Framework/Configurations/AlertMonitoring/WorkbookSerializedData.json
{
"version": "Notebook/1.0", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "a3017444-7eb8-4d2d-b8a3-659063609b59", "version": "KqlParameterItem/1.0", "name": "param_IsBaselineControl_b", "label": "Baseline", "type": 2, "description": "Include Baseline controls?", "multiSelect": true, "quote": "'", "delimiter": ",", "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "selectAllValue": "[]", "showDefault": false }, "jsonData": "[\r\n { \"value\":\"True\", \"label\":\"True\", \"selected\":true },\r\n { \"value\":\"False\", \"label\":\"False\", \"selected\":true }\r\n]" }, { "id": "ce52583f-eee3-4181-b3ea-fd16a111cffd", "version": "KqlParameterItem/1.0", "name": "param_IsPreviewBaselineControl_b", "label": "Preview Baseline", "type": 2, "description": "Include preview baseline controls?", "multiSelect": true, "quote": "'", "delimiter": ",", "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "selectAllValue": "[]", "showDefault": false }, "jsonData": "[\r\n { \"value\":\"True\", \"label\":\"True\", \"selected\":true },\r\n { \"value\":\"False\", \"label\":\"False\", \"selected\":true }\r\n]" }, { "id": "701ed197-3c71-4430-a9a3-e71976e10cd2", "version": "KqlParameterItem/1.0", "name": "param_OrganizationName_s", "label": "Organization Name", "type": 2, "description": "Organization filter", "multiSelect": true, "quote": "'", "delimiter": ",", "query": "AzSK_ADO_CL\r\n| distinct tostring(OrganizationName_s)\r\n| sort by OrganizationName_s asc", "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "selectAllValue": "[]" }, "timeContext": { "durationMs": 259200000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "5fc686c0-d448-4932-8497-b2c6b9501c29", "version": "KqlParameterItem/1.0", "name": "param_ResourceType", "label": "Resource Type", "type": 2, "description": 
"Filter for resource type", "multiSelect": true, "quote": "'", "delimiter": ",", "query": "AzSK_ADO_CL\r\n| extend ResourceType = iff(ResourceType == \"\", \"NA\",ResourceType)\r\n| distinct tostring(ResourceType)\r\n| sort by ResourceType asc", "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "selectAllValue": "[]" }, "timeContext": { "durationMs": 259200000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "056a088f-2df6-4637-9ccd-56033a3ef2da", "version": "KqlParameterItem/1.0", "name": "param_ControlSeverity_s", "label": "Control Severity", "type": 2, "description": "Filter for control severity", "multiSelect": true, "quote": "'", "delimiter": ",", "query": "AzSK_ADO_CL\r\n| distinct tostring(ControlSeverity_s)\r\n| sort by ControlSeverity_s asc", "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "selectAllValue": "[]" }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "e2c3f2e9-f721-445f-b81e-c1ea52d98080", "version": "KqlParameterItem/1.0", "name": "param_Env_s", "label": "Environment", "type": 2, "description": "Filter for environment", "multiSelect": true, "quote": "'", "delimiter": ",", "query": "AzSK_ADO_CL\r\n| extend Env_s = iff(Env_s == \"\", \"NA\",Env_s)\r\n| distinct tostring(Env_s)\r\n| sort by Env_s asc", "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "selectAllValue": "[]" }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "a7f5e68c-e880-4de6-9ae4-42a5be5c9fdd", "version": "KqlParameterItem/1.0", "name": "param_HasRequiredAccess_b", "label": "Has Required Access?", "type": 2, "description": "Filter for control records where the user had the required permissions to run the control", "multiSelect": true, "quote": "'", "delimiter": ",", "typeSettings": { "additionalResourceOptions": [ "value::all" ], 
