{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "fc390156-f146-413e-9a23-d9933bcd1fef",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"value": null,
"typeSettings": {
"additionalResourceOptions": [],
"includeAll": false
}
},
{
"id": "adaa5eac-3c59-48c1-a60d-81a7b648cf15",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| project id, label = name",
"crossComponentResources": [
"{Subscription}"
],
"value": "/subscriptions/7b76bfbc-cb1e-4df1-b6e8-b826eef6c592/resourceGroups/soc/providers/Microsoft.OperationalInsights/workspaces/cybersecuritysoc",
"typeSettings": {
"additionalResourceOptions": []
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "1fb4279d-faf4-4d0c-8f6e-427acb9f9aad",
"version": "KqlParameterItem/1.0",
"name": "resourceGroup",
"type": 1,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| where id == "{Workspace}"\r\n| project resourceGroup",
"crossComponentResources": [
"{Subscription}"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "aa4ccb3e-5406-4f84-81f9-7f70f32d006a",
"version": "KqlParameterItem/1.0",
"name": "top",
"label": "Limit Results for Incidents",
"type": 2,
"description": "Only shows this many Incidents from the returned results",
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": " [{ "value": "249", "label": "Show < 249", "selected":true },\r\n { "value": "10", "label": "10"},\r\n { "value": "20", "label": "20"},\r\n { "value": "50", "label": "50"},\r\n { "value": "100", "label": "100"}]"
},
{
"id": "543e7d3f-7d73-4219-a8ea-10e22a51a3e4",
"version": "KqlParameterItem/1.0",
"name": "apiTimeRange",
"label": "Incident Time select",
"type": 2,
"description": "Select an Incident time to filter from",
"query": "{"version":"ARMEndpoint/1.0","data":null,"headers":[],"method":"GET","path":"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/incidents","urlParams":[{"key":"api-version","value":"2019-01-01-preview"},{"key":"$orderby","value":"properties/createdTimeUtc desc"}],"batchDisabled":false,"transformers":[{"type":"jsonpath","settings":{"tablePath":"$.value..properties.createdTimeUtc","columns":[]}}]}",
"value": null,
"typeSettings": {
"additionalResourceOptions": []
},
"queryType": 12
},
{
"id": "d9bafddd-8823-4cb4-83eb-976ef08fce0a",
"version": "KqlParameterItem/1.0",
"name": "Help",
"label": "Show Help?",
"type": 10,
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[\r\n { "value": "Yes", "label": "Yes"},\r\n {"value": "No", "label": "No", "selected":true },\r\n { "value": "Change Log", "label": "Change Log"}\r\n]"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Rules",
"subTarget": "Rules",
"style": "link"
},
{
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Incidents",
"subTarget": "Incidents",
"style": "link"
},
{
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Others",
"subTarget": "Others",
"style": "link"
}
]
},
"name": "links - 11"
},
{
"type": 1,
"content": {
"json": "\r\n### Please select a Time Range: use the [Incident Time select] parameter above \r\n",
"style": "warning"
},
"conditionalVisibilities": [
{
"parameterName": "apiTimeRange",
"comparison": "isEqualTo"
},
{
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Incidents"
}
],
"name": "text - 6"
},
{
"type": 1,
"content": {
"json": "Clive Watson - Microsoft\r\n### Sentinel API query examples. This is to show the options rather than a full solution. Please adapt as necessary.\r\n\tv1.0 Initial version: This workbook is to show examples of the Sentinel API usage in a workbook. \r\n\tv1.3 Add Connector vs Table . \r\n\tv1.4 Add download controls\r\n\tv1.4.2 Switched Cases to Incidents api, add a filter for comments, icons and colour coding \r\n\tv1.4.3 Added Tabs & Groups. Fixed connector name \r\n\tv1.4.4 Added Orderby, Top and api Time filter \r\n\tv1.4.5 help added and api-version updates\r\n\tv1.4.6 JSON path workaround\r\n\r\n",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Change Log"
},
"name": "text - 5"
},
{
"type": 1,
