{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "fc390156-f146-413e-9a23-d9933bcd1fef",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"value": null,
"typeSettings": {
"additionalResourceOptions": [],
"includeAll": false
}
},
{
"id": "adaa5eac-3c59-48c1-a60d-81a7b648cf15",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| project id, label = name",
"crossComponentResources": [
"{Subscription}"
],
"value": "/subscriptions/7b76bfbc-cb1e-4df1-b6e8-b826eef6c592/resourceGroups/soc/providers/Microsoft.OperationalInsights/workspaces/cybersecuritysoc",
"typeSettings": {
"additionalResourceOptions": []
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "1fb4279d-faf4-4d0c-8f6e-427acb9f9aad",
"version": "KqlParameterItem/1.0",
"name": "resourceGroup",
"type": 1,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| where id == \"{Workspace}\"\r\n| project resourceGroup",
"crossComponentResources": [
"{Subscription}"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "aa4ccb3e-5406-4f84-81f9-7f70f32d006a",
"version": "KqlParameterItem/1.0",
"name": "top",
"label": "Limit Results for Incidents",
"type": 2,
"description": "Only shows this many Incidents from the returned results",
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": " [{ \"value\": \"249\", \"label\": \"Show < 249\", \"selected\":true },\r\n { \"value\": \"10\", \"label\": \"10\"},\r\n { \"value\": \"20\", \"label\": \"20\"},\r\n { \"value\": \"50\", \"label\": \"50\"},\r\n { \"value\": \"100\", \"label\": \"100\"}]"
},
{
"id": "543e7d3f-7d73-4219-a8ea-10e22a51a3e4",
"version": "KqlParameterItem/1.0",
"name": "apiTimeRange",
"label": "Incident Time select",
"type": 2,
"description": "Select a Incident time to filter from",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/incidents\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2019-01-01-preview\"},{\"key\":\"$orderby\",\"value\":\"properties/createdTimeUtc desc\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value..properties.createdTimeUtc\",\"columns\":[]}}]}",
"value": null,
"typeSettings": {
"additionalResourceOptions": []
},
"queryType": 12
},
{
"id": "d9bafddd-8823-4cb4-83eb-976ef08fce0a",
"version": "KqlParameterItem/1.0",
"name": "Help",
"label": "Show Help?",
"type": 10,
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true },\r\n { \"value\": \"Change Log\", \"label\": \"Change Log\"}\r\n]"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Rules",
"subTarget": "Rules",
"style": "link"
},
{
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Incidents",
"subTarget": "Incidents",
"style": "link"
},
{
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Others",
"subTarget": "Others",
"style": "link"
}
]
},
"name": "links - 11"
},
{
"type": 1,
"content": {
"json": "
\r\n### Please select a Time Range: use [Incident Time select] parameter above \r\n
",
"style": "warning"
},
"conditionalVisibilities": [
{
"parameterName": "apiTimeRange",
"comparison": "isEqualTo"
},
{
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Incidents"
}
],
"name": "text - 6"
},
{
"type": 1,
"content": {
"json": "Clive Watson - Microsoft\r\n### Sentinel API query examples. This is to show the options rather than a full solution. Please adapt as necessary.\r\n\tv1.0 Initial version: This workbook is to show examples of the Sentinel API usage in a workbook. \r\n\tv1.3 Add Connector vs Table . \r\n\tv1.4 Add download controls\r\n\tv1.4.2 Switched Cases to Incidents api, add a filter for comments, icons and colour coding \r\n\tv1.4.3 Added Tabs & Groups. Fixed connector name \r\n\tv1.4.4 Added Orderby, Top and api Time filter \r\n\tv1.4.5 help added and api-version updates\r\n\tv1.4.6 JSON path workaround\r\n\r\n",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Change Log"
},
"name": "text - 5"
},
{
"type": 1,
"content": {