"selectAllValue": "[]", "showDefault": false }, "jsonData": "[\r\n { \"value\":\"True\", \"label\":\"True\", \"selected\":true },\r\n { \"value\":\"False\", \"label\":\"False\", \"selected\":true }\r\n]" }, { "id": "c28a2ffc-2b51-46ff-99b6-2cd18a1cf5f4", "version": "KqlParameterItem/1.0", "name": "param_ControlId_s", "label": "ControlIds", "type": 2, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "AzSK_ADO_CL\r\n| distinct tostring(ControlId_s)\r\n| sort by ControlId_s asc", "typeSettings": { "additionalResourceOptions": [ "value::all" ], "showDefault": false }, "defaultValue": "value::all", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "value": [] }, { "id": "c0720465-7ff4-4aa7-b706-09e82925790c", "version": "KqlParameterItem/1.0", "name": "param_Tags_s", "label": "Tags", "type": 2, "value": null, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\r\n { \"value\":\"MSW\", \"label\":\"MSW\"}\r\n]" }, { "id": "0575c026-77d7-4578-8154-b7afc56408e8", "version": "KqlParameterItem/1.0", "name": "param_ResourceGroup", "label": "Project", "type": 2, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "AzSK_ADO_CL\r\n| where TimeGenerated > ago(3d)\r\n| extend ProjectName = iff(ResourceType==\"ADO.Project\", ResourceName_s, ResourceGroup)\r\n| where isnotempty(ProjectName)\r\n| distinct ProjectName", "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "showDefault": false }, "timeContext": { "durationMs": 259200000 }, "defaultValue": "value::all", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters-GlobalFilterParameters" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "tabs", "links": [ { "id": "22c57f37-49a3-4373-8320-977fe64a06a7", "cellValue": "selectedTab", "linkTarget": 
"parameter", "linkLabel": "Overview", "subTarget": "Overview", "style": "link" }, { "id": "c8b70fcf-c0f5-4018-9028-211a65c3a3fe", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Organization Security", "subTarget": "OrganizationSecurity", "style": "link" }, { "id": "43482c14-769e-4537-9813-9b7a6a02de9e", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Project Security", "subTarget": "ProjectSecurity", "style": "link" }, { "id": "1db87ed1-09d3-4758-9476-bdf15f3d46d3", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Project Components Security", "subTarget": "ProjectComponentsSecurity", "style": "link" }, { "id": "1e092926-4468-40f7-a31b-a28c1d08e830", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "All Resource Control Security", "subTarget": "ResourceSecurity", "style": "link" }, { "id": "73524be9-8691-443d-94c4-ffb76d7026e2", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Explore", "subTarget": "Explore", "style": "link" }, { "id": "a1049586-66d7-4dbb-b254-54154f40979b", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Help", "subTarget": "Help", "style": "link" } ] }, "name": "tabs-GlobalNavigation" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\nAzSK_ADO_CL\n| where TimeGenerated > ago(3d)\n| summarize arg_max(TimeGenerated, *) by OrganizationName_s,ControlId_s\n| 
where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\n| where array_length(sel_param_ControlId_s) == 0 or ControlId_s in (sel_param_ControlId_s)\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\n| where FeatureName_s == \"Organization\"\n|where Tags_s contains '{param_Tags_s}'\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\n| summarize AggregatedValue = count() by ControlStatus\n| sort by AggregatedValue desc", "size": 1, "showAnalytics": true, "title": "Organization Security Summary", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "piechart", "chartSettings": { "yAxis": [ "AggregatedValue" ], "seriesLabelSettings": [ { "seriesName": "Passed", "color": "greenDark" }, { "seriesName": "Failed", "color": "red" } ], "ySettings": {} } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Overview" }, "customWidth": "0", "name": "chart-OrganizationSecuritySummary" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\nlet sel_param_ControlSeverity_s = 
