 'gcp', properties.resourceDetails.AzureResourceId,\\r\\n        extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,id)\\r\\n        ))))\\r\\n    | extend assessmentKey = tostring(name)\\r\\n//    | where assessmentKey == \\\"d19d5a12-41e9-44e2-b7f5-ee2160f62d62\\\"\\r\\n    | extend status = trim(\\\" \\\", tostring(properties.status.cause)) // Check Exempted\\r\\n    | where status != \\\"Exempt\\\" // Check Exempted\\r\\n    | extend PermissionsCreepIndexScore = toint(properties.additionalData.PermissionsCreepIndexScore)\\r\\n    | extend resourceType = trim(\\\" \\\", tostring(properties.additionalData.ResourceType))\\r\\n    | where resourceType in ({ResourceType})\\r\\n    | where PermissionsCreepIndexScore >= {PermissionsCreepIndexScore}\\r\\n    | summarize count() by resourceType\",\"size\":1,\"title\":\"PCI (PermissionsCreepIndexScore) Data Source\",\"queryType\":1,\"resourceType\":\"microsoft.resources/tenants\",\"crossComponentResources\":[\"value::tenant\"],\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"PCI\"},\"name\":\"CIEM-category\"},{\"type\":1,\"content\":{\"json\":\"## CIEM - Overprovisioned ID Information\\r\\n\\r\\nAzure overprovisioned identities should have only the necessary permissions. Overprovisioned identities in Azure are those that have been granted more permissions than they use, which can lead to potential misuse, either accidentally or maliciously.\\r\\n\\r\\n----\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"OVER\"},\"name\":\"Title-2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n    | where type == \\\"microsoft.security/assessments\\\"\\r\\n    | extend source = trim(' ', tolower(tostring(properties.resourceDetails.Source)))\\r\\n    | where source in ({source})\\r\\n    | where subscriptionId in ({subscription})\\r\\n    | extend resourceId = trim(' ', tolower(tostring(case(\\r\\n        source =~ \\\"azure\\\", properties.resourceDetails.Id,\\r\\n        source =~ \\\"aws\\\" and isnotempty(tostring(properties.resourceDetails.ConnectorId)), properties.resourceDetails.Id,\\r\\n        source =~ \\\"gcp\\\" and isnotempty(tostring(properties.resourceDetails.ConnectorId)), properties.resourceDetails.Id,\\r\\n        source =~ 'aws', properties.resourceDetails.AzureResourceId,\\r\\n        source =~ 'gcp', properties.resourceDetails.AzureResourceId,\\r\\n        extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,id)\\r\\n        ))))\\r\\n    | extend assessmentKey = tostring(name)\\r\\n    | where assessmentKey == \\\"d19d5a12-41e9-44e2-b7f5-ee2160f62d62\\\"\\r\\n    | extend status = trim(\\\" \\\", tostring(properties.status.cause)) // Check Exempted\\r\\n    | where status != \\\"Exempt\\\" // Check Exempted\\r\\n    | extend resourceName = trim(\\\" \\\", tostring(properties.additionalData.ResourceName))\\r\\n    | extend resourceType = trim(\\\" \\\", tostring(properties.additionalData.ResourceType))\\r\\n    | where resourceType in ({ResourceType})\\r\\n    | extend PCI = toint(properties.additionalData.PermissionsCreepIndexScore)\\r\\n    | extend FirstEvaluationDate = tostring(properties.status.firstEvaluationDate)\\r\\n    | extend StatusChangeDate = tostring(properties.status.statusChangeDate)\\r\\n    | extend principalId = tostring(split(['id'], \\\"/\\\")[8])\\r\\n    | project resourceId, resourceName, resourceType, source, subscriptionId, PCI, FirstEvaluationDate, StatusChangeDate, principalId\\r\\n    | where PCI >= {PermissionsCreepIndexScore}\\r\\n    | order by PCI desc\",\"size\":0,\"title\":\"Asset list about PCI (PermissionsCreepIndexScore) Data\",\"showRefreshButton\":true,\"exportedParameters\":[{\"fieldName\":\"resourceName\",\"parameterName\":\"RSName1\"},{\"fieldName\":\"principalId\",\"parameterName\":\"PS1\",\"parameterType\":1}],\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resources/tenants\",\"crossComponentResources\":[\"value::tenant\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"resourceId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":null,\"showIcon\":true}},{\"columnMatch\":\"subscriptionId\",\"formatter\":15,\"formatOptions\":{\"linkTarget\":null,\"showIcon\":true}},{\"columnMatch\":\"PCI\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":100,\"palette\":\"orangeDark\"}},{\"columnMatch\":\"FirstEvaluationDate\",\"formatter\":6},{\"columnMatch\":\"StatusChangeDate\",\"formatter\":6},{\"columnMatch\":\"principalId\",\"formatter\":5},{\"columnMatch\":\"PermissionsCreepIndexScore\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":100,\"palette\":\"orange\"}},{\"columnMatch\":\"id\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":null,\"showIcon\":true}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"StatusChangeDate\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"StatusChangeDate\",\"sortOrder\":2}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"OVER\"},\"name\":\"CIEM-1a\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuthorizationResources\\r\\n| where