"json": " Useful links\r\n\r\nsource: https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples (note these are example OUTPUTs).\r\nhttps://docs.microsoft.com/en-us/rest/api/azure/\r\nhttps://docs.microsoft.com/en-us/rest/api/monitor/microsoft.workloadmonitor/components/listbyresource#uri-parameters and https://www.odata.org/documentation/odata-version-2-0/uri-conventions/\r\nThis and other workbooks: https://github.com/CliveW-MSFT/KQLpublic/tree/master/KQL/Workbooks\r\nFree/Paid connector info with description: https://techcommunity.microsoft.com/t5/azure-sentinel/categorizing-microsoft-alerts-across-data-sources-in-azure/ba-p/1503367\r\n",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 5 - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Rules",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/alertRules\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"},{\"key\":\"orderby\",\"value\":\"properties/lastModifiedUtc desc\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"properties.displayName\",\"columnid\":\"displayName\"},{\"path\":\"properties.lastModifiedUtc\",\"columnid\":\"lastUpdateUtc\"},{\"path\":\"properties.enabled\",\"columnid\":\"Enabled\"},{\"path\":\"properties.severity\",\"columnid\":\"Severity\"},{\"path\":\"properties.tactics\",\"columnid\":\"Tactics\"},{\"path\":\"properties.incidentConfiguration\",\"columnid\":\"IncidentConfig\"},{\"path\":\"kind\",\"columnid\":\"AlertType\"}]}}]}",
"size": 0,
"title": "Active Rules, from the Sentinel API",
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"formatters": [
{
"columnMatch": "lastUpdateUtc",
"formatter": 1
}
],
"filter": true,
"sortBy": [
{
"itemKey": "lastUpdateUtc",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "lastUpdateUtc",
"sortOrder": 2
}
]
},
"name": "query - Rules"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/AlertRuleTemplates\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"},{\"key\":\"$orderby\",\"value\":\"properties/lastModifiedUtc desc\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"properties.displayName\",\"columnid\":\"DisplayName\"},{\"path\":\"kind\",\"columnid\":\"AlertType\"},{\"path\":\"properties.status\",\"columnid\":\"Status\"},{\"path\":\"properties.createdDateUTC\",\"columnid\":\"createdDateUTC\"},{\"path\":\"properties.requiredDataConnectors\",\"columnid\":\"requiredDataConnectors\"},{\"path\":\"properties.productFilter\",\"columnid\":\"ProductFilter\"},{\"path\":\"properties.requiredDataConnectors[:1].connectorId\",\"columnid\":\"ConnectorName\"},{\"path\":\"properties.requiredDataConnectors[*].dataTypes[0]\",\"columnid\":\"ConnectorTable\"}]}}]}",
"size": 1,
"title": "Rule Templates, from the Sentinel API ",
"exportFieldName": "",
"exportParameterName": "ConnectorTable",
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"formatters": [
{
"columnMatch": "createdDateUTC",
"formatter": 1
}
],
"filter": true
},
"sortBy": []
},
"name": "query -RuleTemplate"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "a639c897-744f-4eee-86f4-64da0f211515",
"version": "KqlParameterItem/1.0",
"name": "rulesByDate2",
"type": 1,
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/AlertRuleTemplates\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"properties.createdDateUTC\",\"columnid\":\"createdDateUTC\"}]}}]}",
"timeContext": {
"durationMs": 86400000
},
"queryType": 12,
"value": null
}
],
"style": "above",
"queryType": 12
},
"conditionalVisibility": {
"parameterName": "hide",
"comparison": "isEqualTo",
"value": "hide"
},
"name": "parameters - list ruleCreated date"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "// use a table that exists - Usage was picked but isnt used.\r\nUsage\r\n| project a = split('{rulesByDate2}',\",\")\r\n| limit 1\r\n| mvexpand todynamic(a)\r\n| project b= split(trim(@\"[^\\w]+\",tostring(a)),\"T\").[0]\r\n| summarize count() by todatetime(b)\r\n| order by b asc\r\n| top 10 by b ",
"size": 1,
"title": "Rule templates created by Date",
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "categoricalbar",
"gridSettings": {
"sortBy": [
{
"itemKey": "b",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "b",
"sortOrder": 2
}
]
},
"showPin": false,
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"3fc7311f-6c43-4361-83ad-0c24f65590ac\",\"mergeType\":\"union\",\"leftTable\":\"query - Rules\",\"rightTable\":\"query -RuleTemplate\",\"leftColumn\":\"displayName\",\"rightColumn\":\"displayName\"}],\"projectRename\":[{\"originalName\":\"displayName\",\"mergedName\":\"displayName\",\"fromId\":\"unknown\"},{\"originalName\":\"lastUpdateUtc\",\"mergedName\":\"lastUpdateUtc\",\"fromId\":\"unknown\"},{\"originalName\":\"[query -RuleTemplate].createdDateUTC\",\"mergedName\":\"createdDateUTC\",\"fromId\":\"3fc7311f-6c43-4361-83ad-0c24f65590ac\"},{\"originalName\":\"Enabled\",\"mergedName\":\"Enabled\",\"fromId\":\"unknown\"},{\"originalName\":\"Severity\",\"mergedName\":\"Severity\",\"fromId\":\"unknown\"},{\"originalName\":\"Tactics\",\"mergedName\":\"Tactics\",\"fromId\":\"unknown\"},{\"originalName\":\"IncidentConfig\",\"mergedName\":\"IncidentConfig\",\"fromId\":\"unknown\"},{\"originalName\":\"AlertType\",\"mergedName\":\"AlertType\",\"fromId\":\"unknown\"},{\"originalName\":\"value\",\"mergedName\":\"value\",\"fromId\":\"unknown\"},{\"originalName\":\"defaultVisualization\",\"mergedName\":\"defaultVisualization\",\"fromId\":\"unknown\"},{\"originalName\":\"[query -RuleTemplate].displayName\",\"mergedName\":\"displayName\",\"fromId\":\"unknown\"},{\"originalName\":\"[query -RuleTemplate].AlertType\",\"mergedName\":\"AlertType\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - Rules].displayName\",\"mergedName\":\"displayName1\",\"fromId\":\"3fc7311f-6c43-4361-83ad-0c24f65590ac\"},{\"originalName\":\"[query - Rules].lastUpdateUtc\",\"mergedName\":\"lastUpdateUtc1\",\"fromId\":\"3fc7311f-6c43-4361-83ad-0c24f65590ac\"},{\"originalName\":\"[query - Rules].Enabled\",\"mergedName\":\"Enabled1\",\"fromId\":\"3fc7311f-6c43-4361-83ad-0c24f65590ac\"},{\"originalName\":\"[query - Rules].Severity\",\"mergedName\":\"Severity1\",\"fromId\":\"3fc7311f-6c43-4361-83ad-0c24f65590ac\"},{\"originalName\":\"[query - Rules].Tactics\",\"mergedName\":\"Tactics1\",\"fromId\":\"3fc7311f-6c43-4361-83ad-0c24f65590ac\"},{\"originalName\":\"[query - Rules].IncidentConfig\",\"mergedName\":\"IncidentConfig1\",\"fromId\":\"3fc7311f-6c43-4361-83ad-0c24f65590ac\"},{\"originalName\":\"[query - Rules].AlertType\",\"mergedName\":\"AlertType1\",\"fromId\":\"3fc7311f-6c43-4361-83ad-0c24f65590ac\"},{\"originalName\":\"[query -RuleTemplate].status\",\"mergedName\":\"status\",\"fromId\":\"3fc7311f-6c43-4361-83ad-0c24f65590ac\"},{\"originalName\":\"[query -RuleTemplate].requiredDataConnectors\",\"mergedName\":\"requiredDataConnectors\",\"fromId\":\"3fc7311f-6c43-4361-83ad-0c24f65590ac\"},{\"originalName\":\"[query -RuleTemplate].ProductFilter\",\"mergedName\":\"ProductFilter\",\"fromId\":\"3fc7311f-6c43-4361-83ad-0c24f65590ac\"},{\"originalName\":\"[query -RuleTemplate].ConnectorName\",\"mergedName\":\"ConnectorName\",\"fromId\":\"3fc7311f-6c43-4361-83ad-0c24f65590ac\"},{\"originalName\":\"[query -RuleTemplate].ConnectorTable\",\"mergedName\":\"ConnectorTable\",\"fromId\":\"3fc7311f-6c43-4361-83ad-0c24f65590ac\"},{\"originalName\":\"[query -RuleTemplate].value\",\"mergedName\":\"value\",\"fromId\":\"unknown\"},{\"originalName\":\"[query -RuleTemplate].defaultVisualization\",\"mergedName\":\"defaultVisualization\",\"fromId\":\"unknown\"},{\"originalName\":\"[query -RuleTemplate].value\",\"mergedName\":\"value\",\"fromId\":\"unknown\"},{\"originalName\":\"[query -RuleTemplate].defaultVisualization\",\"mergedName\":\"defaultVisualization\",\"fromId\":\"unknown\"},{\"originalName\":\"[query -RuleTemplate].ClientRequestId\",\"mergedName\":\"ClientRequestId\",\"fromId\":\"unknown\"},{\"originalName\":\"[query -RuleTemplate].id\",\"mergedName\":\"id\",\"fromId\":\"unknown\"},{\"originalName\":\"[query -RuleTemplate].name\",\"mergedName\":\"name\",\"fromId\":\"unknown\"},{\"originalName\":\"[query -RuleTemplate].type\",\"mergedName\":\"type\",\"fromId\":\"unknown\"},{\"originalName\":\"[query -RuleTemplate].kind\",\"mergedName\":\"kind\",\"fromId\":\"unknown\"},{\"originalName\":\"[query -RuleTemplate].properties\",\"mergedName\":\"properties\",\"fromId\":\"unknown\"},{\"originalName\":\"[query -RuleTemplate].DisplayName\",\"mergedName\":\"DisplayName\",\"fromId\":\"unknown\"},{\"originalName\":\"[query -RuleTemplate].Status\",\"mergedName\":\"Status\",\"fromId\":\"unknown\"}]}",
"size": 0,
"title": "Merged View: [Active Rules] and [Rule Templates]",
"showExportToExcel": true,
"queryType": 7,
"gridSettings": {
"formatters": [
{
"columnMatch": "lastUpdateUtc",
"formatter": 1
},
{
"columnMatch": "createdDateUTC",
"formatter": 1
},
{
"columnMatch": "Enabled",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "true",
"representation": "green",
"text": "Yes"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "redBright",
"text": "No"
}
]
}
}
],
"filter": true
},
"sortBy": []
},
"name": "query - 7"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Rules"
},