dynamic([{param_ControlSeverity_s}]);\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\nlet sel_param_ResourceGroup = dynamic([{param_ResourceGroup}]);\nAzSK_ADO_CL\n| where TimeGenerated > ago(3d)\n| where FeatureName_s == \"Project\"\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\n| where array_length(sel_param_ControlId_s) == 0 or ControlId_s in (sel_param_ControlId_s)\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\n| where array_length(sel_param_ResourceGroup) == 0 or ResourceName_s in (sel_param_ResourceGroup)\n|where Tags_s contains '{param_Tags_s}'\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\n| summarize arg_max(TimeGenerated, *) by OrganizationName_s,ResourceId,ControlId_s\n| summarize AggregatedValue = count() by ControlStatus\n| sort by AggregatedValue desc", "size": 1, "showAnalytics": true, "title": "Project Security Summary", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "piechart", "chartSettings": { "yAxis": [ "AggregatedValue" ], "seriesLabelSettings": [ { "seriesName": "Passed", "color": "greenDark" }, { "seriesName": "Failed", "color": "red" } ], "ySettings": {} } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Overview" }, "customWidth": "0", "name": "chart-ExpressRouteSecuritySummary" }, { "type": 3, "content": { "version": 
"KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\nlet sel_param_ResourceGroup = dynamic([{param_ResourceGroup}]);\nAzSK_ADO_CL\n| where TimeGenerated > ago(3d)\n| summarize arg_max(TimeGenerated, *) by OrganizationName_s,ResourceId,ControlId_s\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\n| where array_length(sel_param_ResourceGroup) == 0 or ResourceGroup in (sel_param_ResourceGroup)\n| where array_length(sel_param_ControlId_s) == 0 or ControlId_s in (sel_param_ControlId_s)\n| where Tags_s contains '{param_Tags_s}'\n| where FeatureName_s != \"Organization\" and FeatureName_s != \"Project\" \n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\n| summarize AggregatedValue = count() by ControlStatus\n| sort by AggregatedValue desc", "size": 1, "showAnalytics": true, "title": "Project Component Security Summary", "showExportToExcel": true, "queryType": 0, "resourceType": 
"microsoft.operationalinsights/workspaces", "visualization": "piechart", "chartSettings": { "yAxis": [ "AggregatedValue" ], "seriesLabelSettings": [ { "seriesName": "Passed", "color": "greenDark" }, { "seriesName": "Failed", "color": "red" } ], "ySettings": {} } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Overview" }, "customWidth": "0", "name": "chart-ProjectComponentSecuritySummary" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\r\nlet sel_param_ResourceGroup = dynamic([{param_ResourceGroup}]);\r\nAzSK_ADO_CL\r\n| where TimeGenerated > ago(3d)\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| extend ResourceType = iff(ResourceType == \"\", \"NA\",ResourceType)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\r\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where FeatureName_s != \"Organization\" and FeatureName_s != 
\"Project\"\r\n| where array_length(sel_param_ResourceGroup) == 0 or ResourceGroup in (sel_param_ResourceGroup)\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where array_length(sel_param_ControlId_s) == 0 or ControlId_s in (sel_param_ControlId_s)\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| summarize arg_max(TimeGenerated, *) by OrganizationName_s, ResourceId, ControlId_s\r\n| summarize AggregatedValue = count() by ControlStatus\r\n| sort by AggregatedValue desc", "size": 1, "showAnalytics": true, "title": "Resource's Controls Security Summary", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "piechart", "tileSettings": { "titleContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": { "showIcon": true } }, "showBorder": false }, "chartSettings": { "yAxis": [ "AggregatedValue" ], "seriesLabelSettings": [ { "seriesName": "Passed", "color": "greenDark" }, { "seriesName": "Failed", "color": "red" } ], "ySettings": {} } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Overview" }, "customWidth": "0", "name": "chart-ResourceSecuritySummary" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\r\nAzSK_ADO_CL\r\n| where TimeGenerated > ago(3d)\r\n| distinct OrganizationName_s\r\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in 