type == 'microsoft.authorization/roleassignments'\\r\\n| extend principalType = tostring(properties['principalType'])\\r\\n| extend principalId = tostring(properties['principalId'])\\r\\n| where principalId == \\\"{PS1}\\\"\\r\\n| extend roleDefinitionId = tolower(tostring(properties['roleDefinitionId']))\\r\\n| extend scope = tostring(properties['scope'])\\r\\n| project roleDefinitionId, principalId, principalType, subscriptionId, scope\\r\\n| join kind=inner (\\r\\n    AuthorizationResources\\r\\n    | where type == 'microsoft.authorization/roledefinitions'\\r\\n    | extend roleName = tostring(properties['roleName'])\\r\\n    | extend roleDescritpion = tostring(properties['description'])\\r\\n    | extend id = tolower(id)\\r\\n    | project id, roleName, roleDescritpion\\r\\n) on $left.roleDefinitionId == $right.id\\r\\n| project-away roleDefinitionId, id\",\"size\":4,\"title\":\"Assigned Azure RBAC Role\",\"noDataMessage\":\"Please select above resource.\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resources/tenants\",\"crossComponentResources\":[\"value::tenant\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"principalType\",\"formatter\":1},{\"columnMatch\":\"subscriptionId\",\"formatter\":15,\"formatOptions\":{\"linkTarget\":null,\"showIcon\":true}},{\"columnMatch\":\"scope\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":null,\"showIcon\":true}},{\"columnMatch\":\"PCI\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":100,\"palette\":\"orangeDark\"}},{\"columnMatch\":\"used\",\"formatter\":1},{\"columnMatch\":\"unused\",\"formatter\":1},{\"columnMatch\":\"links\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"rowLimit\":100}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"OVER\"},\"name\":\"CIEM-target-role\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n    | where type == \\\"microsoft.security/assessments\\\"\\r\\n    | extend source = trim(' ', tolower(tostring(properties.resourceDetails.Source)))\\r\\n    | where source in ({source})\\r\\n    | where subscriptionId in ({subscription})\\r\\n    | extend resourceId = trim(' ', tolower(tostring(case(\\r\\n        source =~ \\\"azure\\\", properties.resourceDetails.Id,\\r\\n        source =~ \\\"aws\\\" and isnotempty(tostring(properties.resourceDetails.ConnectorId)), properties.resourceDetails.Id,\\r\\n        source =~ \\\"gcp\\\" and isnotempty(tostring(properties.resourceDetails.ConnectorId)), properties.resourceDetails.Id,\\r\\n        source =~ 'aws', properties.resourceDetails.AzureResourceId,\\r\\n        source =~ 'gcp', properties.resourceDetails.AzureResourceId,\\r\\n        extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,id)\\r\\n        ))))\\r\\n    | extend assessmentKey = tostring(name)\\r\\n    | where assessmentKey == \\\"d19d5a12-41e9-44e2-b7f5-ee2160f62d62\\\"\\r\\n    | extend resourceName = trim(\\\" \\\", tostring(properties.additionalData.ResourceName))\\r\\n    | extend resourceType = trim(\\\" \\\", tostring(properties.additionalData.ResourceType))\\r\\n    | where resourceType in ({ResourceType})\\r\\n    | extend PCI = toint(properties.additionalData.PermissionsCreepIndexScore)\\r\\n    | where PCI >= {PermissionsCreepIndexScore}\\r\\n    | where resourceName == '{RSName1}'\\r\\n    | extend used = tostring(properties.additionalData.used)\\r\\n    | extend unused = tostring(properties.additionalData.unused)\\r\\n    | mv-expand expandedUsed = parse_json(used)\\r\\n    | extend UsedRole = expandedUsed.externalId, UsedDateTime = expandedUsed.usedDateTime\\r\\n    | project UsedRole, UsedDateTime\",\"size\":1,\"title\":\"PCI (PermissionsCreepIndexScore) Data Details - Used