"content": {
"json": " Useful links\r\n\r\nsource: https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples (note these are example OUTPUTs).\r\nhttps://docs.microsoft.com/en-us/rest/api/azure/\r\nhttps://docs.microsoft.com/en-us/rest/api/monitor/microsoft.workloadmonitor/components/listbyresource#uri-parameters and https://www.odata.org/documentation/odata-version-2-0/uri-conventions/\r\nThis and other workbooks: https://github.com/CliveW-MSFT/KQLpublic/tree/master/KQL/Workbooks\r\nFree/Paid connector info with description: https://techcommunity.microsoft.com/t5/azure-sentinel/categorizing-microsoft-alerts-across-data-sources-in-azure/ba-p/1503367\r\n",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 5 - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Rules",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{"version":"ARMEndpoint/1.0","data":null,"headers":[],"method":"GET","path":"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/alertRules","urlParams":[{"key":"api-version","value":"2020-01-01"},{"key":"orderby","value":"properties/lastModifiedUtc desc"}],"batchDisabled":false,"transformers":[{"type":"jsonpath","settings":{"tablePath":"$.value","columns":[{"path":"properties.displayName","columnid":"displayName"},{"path":"properties.lastModifiedUtc","columnid":"lastUpdateUtc"},{"path":"properties.enabled","columnid":"Enabled"},{"path":"properties.severity","columnid":"Severity"},{"path":"properties.tactics","columnid":"Tactics"},{"path":"properties.incidentConfiguration","columnid":"IncidentConfig"},{"path":"kind","columnid":"AlertType"}]}}]}",
"size": 0,
"title": "Active Rules, from the Sentinel API",
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"formatters": [
{
"columnMatch": "lastUpdateUtc",
"formatter": 1
}
],
"filter": true,
"sortBy": [
{
"itemKey": "lastUpdateUtc",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "lastUpdateUtc",
"sortOrder": 2
}
]
},
"name": "query - Rules"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{"version":"ARMEndpoint/1.0","data":null,"headers":[],"method":"GET","path":"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/AlertRuleTemplates","urlParams":[{"key":"api-version","value":"2020-01-01"},{"key":"$orderby","value":"properties/lastModifiedUtc desc"}],"batchDisabled":false,"transformers":[{"type":"jsonpath","settings":{"tablePath":"$.value","columns":[{"path":"properties.displayName","columnid":"DisplayName"},{"path":"kind","columnid":"AlertType"},{"path":"properties.status","columnid":"Status"},{"path":"properties.createdDateUTC","columnid":"createdDateUTC"},{"path":"properties.requiredDataConnectors","columnid":"requiredDataConnectors"},{"path":"properties.productFilter","columnid":"ProductFilter"},{"path":"properties.requiredDataConnectors[:1].connectorId","columnid":"ConnectorName"},{"path":"properties.requiredDataConnectors[*].dataTypes[0]","columnid":"ConnectorTable"}]}}]}",
"size": 1,
"title": "Rule Templates, from the Sentinel API ",
"exportFieldName": "",
"exportParameterName": "ConnectorTable",
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"formatters": [
{
"columnMatch": "createdDateUTC",
"formatter": 1
}
],
"filter": true
},
"sortBy": []
},
"name": "query -RuleTemplate"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "a639c897-744f-4eee-86f4-64da0f211515",
"version": "KqlParameterItem/1.0",
"name": "rulesByDate2",
"type": 1,
"query": "{"version":"ARMEndpoint/1.0","data":null,"headers":[],"method":"GET","path":"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/AlertRuleTemplates","urlParams":[{"key":"api-version","value":"2020-01-01"}],"batchDisabled":false,"transformers":[{"type":"jsonpath","settings":{"tablePath":"$.value","columns":[{"path":"properties.createdDateUTC","columnid":"createdDateUTC"}]}}]}",
"timeContext": {
"durationMs": 86400000
},
"queryType": 12,
"value": null
}
],
"style": "above",
"queryType": 12
},
"conditionalVisibility": {
"parameterName": "hide",