(sel_param_OrganizationName_s)\r\n| sort by OrganizationName_s asc\r\n| join kind= leftouter\r\n(\r\nAzSK_ADO_CL\r\n| where TimeGenerated > ago(3d)\r\n| summarize arg_max(TimeGenerated, *) by OrganizationName_s,ControlId_s\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where FeatureName_s == \"Organization\"\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| where ControlStatus==\"Failed\"\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where array_length(sel_param_ControlId_s) == 0 or ControlId_s in (sel_param_ControlId_s)\r\n| summarize count() by OrganizationName_s,ControlId_s,ControlStatus_s\r\n| summarize ['# Failed Controls'] = count() by OrganizationName_s\r\n| project OrganizationName_s, ['# Failed Controls']\r\n) on OrganizationName_s\r\n| extend ['# Failed Controls'] = iff(isempty(['# Failed Controls']), 0,['# Failed Controls'])\r\n| project OrganizationName=OrganizationName_s, ['# Failed Controls']\r\n| sort by ['# Failed Controls'] desc, OrganizationName asc", "size": 3, "showAnalytics": true, "title": "Organization failed control count", "noDataMessage": "No failed controls found", "exportFieldName": "OrganizationName", "exportParameterName": "param_selectOrganizationName", "exportDefaultValue": "All Organization", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { 
"columnMatch": "# Failed Controls", "formatter": 3, "formatOptions": { "palette": "red" } } ] }, "sortBy": [] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "OrganizationSecurity" }, "customWidth": "50", "name": "table-OrganizationFailedControlCount" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\r\nAzSK_ADO_CL\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where FeatureName_s == \"Organization\"\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where array_length(sel_param_ControlId_s) == 0 or ControlId_s in (sel_param_ControlId_s)\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| where ControlStatus==\"Failed\"\r\n| where '{param_selectOrganizationName}' == \"All Organization\" or OrganizationName_s == '{param_selectOrganizationName}'\r\n| extend combined = strcat(ResourceId, \"_\", 
OrganizationName_s) \r\n| make-series dcount(combined) default=0 on TimeGenerated in range(ago(7d), now(), 1d) by OrganizationName_s\r\n| mvexpand dcount_combined, TimeGenerated\r\n| project todatetime(TimeGenerated), OrganizationName_s, toint(dcount_combined)\r\n| render areachart", "size": 0, "showAnalytics": true, "title": "Failed Control Count Trend (last 7d) - {param_selectOrganizationName}", "noDataMessage": "No failed controls for the organization in the last 7 days", "timeContext": { "durationMs": 604800000 }, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "filter": true }, "sortBy": [], "chartSettings": { "xSettings": {}, "ySettings": {} } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "OrganizationSecurity" }, "customWidth": "50", "name": "chart-OrganizationFailedControl_7dTrend" }, { "type": 1, "content": { "json": "_Click on a row in the table above to see more details_\r\n<br />\r\n<br />" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "OrganizationSecurity" }, { "parameterName": "param_selectOrganizationName", "comparison": "isEqualTo", "value": "All Organization" } ], "name": "text-OrganizationFailedControl_RowSelect" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\r\nAzSK_ADO_CL\r\n| where TimeGenerated > ago(3d)\r\n| summarize arg_max(TimeGenerated, 
*) by OrganizationName_s,ControlId_s\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where OrganizationName_s == '{param_selectOrganizationName}'\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where FeatureName_s == \"Organization\"\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| where ControlStatus == \"Failed\"\r\n| project OrganizationName=OrganizationName_s, ControlId=ControlId_s, ControlStatus, Recommendation=Recommendation_s, TimeGenerated, Source_s, ControlStatus_s, ActualVerificationResult_s,RunIdentifier_s, ResourceType, ControlSeverity_s, IsBaselineControl_b \r\n| sort by OrganizationName asc, ControlId asc", "size": 3, "showAnalytics": true, "noDataMessage": "No failed controls for the organization in the last 7 days", "exportedParameters": [ { "fieldName": "Recommendation", "parameterName": "param_subsecRecommendation", "parameterType": 1 }, { "fieldName": "ControlId", "parameterName": "param_subsecControlId", "parameterType": 1 }, { "fieldName": "OrganizationName", "parameterName": "param_subsecOrganizationName", "parameterType": 1 }, { "fieldName": "OrganizationName", "parameterName": "param_subsecOrganizationName", "parameterType": 1 } ], "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { "columnMatch": "# Failed Controls", "formatter": 3, "formatOptions": { "palette": "red" } } ], "filter": true }, "sortBy": [] }, "conditionalVisibilities": [ { "parameterName": "param_selectOrganizationName", "comparison": "isNotEqualTo", 