Role\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resources/tenants\",\"crossComponentResources\":[\"value::tenant\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UsedRole\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80ch\"}},{\"columnMatch\":\"subscriptionId\",\"formatter\":15,\"formatOptions\":{\"linkTarget\":null,\"showIcon\":true}},{\"columnMatch\":\"PCI\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":100,\"palette\":\"orangeDark\"}},{\"columnMatch\":\"used\",\"formatter\":1},{\"columnMatch\":\"unused\",\"formatter\":1},{\"columnMatch\":\"links\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"rowLimit\":1000}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"OVER\"},\"name\":\"CIEM-1b\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n    | where type == \\\"microsoft.security/assessments\\\"\\r\\n    | extend source = trim(' ', tolower(tostring(properties.resourceDetails.Source)))\\r\\n    | where source in ({source})\\r\\n    | where subscriptionId in ({subscription})\\r\\n    | extend resourceId = trim(' ', tolower(tostring(case(\\r\\n        source =~ \\\"azure\\\", properties.resourceDetails.Id,\\r\\n        source =~ \\\"aws\\\" and isnotempty(tostring(properties.resourceDetails.ConnectorId)), properties.resourceDetails.Id,\\r\\n        source =~ \\\"gcp\\\" and isnotempty(tostring(properties.resourceDetails.ConnectorId)), properties.resourceDetails.Id,\\r\\n        source =~ 'aws', properties.resourceDetails.AzureResourceId,\\r\\n        source =~ 'gcp', properties.resourceDetails.AzureResourceId,\\r\\n        extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,id)\\r\\n        ))))\\r\\n    | extend assessmentKey = tostring(name)\\r\\n    | where assessmentKey == \\\"d19d5a12-41e9-44e2-b7f5-ee2160f62d62\\\"\\r\\n    | extend resourceName = trim(\\\" \\\", tostring(properties.additionalData.ResourceName))\\r\\n    | extend resourceType = trim(\\\" \\\", tostring(properties.additionalData.ResourceType))\\r\\n    | where resourceType in ({ResourceType})\\r\\n    | extend PCI = toint(properties.additionalData.PermissionsCreepIndexScore)\\r\\n    | where PCI >= {PermissionsCreepIndexScore}\\r\\n    | where resourceName == '{RSName1}'\\r\\n    | extend used = tostring(properties.additionalData.used)\\r\\n    | extend unused = tostring(properties.additionalData.unused)\\r\\n    | mv-expand expandedUnused = parse_json(unused)\\r\\n    | extend UnusedRole = expandedUnused.externalId, UnusedDateTime = expandedUnused.usedDateTime\\r\\n    | project UnusedRole, UnusedDateTime\",\"size\":1,\"title\":\"PCI (PermissionsCreepIndexScore) Data Details - Unused Role\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resources/tenants\",\"crossComponentResources\":[\"value::tenant\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UnusedDateTime\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80ch\"}},{\"columnMatch\":\"used\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80ch\"}},{\"columnMatch\":\"subscriptionId\",\"formatter\":15,\"formatOptions\":{\"linkTarget\":null,\"showIcon\":true}},{\"columnMatch\":\"PCI\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":100,\"palette\":\"orangeDark\"}},{\"columnMatch\":\"unused\",\"formatter\":1},{\"columnMatch\":\"links\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"rowLimit\":1000},\"sortBy\":[]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"OVER\"},\"name\":\"CIEM-1c\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"## CIEM - Permissions of inactive identities\\r\\n\\r\\nMicrosoft Defender for Cloud discovered an identity that has not performed any action on any resource within your Azure subscription in the past 45 days. It is recommended to revoke permissions of inactive identities, in order to reduce the attack surface of your cloud environment.\\r\\n\\r\\n----\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"INACTIVE\"},\"name\":\"テキスト - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n    | where type == \\\"microsoft.security/assessments\\\"\\r\\n    | extend source = trim(' ', tolower(tostring(properties.resourceDetails.Source)))\\r\\n    | where source in ({source})\\r\\n    | where subscriptionId in ({subscription})\\r\\n    | extend resourceId = trim(' ', tolower(tostring(case(\\r\\n        source =~ \\\"azure\\\", properties.resourceDetails.Id,\\r\\n        source =~ \\\"aws\\\" and isnotempty(tostring(properties.resourceDetails.ConnectorId)), properties.resourceDetails.Id,\\r\\n        source =~ \\\"gcp\\\" and isnotempty(tostring(properties.resourceDetails.ConnectorId)), properties.resourceDetails.Id,\\r\\n        source =~ 'aws', properties.resourceDetails.AzureResourceId,\\r\\n        source =~ 'gcp', properties.resourceDetails.AzureResourceId,\\r\\n        extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,id)\\r\\n        ))))\\r\\n    | extend assessmentKey = tostring(name)\\r\\n    | where assessmentKey == \\\"8b0bd683-bcfe-4ab1-96b9-f15a60eaa89d\\\"\\r\\n    | extend status = trim(\\\" \\\", tostring(properties.status.cause)) // Check Exempted\\r\\n    | where status != \\\"Exempt\\\" // Check Exempted\\r\\n    | extend resourceName = trim(\\\" \\\", tostring(properties.additionalData.ResourceName))\\r\\n    | extend resourceType = trim(\\\" \\\", tostring(properties.additionalData.ResourceType))\\r\\n    | where resourceType in ({ResourceType})\\r\\n    | extend PCI = toint(properties.additionalData.PermissionsCreepIndexScore)\\r\\n    | extend FirstEvaluationDate = tostring(properties.status.firstEvaluationDate)\\r\\n    | extend StatusChangeDate = tostring(properties.status.statusChangeDate)\\r\\n    | extend principalId = tostring(split(['id'], \\\"/\\\")[8])\\r\\n    | project resourceId, resourceName, resourceType, source, subscriptionId, PCI, FirstEvaluationDate, StatusChangeDate, principalId\\r\\n    | where PCI >= {PermissionsCreepIndexScore}\\r\\n    | order by PCI desc\",\"size\":0,\"title\":\"PCI (PermissionsCreepIndexScore) Data\",\"showRefreshButton\":true,\"exportFieldName\":\"principalId\",\"exportParameterName\":\"PS2\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resources/tenants\",\"crossComponentResources\":[\"value::tenant\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"resourceId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":null,\"showIcon\":true}},{\"columnMatch\":\"subscriptionId\",\"formatter\":15,\"formatOptions\":{\"linkTarget\":null,\"showIcon\":true}},{\"columnMatch\":\"PCI\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"}},{\"columnMatch\":\"FirstEvaluationDate\",\"formatter\":6},{\"columnMatch\":\"StatusChangeDate\",\"formatter\":6},{\"columnMatch\":\"principalId\",\"formatter\":5},{\"columnMatch\":\"PermissionsCreepIndexScore\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":100,\"palette\":\"orange\"}},{\"columnMatch\":\"id\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":null,\"showIcon\":true}}],\"filter\":true},\"sortBy\":[]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"INACTIVE\"},\"name\":\"CIEM-2a\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuthorizationResources\\r\\n| where type == 'microsoft.authorization/roleassignments'\\r\\n| extend principalType = tostring(properties['principalType'])\\r\\n| extend principalId = tostring(properties['principalId'])\\r\\n| where principalId == \\\"{PS2}\\\"\\r\\n| extend roleDefinitionId = tolower(tostring(properties['roleDefinitionId']))\\r\\n| extend scope = tostring(properties['scope'])\\r\\n| project roleDefinitionId, principalId, principalType, subscriptionId, scope\\r\\n| join kind=inner (\\r\\n    AuthorizationResources\\r\\n    | where type == 'microsoft.authorization/roledefinitions'\\r\\n    | extend roleName = tostring(properties['roleName'])\\r\\n    | extend roleDescritpion = tostring(properties['description'])\\r\\n    | extend id = tolower(id)\\r\\n    | project id, roleName, roleDescritpion\\r\\n) on $left.roleDefinitionId == $right.id\\r\\n| project-away roleDefinitionId, id\",\"size\":4,\"title\":\"Assigned Azure RBAC Role\",\"noDataMessage\":\"Please select above resource.\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resources/tenants\",\"crossComponentResources\":[\"value::tenant\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"principalType\",\"formatter\":1},{\"columnMatch\":\"subscriptionId\",\"formatter\":15,\"formatOptions\":{\"linkTarget\":null,\"showIcon\":true}},{\"columnMatch\":\"scope\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":null,\"showIcon\":true}},{\"columnMatch\":\"PCI\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":100,\"palette\":\"orangeDark\"}},{\"columnMatch\":\"used\",\"formatter\":1},{\"columnMatch\":\"unused\",\"formatter\":1},{\"columnMatch\":\"links\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"rowLimit\":100}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"INACTIVE\"},\"name\":\"CIEM-target-role-inactive\",\"styleSettings\":{\"showBorder\":true}}],\"isLocked\":false,\"fallbackResourceIds\":[\"Azure Security Center\"]}",
        "version": "1.0",
        "sourceId": "[parameters('workbookSourceId')]",
        "category": "[parameters('workbookType')]"
      }
    }
  ],
  "outputs": {
    "workbookId": {
      "type": "string",
      "value": "[resourceId( 'microsoft.insights/workbooks', parameters('workbookId'))]"
    }
  },
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
}