"comparison": "isEqualTo",
"value": "hide"
},
"name": "parameters - list ruleCreated date"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "// use a table that exists - Usage was picked but isnt used.\r\nUsage\r\n| project a = split('{rulesByDate2}',",")\r\n| limit 1\r\n| mvexpand todynamic(a)\r\n| project b= split(trim(@"[^\\w]+",tostring(a)),"T").[0]\r\n| summarize count() by todatetime(b)\r\n| order by b asc\r\n| top 10 by b ",
"size": 1,
"title": "Rule templates created by Date",
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "categoricalbar",
"gridSettings": {
"sortBy": [
{
"itemKey": "b",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "b",
"sortOrder": 2
}
]
},
"showPin": false,
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{"version":"Merge/1.0","merges":[{"id":"3fc7311f-6c43-4361-83ad-0c24f65590ac","mergeType":"union","leftTable":"query - Rules","rightTable":"query -RuleTemplate","leftColumn":"displayName","rightColumn":"displayName"}],"projectRename":[{"originalName":"displayName","mergedName":"displayName","fromId":"unknown"},{"originalName":"lastUpdateUtc","mergedName":"lastUpdateUtc","fromId":"unknown"},{"originalName":"[query -RuleTemplate].createdDateUTC","mergedName":"createdDateUTC","fromId":"3fc7311f-6c43-4361-83ad-0c24f65590ac"},{"originalName":"Enabled","mergedName":"Enabled","fromId":"unknown"},{"originalName":"Severity","mergedName":"Severity","fromId":"unknown"},{"originalName":"Tactics","mergedName":"Tactics","fromId":"unknown"},{"originalName":"IncidentConfig","mergedName":"IncidentConfig","fromId":"unknown"},{"originalName":"AlertType","mergedName":"AlertType","fromId":"unknown"},{"originalName":"value","mergedName":"value","fromId":"unknown"},{"originalName":"defaultVisualization","mergedName":"defaultVisualization","fromId":"unknown"},{"originalName":"[query -RuleTemplate].displayName","mergedName":"displayName","fromId":"unknown"},{"originalName":"[query -RuleTemplate].AlertType","mergedName":"AlertType","fromId":"unknown"},{"originalName":"[query - Rules].displayName","mergedName":"displayName1","fromId":"3fc7311f-6c43-4361-83ad-0c24f65590ac"},{"originalName":"[query - Rules].lastUpdateUtc","mergedName":"lastUpdateUtc1","fromId":"3fc7311f-6c43-4361-83ad-0c24f65590ac"},{"originalName":"[query - Rules].Enabled","mergedName":"Enabled1","fromId":"3fc7311f-6c43-4361-83ad-0c24f65590ac"},{"originalName":"[query - Rules].Severity","mergedName":"Severity1","fromId":"3fc7311f-6c43-4361-83ad-0c24f65590ac"},{"originalName":"[query - Rules].Tactics","mergedName":"Tactics1","fromId":"3fc7311f-6c43-4361-83ad-0c24f65590ac"},{"originalName":"[query - 
Rules].IncidentConfig","mergedName":"IncidentConfig1","fromId":"3fc7311f-6c43-4361-83ad-0c24f65590ac"},{"originalName":"[query - Rules].AlertType","mergedName":"AlertType1","fromId":"3fc7311f-6c43-4361-83ad-0c24f65590ac"},{"originalName":"[query -RuleTemplate].status","mergedName":"status","fromId":"3fc7311f-6c43-4361-83ad-0c24f65590ac"},{"originalName":"[query -RuleTemplate].requiredDataConnectors","mergedName":"requiredDataConnectors","fromId":"3fc7311f-6c43-4361-83ad-0c24f65590ac"},{"originalName":"[query -RuleTemplate].ProductFilter","mergedName":"ProductFilter","fromId":"3fc7311f-6c43-4361-83ad-0c24f65590ac"},{"originalName":"[query -RuleTemplate].ConnectorName","mergedName":"ConnectorName","fromId":"3fc7311f-6c43-4361-83ad-0c24f65590ac"},{"originalName":"[query -RuleTemplate].ConnectorTable","mergedName":"ConnectorTable","fromId":"3fc7311f-6c43-4361-83ad-0c24f65590ac"},{"originalName":"[query -RuleTemplate].value","mergedName":"value","fromId":"unknown"},{"originalName":"[query -RuleTemplate].defaultVisualization","mergedName":"defaultVisualization","fromId":"unknown"},{"originalName":"[query -RuleTemplate].value","mergedName":"value","fromId":"unknown"},{"originalName":"[query -RuleTemplate].defaultVisualization","mergedName":"defaultVisualization","fromId":"unknown"},{"originalName":"[query -RuleTemplate].ClientRequestId","mergedName":"ClientRequestId","fromId":"unknown"},{"originalName":"[query -RuleTemplate].id","mergedName":"id","fromId":"unknown"},{"originalName":"[query -RuleTemplate].name","mergedName":"name","fromId":"unknown"},{"originalName":"[query -RuleTemplate].type","mergedName":"type","fromId":"unknown"},{"originalName":"[query -RuleTemplate].kind","mergedName":"kind","fromId":"unknown"},{"originalName":"[query -RuleTemplate].properties","mergedName":"properties","fromId":"unknown"},{"originalName":"[query -RuleTemplate].DisplayName","mergedName":"DisplayName","fromId":"unknown"},{"originalName":"[query 
-RuleTemplate].Status","mergedName":"Status","fromId":"unknown"}]}",
"size": 0,
"title": "Merged View: [Active Rules] and [Rule Templates]",
"showExportToExcel": true,
"queryType": 7,
"gridSettings": {
"formatters": [
{
"columnMatch": "lastUpdateUtc",
"formatter": 1
},
{
"columnMatch": "createdDateUTC",
"formatter": 1
},
{
"columnMatch": "Enabled",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "true",
"representation": "green",
"text": "Yes"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "redBright",
"text": "No"
}
]
}
}
],
"filter": true
},
"sortBy": []
},
"name": "query - 7"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Rules"
},
"name": "group - rules"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "group Incidents",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{"version":"ARMEndpoint/1.0","data":null,"headers":[],"method":"GET","path":"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/incidents","urlParams":[{"key":"api-version","value":"2020-01-01"},{"key":"$orderby","value":"properties/incidentNumber desc"},{"key":"$top","value":"{top}"},{"key":"$filter","value":"properties/createdTimeUtc le {apiTimeRange}"}],"batchDisabled":false,"transformers":[{"type":"jsonpath","settings":{"tablePath":"$.value","columns":[{"path":"properties.incidentNumber","columnid":"Incident_Number"},{"path":"properties.title","columnid":"title"},{"path":"properties.severity","columnid":"severity"},{"path":"properties.additionalData.commentsCount","columnid":"comments"},{"path":"properties.status","columnid":"status"},{"path":"properties.owner.assignedTo","columnid":"Owner"},{"path":"properties.firstActivityTimeUtc","columnid":"firstActivityTimeUtc"},{"path":"properties.lastActivityTimeUtc","columnid":"lastActivityTimeUtc"},{"path":"properties.createdTimeUtc","columnid":"createdTimeUtc"},{"path":"properties.lastModifiedTimeUtc","columnid":"lastModifiedTimeUtc"},{"path":"properties.additionalData.tactics","columnid":"tactics"},{"path":"properties.relatedAnalyticRuleIds","columnid":"relatedAlertIDs"},{"path":"name","columnid":"IncidentID"}]}}]}",
"size": 0,
"title": "Incidents from the Sentinel API",
"exportFieldName": "IncidentID",
"exportParameterName": "IncidentID",
"showExportToExcel": true,
"queryType": 12,
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "severity",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Informational",
"representation": "1",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Low",
"representation": "2",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Medium",
"representation": "3",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "High",
"representation": "critical",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "comments",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": ">",
"thresholdValue": "0",
"representation": "1",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "status",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "New",
"representation": "grayBlue",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Closed",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Active",
"representation": "orange",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "gray",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "firstActivityTimeUtc",
"formatter": 1
},
{