"value": "All Organization" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "OrganizationSecurity" } ], "name": "table-OrganizationFailedControlDetails", "styleSettings": { "showBorder": true } }, { "type": 1, "content": { "json": "_Click on a row in the table above to see more details_\r\n<br />\r\n<br />" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "OrganizationSecurity" }, { "parameterName": "param_selectOrganizationName", "comparison": "isNotEqualTo", "value": "All Organization" }, { "parameterName": "param_subsecControlId", "comparison": "isEqualTo" } ], "name": "text-OrganizationFailedControlDetails_RowSelect" }, { "type": 1, "content": { "json": "### Recommendation for control Id: '{param_subsecControlId}'\r\n{param_subsecRecommendation}\r\n<br/>\r\n<br/>\r\n\r\n### Organization scanning commands for '{param_subsecOrganizationName}'\r\n\r\n**Scan for organization and resource controls** <br/>\r\nGet-AzSKADOSecurityStatus -OrganizationName \"{param_subsecOrganizationName}\" \r\n\r\n**Scan for only baseline controls** <br/>\r\nGet-AzSKADOSecurityStatus -OrganizationName \"{param_subsecOrganizationName}\" -UseBaselineControls\r\n\r\n**Scan '{param_subsecControlId}' control for the organization** <br/>\r\nGet-AzSKADOSecurityStatus -OrganizationName \"{param_subsecOrganizationName}\" -ControlIds \"{param_subsecControlId}\"\r\n\r\n<br/>" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "OrganizationSecurity" }, { "parameterName": "param_subsecControlId", "comparison": "isNotEqualTo" } ], "name": "text-OrganizationFailedControlDetails_DrillDownDetails" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = 
dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\r\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\r\n\r\nAzSK_ADO_CL\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where FeatureName_s == \"Organization\"\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| where ControlStatus==\"Failed\"\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where ControlId_s in (sel_param_ControlId_s)\r\n| where '{param_selectOrganizationName}' == \"All Organization\" or OrganizationName_s == '{param_selectOrganizationName}'\r\n| extend combined = strcat(ResourceId, \"_\", OrganizationName_s) \r\n| make-series dcount(combined) default=0 on TimeGenerated in range(ago(30d), now(), 1d) by OrganizationName_s\r\n| mvexpand dcount_combined, TimeGenerated\r\n| project todatetime(TimeGenerated), OrganizationName_s, toint(dcount_combined)\r\n| render areachart", "size": 0, "showAnalytics": true, "title": "Failed Control Count Trend (last 30d) - {param_selectOrganizationName}", "noDataMessage": "No failed controls for the organization in the last 30 days", "timeContext": { "durationMs": 2592000000 }, "showExportToExcel": true, 
"queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "filter": true }, "sortBy": [], "chartSettings": { "xSettings": {}, "ySettings": {} } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "OrganizationSecurity" }, "name": "OrganizationFailedControl_30dTrend" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\r\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\r\nlet sel_param_ResourceGroup = dynamic([{param_ResourceGroup}]);\r\nAzSK_ADO_CL\r\n| where TimeGenerated > ago(3d)\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| extend Env_s = iff(Env_s == \"\", \"NA\",Env_s)\r\n| extend ResourceType = iff(ResourceType == \"\", \"NA\",ResourceType)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\r\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where array_length(sel_param_Env_s) == 0 or Env_s in 