"name": "group - rules"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "group Incidents",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/incidents\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"},{\"key\":\"$orderby\",\"value\":\"properties/incidentNumber desc\"},{\"key\":\"$top\",\"value\":\"{top}\"},{\"key\":\"$filter\",\"value\":\"properties/createdTimeUtc le {apiTimeRange}\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"properties.incidentNumber\",\"columnid\":\"Incident_Number\"},{\"path\":\"properties.title\",\"columnid\":\"title\"},{\"path\":\"properties.severity\",\"columnid\":\"severity\"},{\"path\":\"properties.additionalData.commentsCount\",\"columnid\":\"comments\"},{\"path\":\"properties.status\",\"columnid\":\"status\"},{\"path\":\"properties.owner.assignedTo\",\"columnid\":\"Owner\"},{\"path\":\"properties.firstActivityTimeUtc\",\"columnid\":\"firstActivityTimeUtc\"},{\"path\":\"properties.lastActivityTimeUtc\",\"columnid\":\"lastActivityTimeUtc\"},{\"path\":\"properties.createdTimeUtc\",\"columnid\":\"createdTimeUtc\"},{\"path\":\"properties.lastModifiedTimeUtc\",\"columnid\":\"lastModifiedTimeUtc\"},{\"path\":\"properties.additionalData.tactics\",\"columnid\":\"tactics\"},{\"path\":\"properties.relatedAnalyticRuleIds\",\"columnid\":\"relatedAlertIDs\"},{\"path\":\"name\",\"columnid\":\"IncidentID\"}]}}]}",
"size": 0,
"title": "Incidents from the Sentinel API",
"exportFieldName": "IncidentID",
"exportParameterName": "IncidentID",
"showExportToExcel": true,
"queryType": 12,
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "severity",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Informational",
"representation": "1",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Low",
"representation": "2",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Medium",
"representation": "3",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "High",
"representation": "critical",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "comments",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": ">",
"thresholdValue": "0",
"representation": "1",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "Blank",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "status",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "colors",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "New",
"representation": "grayBlue",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Closed",
"representation": "green",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Active",
"representation": "orange",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "gray",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "firstActivityTimeUtc",
"formatter": 1
},
{
"columnMatch": "lastActivityTimeUtc",
"formatter": 1
},
{
"columnMatch": "createdTimeUtc",
"formatter": 1
},
{
"columnMatch": "lastModifiedTimeUtc",
"formatter": 1
},
{
"columnMatch": "relatedAlertIDs",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkIsContextBlade": true
}
}
],
"filter": true,
"sortBy": [
{
"itemKey": "createdTimeUtc",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "createdTimeUtc",
"sortOrder": 2
}
]
},
"conditionalVisibility": {
"parameterName": "apiTimeRange",
"comparison": "isNotEqualTo"
},
"name": "query - Incidents"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/incidents/{IncidentID}/comments\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"properties.author.name\",\"columnid\":\"userAdded\"},{\"path\":\"properties.author.userPrincipalName\",\"columnid\":\"userPrinicipalName\"},{\"path\":\"properties.message\",\"columnid\":\"comment\"},{\"path\":\"properties.createdTimeUtc\",\"columnid\":\"commentCreated\"}]}}]}",
"size": 0,
"title": "comments from Sentinel api, if the above selected Incident has any? id: {IncidentID}",
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "apiTimeRange",
"comparison": "isNotEqualTo"
},
"name": "query - comments"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/bookmarks\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"},{\"key\":\"$orderby\",\"value\":\"properties/created desc\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"properties.displayName\",\"columnid\":\"displayName\"},{\"path\":\"properties.updatedBy.email\",\"columnid\":\"updatedBy\"},{\"path\":\"properties.notes\",\"columnid\":\"notes\"},{\"path\":\"properties.created\",\"columnid\":\"created\"}]}}]}",
"size": 0,
"title": "Bookmarks from Sentinel api",
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"filter": true,
"sortBy": [
{
"itemKey": "created",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "created",
"sortOrder": 2
}
]
},
"name": "query - 9"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Incidents"
},