"columnMatch": "lastActivityTimeUtc",
"formatter": 1
},
{
"columnMatch": "createdTimeUtc",
"formatter": 1
},
{
"columnMatch": "lastModifiedTimeUtc",
"formatter": 1
},
{
"columnMatch": "relatedAlertIDs",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkIsContextBlade": true
}
}
],
"filter": true,
"sortBy": [
{
"itemKey": "createdTimeUtc",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "createdTimeUtc",
"sortOrder": 2
}
]
},
"conditionalVisibility": {
"parameterName": "apiTimeRange",
"comparison": "isNotEqualTo"
},
"name": "query - Incidents"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{"version":"ARMEndpoint/1.0","data":null,"headers":[],"method":"GET","path":"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/incidents/{IncidentID}/comments","urlParams":[{"key":"api-version","value":"2020-01-01"}],"batchDisabled":false,"transformers":[{"type":"jsonpath","settings":{"tablePath":"$.value","columns":[{"path":"properties.author.name","columnid":"userAdded"},{"path":"properties.author.userPrincipalName","columnid":"userPrinicipalName"},{"path":"properties.message","columnid":"comment"},{"path":"properties.createdTimeUtc","columnid":"commentCreated"}]}}]}",
"size": 0,
"title": "Comments from the Sentinel API for the Incident selected above (if any). id: {IncidentID}",
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "apiTimeRange",
"comparison": "isNotEqualTo"
},
"name": "query - comments"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{"version":"ARMEndpoint/1.0","data":null,"headers":[],"method":"GET","path":"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/bookmarks","urlParams":[{"key":"api-version","value":"2020-01-01"},{"key":"$orderby","value":"properties/created desc"}],"batchDisabled":false,"transformers":[{"type":"jsonpath","settings":{"tablePath":"$.value","columns":[{"path":"properties.displayName","columnid":"displayName"},{"path":"properties.updatedBy.email","columnid":"updatedBy"},{"path":"properties.notes","columnid":"notes"},{"path":"properties.created","columnid":"created"}]}}]}",
"size": 0,
"title": "Bookmarks from Sentinel api",
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"filter": true,
"sortBy": [
{
"itemKey": "created",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "created",
"sortOrder": 2
}
]
},
"name": "query - 9"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Incidents"
},
"name": "group - Incidents"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Group Others",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{"version":"ARMEndpoint/1.0","data":null,"headers":[],"method":"GET","path":"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/dataConnectors/","urlParams":[{"key":"api-version","value":"2020-01-01"}],"batchDisabled":false,"transformers":[{"type":"jsonpath","settings":{"tablePath":"$.value","columns":[{"path":"kind","columnid":"connectorName "},{"path":"name","columnid":"name"},{"path":"properties.tenantId","columnid":"TenantId"},{"path":"properties.dataTypes.alerts.state","columnid":"State"}]}}]}",
"size": 0,
"title": "Sentinel API, Microsoft Data Connectors (excluding CEF & 3rd party)",
"queryType": 12,
"gridSettings": {
"sortBy": [
{
"itemKey": "TenantId",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "TenantId",
"sortOrder": 1
}
]
},
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{"version":"ARMEndpoint/1.0","data":null,"headers":[],"method":"GET","path":"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/aggregations/Cases/","urlParams":[{"key":"api-version","value":"2019-01-01-preview"}],"batchDisabled":false,"transformers":[{"type":"jsonpath","settings":{"tablePath":"$.properties","columns":[]}}]}",
"size": 1,
"title": "Aggregated Cases ",
"queryType": 12
},