(sel_param_Env_s)\r\n| where array_length(sel_param_ResourceGroup) == 0 or ResourceName_s in (sel_param_ResourceGroup)\r\n| where FeatureName_s == \"Project\"\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where array_length(sel_param_ControlId_s) == 0 or ControlId_s in (sel_param_ControlId_s)\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| summarize arg_max(TimeGenerated, *) by OrganizationName_s, ResourceId, ControlId_s\r\n| where ControlStatus == \"Failed\"\r\n| summarize ['# Failed Controls'] = count() by OrganizationName_s, ResourceName_s\r\n | sort by ['# Failed Controls'] desc | project OrganizationName = OrganizationName_s, ProjectName =ResourceName_s, ['# Failed Controls']", "size": -1, "showAnalytics": true, "title": "Project failed control summary", "noDataMessage": "No failed controls found", "exportFieldName": "ProjectName", "exportParameterName": "param_selectProjectName", "exportDefaultValue": "All", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { "columnMatch": "# Failed Controls", "formatter": 3, "formatOptions": { "palette": "red" } } ] }, "sortBy": [] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ProjectSecurity" }, "name": "table-PrFailedControlCount" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\r\nlet sel_param_ControlId_s = 
dynamic([{param_ControlId_s}]);\r\nlet sel_param_ResourceGroup = dynamic([{param_ResourceGroup}]);\r\nAzSK_ADO_CL\r\n| where TimeGenerated > ago(3d)\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| extend Env_s = iff(Env_s == \"\", \"NA\",Env_s)\r\n| extend ResourceType = iff(ResourceType == \"\", \"NA\",ResourceType)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\r\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where array_length(sel_param_ControlId_s) == 0 or ControlId_s in (sel_param_ControlId_s)\r\n| where FeatureName_s == \"Project\"\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| where '{param_selectProjectName}' == \"All\" or ResourceName_s == '{param_selectProjectName}'\r\n| summarize arg_max(TimeGenerated, *) by OrganizationName_s, ResourceId, ControlId_s\r\n| where ControlStatus == \"Failed\"\r\n| summarize ['# Failed Controls'] = count() by ControlId_s\r\n| sort by ['# Failed Controls'] desc", "size": 0, "showAnalytics": true, "title": "Failed control summary", "noDataMessage": "No failed controls found", "exportFieldName": "ControlId_s", "exportParameterName": "param_selectERControl", "exportDefaultValue": "All Controls", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { 
"formatters": [ { "columnMatch": "# Failed Controls", "formatter": 3, "formatOptions": { "palette": "red" } } ] }, "sortBy": [] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ProjectSecurity" }, "customWidth": "50", "name": "table-ERFailedControlCount" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\r\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\r\nAzSK_ADO_CL\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| extend Env_s = iff(Env_s == \"\", \"NA\",Env_s)\r\n| extend ResourceType = iff(ResourceType == \"\", \"NA\",ResourceType)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\r\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\r\n| where FeatureName_s == \"Project\"\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| 
where ControlStatus == \"Failed\"\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where array_length(sel_param_ControlId_s) == 0 or ControlId_s in (sel_param_ControlId_s)\r\n| where '{param_selectProjectName}' == \"All\" or ResourceName_s == '{param_selectProjectName}'\r\n| where '{param_selectERControl}' == \"All Controls\" or ControlId_s == '{param_selectERControl}'\r\n| extend combined = strcat(ResourceId, \"_\", ControlId_s) \r\n| make-series dcount(combined) default=0 on TimeGenerated in range(ago(7d), now(), 1d) by ControlId_s\r\n| mvexpand dcount_combined, TimeGenerated\r\n| project todatetime(TimeGenerated), ControlId_s, toint(dcount_combined)\r\n| render areachart", "size": 0, "showAnalytics": true, "title": "Failed Control Count Trend (last 7d) - {param_selectERControl}", "noDataMessage": "No failed controls for this control Id in the last 7 