"name": "group - Incidents"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Group Others",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/dataConnectors/\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"kind\",\"columnid\":\"connectorName \"},{\"path\":\"name\",\"columnid\":\"name\"},{\"path\":\"properties.tenantId\",\"columnid\":\"TenantId\"},{\"path\":\"properties.dataTypes.alerts.state\",\"columnid\":\"State\"}]}}]}",
"size": 0,
"title": "Sentinel API, Microsoft Data Connectors (excluding CEF & 3rd party)",
"queryType": 12,
"gridSettings": {
"sortBy": [
{
"itemKey": "TenantId",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "TenantId",
"sortOrder": 1
}
]
},
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/aggregations/Cases/\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2019-01-01-preview\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.properties\",\"columns\":[]}}]}",
"size": 1,
"title": "Aggregated Cases ",
"queryType": 12
},
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.Logic/workflows/\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2019-05-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"name\",\"columnid\":\"name\"},{\"path\":\"properties.provisioningState\",\"columnid\":\"state\"},{\"path\":\"location\",\"columnid\":\"location\"}]}}]}",
"size": 1,
"title": "Logic Apps",
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"formatters": [
{
"columnMatch": "name",
"formatter": 16,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true,
"showIcon": true,
"templateRunContext": {
"componentIdSource": "parameter",
"templateUriSource": "static",
"templateParameters": [],
"titleSource": "static",
"descriptionSource": "static",
"runLabelSource": "static"
},
"bladeOpenContext": {
"bladeParameters": []
}
}
}
],
"filter": true
}
},
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.Logic/workflows/\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2019-05-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$,value\",\"columns\":[{\"path\":\"properties.accessEndpoint\",\"columnid\":\"accessEndpoint\"},{\"path\":\"id\",\"columnid\":\"id\"},{\"path\":\"name\",\"columnid\":\"name\"},{\"path\":\"location\",\"columnid\":\"location\"},{\"path\":\"properties.definition.parameters\",\"columnid\":\"parameters\"},{\"path\":\"properties.definition.triggers\",\"columnid\":\"TriggerName\"},{\"path\":\"properties.definition.actions\",\"columnid\":\"Actions\"},{\"path\":\"properties.definition.outputs\",\"columnid\":\"outputs\"}]}}]}",
"size": 1,
"title": "Run a Playbook - test",
"queryType": 12
},
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.SecurityInsights/entities/\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2019-01-01-preview\"}],\"batchDisabled\":false,\"transformers\":null}",
"size": 1,
"title": "Entities",
"queryType": 12
},
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/providers/Microsoft.Security/secureScores/ascScore\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01-preview\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"\",\"columns\":[{\"path\":\"name\",\"columnid\":\"name\"},{\"path\":\"properties.score.max\",\"columnid\":\"max\"},{\"path\":\"properties.score.current\",\"columnid\":\"current\"},{\"path\":\"id\",\"columnid\":\"id\"}]}}]}",
"size": 1,
"title": "ASC SecureScore for: {Subscription:name}",
"queryType": 12
},
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/providers/Microsoft.Security/secureScoreControls\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01-preview\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"properties.displayName\",\"columnid\":\"displayName\"},{\"path\":\"properties.score.max\",\"columnid\":\"maxScore\"},{\"path\":\"properties.score.current\",\"columnid\":\"currentScore\"},{\"path\":\"properties.healthyResourceCount\",\"columnid\":\"healthyResourceCount\"},{\"path\":\"properties.unhealthyResourceCount\",\"columnid\":\"unhealthyResourceCount\"},{\"path\":\"properties.notApplicableResourceCount\",\"columnid\":\"notApplicableResourceCount\"},{\"path\":\"id\",\"columnid\":\"id\"}]}}]}",
"size": 1,
"title": "secureScoreControls for: {Subscription:name}",
"showExportToExcel": true,
"queryType": 12,
"gridSettings": {
"filter": true,
"sortBy": [
{
"itemKey": "displayName",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "displayName",
"sortOrder": 1
}
]
},
"name": "query - 6"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Others"
},
"name": "group - others"
}
],
"fallbackResourceIds": [
"Azure Monitor"
],
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}