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{"version":"ARMEndpoint/1.0","data":null,"headers":[],"method":"GET","path":"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.Logic/workflows/","urlParams":[{"key":"api-version","value":"2019-05-01"}],"batchDisabled":false,"transformers":[{"type":"jsonpath","settings":{"tablePath":"$.value","columns":[{"path":"name","columnid":"name"},{"path":"properties.provisioningState","columnid":"state"},{"path":"location","columnid":"location"}]}}]}",
"size": 1,
"title": "Logic Apps",
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"formatters": [
{
"columnMatch": "name",
"formatter": 16,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true,
"showIcon": true,
"templateRunContext": {
"componentIdSource": "parameter",
"templateUriSource": "static",
"templateParameters": [],
"titleSource": "static",
"descriptionSource": "static",
"runLabelSource": "static"
},
"bladeOpenContext": {
"bladeParameters": []
}
}
}
],
"filter": true
}
},
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{"version":"ARMEndpoint/1.0","data":null,"headers":[],"method":"GET","path":"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.Logic/workflows/","urlParams":[{"key":"api-version","value":"2019-05-01"}],"batchDisabled":false,"transformers":[{"type":"jsonpath","settings":{"tablePath":"$,value","columns":[{"path":"properties.accessEndpoint","columnid":"accessEndpoint"},{"path":"id","columnid":"id"},{"path":"name","columnid":"name"},{"path":"location","columnid":"location"},{"path":"properties.definition.parameters","columnid":"parameters"},{"path":"properties.definition.triggers","columnid":"TriggerName"},{"path":"properties.definition.actions","columnid":"Actions"},{"path":"properties.definition.outputs","columnid":"outputs"}]}}]}",
"size": 1,
"title": "Run a Playbook - test",
"queryType": 12
},
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{"version":"ARMEndpoint/1.0","data":null,"headers":[],"method":"GET","path":"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.SecurityInsights/entities/","urlParams":[{"key":"api-version","value":"2019-01-01-preview"}],"batchDisabled":false,"transformers":null}",
"size": 1,
"title": "Entities",
"queryType": 12
},
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{"version":"ARMEndpoint/1.0","data":null,"headers":[],"method":"GET","path":"/subscriptions/{Subscription:id}/providers/Microsoft.Security/secureScores/ascScore","urlParams":[{"key":"api-version","value":"2020-01-01-preview"}],"batchDisabled":false,"transformers":[{"type":"jsonpath","settings":{"tablePath":"","columns":[{"path":"name","columnid":"name"},{"path":"properties.score.max","columnid":"max"},{"path":"properties.score.current","columnid":"current"},{"path":"id","columnid":"id"}]}}]}",
"size": 1,
"title": "ASC SecureScore for: {Subscription:name}",
"queryType": 12
},
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{"version":"ARMEndpoint/1.0","data":null,"headers":[],"method":"GET","path":"/subscriptions/{Subscription:id}/providers/Microsoft.Security/secureScoreControls","urlParams":[{"key":"api-version","value":"2020-01-01-preview"}],"batchDisabled":false,"transformers":[{"type":"jsonpath","settings":{"tablePath":"$.value","columns":[{"path":"properties.displayName","columnid":"displayName"},{"path":"properties.score.max","columnid":"maxScore"},{"path":"properties.score.current","columnid":"currentScore"},{"path":"properties.healthyResourceCount","columnid":"healthyResourceCount"},{"path":"properties.unhealthyResourceCount","columnid":"unhealthyResourceCount"},{"path":"properties.notApplicableResourceCount","columnid":"notApplicableResourceCount"},{"path":"id","columnid":"id"}]}}]}",
"size": 1,
"title": "secureScoreControls for: {Subscription:name}",
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"filter": true,
"sortBy": [
{
"itemKey": "displayName",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "displayName",
"sortOrder": 1
}
]
},
"name": "query - 6"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Others"
},
"name": "group - others"
}
],
"fallbackResourceIds": [
"Azure Monitor"
],
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}