days", "timeContext": { "durationMs": 604800000 }, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "filter": true }, "sortBy": [], "chartSettings": { "xSettings": {}, "ySettings": {} } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ProjectSecurity" }, "customWidth": "50", "name": "chart-ERFailedControl_7dTrend" }, { "type": 1, "content": { "json": "_Click on a row in the table above to see more details_\r\n<br />\r\n<br />" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ProjectSecurity" }, { "parameterName": "param_selectERControl", "comparison": "isEqualTo", "value": "All Controls" } ], "name": "text-ERFailedControl_RowSelect" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = 
dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\r\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\r\n\r\nAzSK_ADO_CL\r\n| where TimeGenerated > ago(3d)\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| extend Env_s = iff(Env_s == \"\", \"NA\",Env_s)\r\n| extend ResourceType = iff(ResourceType == \"\", \"NA\",ResourceType)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\r\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\r\n| where FeatureName_s == \"Project\"\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| where '{param_selectProjectName}' == \"All\" or ResourceName_s == '{param_selectProjectName}'\r\n| where ControlId_s == '{param_selectERControl}'\r\n| summarize arg_max(TimeGenerated, *) by OrganizationName_s, ResourceId, ControlId_s\r\n| where ControlStatus == \"Failed\"\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where ControlId_s in (sel_param_ControlId_s)\r\n| project OrganizationName=OrganizationName_s, ProjectName = ResourceName_s, ResourceName = ResourceName_s, ControlId=ControlId_s, ControlStatus, 
Recommendation=Recommendation_s, TimeGenerated, Source_s, ControlStatus_s, RunIdentifier_s, ResourceType, ControlSeverity_s, IsBaselineControl_b\r\n| sort by OrganizationName asc, tolower(ResourceName) asc", "size": 0, "showAnalytics": true, "title": "Failed Control Details for '{param_selectERControl}'", "noDataMessage": "No row selected from 'Failed control summary' table", "exportedParameters": [ { "fieldName": "Recommendation", "parameterName": "param_ERSecRecommendation", "parameterType": 1 }, { "fieldName": "ControlId", "parameterName": "param_ERSecControlId", "parameterType": 1 }, { "fieldName": "OrganizationName", "parameterName": "param_ERSecResourceOrgName", "parameterType": 1 }, { "fieldName": "OrganizationName", "parameterName": "param_ERSecResourceRg", "parameterType": 1 }, { "fieldName": "ProjectName", "parameterName": "param_ERSecResourceName", "parameterType": 1 } ], "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { "columnMatch": "ResourceName", "formatter": 5, "formatOptions": {} } ], "filter": true }, "sortBy": [] }, "conditionalVisibilities": [ { "parameterName": "param_selectERControl", "comparison": "isNotEqualTo", "value": "All Controls" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ProjectSecurity" } ], "name": "table-ERFailedControlDetails", "styleSettings": { "showBorder": true } }, { "type": 1, "content": { "json": "_Click on a row in the table above to see more details_\r\n<br />\r\n<br />" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ProjectSecurity" }, { "parameterName": "param_selectERControl", "comparison": "isNotEqualTo", "value": "All Controls" }, { "parameterName": "param_ERSecControlId", "comparison": "isEqualTo" } ], "name": "text-ERFailedControlDetails_RowSelect" }, { "type": 1, "content": { "json": "### Recommendation for control Id: 
'{param_ERSecControlId}'\r\n{param_ERSecRecommendation}\r\n\r\n<br/>\r\n### Project scanning commands for '{param_ERSecResourceName}'\r\n\r\n**Scan all controls for the project** <br/>\r\nGet-AzSKADOSecurityStatus -OrganizationName \"{param_ERSecResourceRg}\" -ProjectNames \"{param_ERSecResourceName}\" -UseBaselineControls\r\n\r\n**Scan '{param_ERSecControlId}' control for the project** <br/>\r\nGet-AzSKADOSecurityStatus -OrganizationName \"{param_ERSecResourceRg}\" -ProjectNames \"{param_ERSecResourceName}\" -ControlIds \"{param_ERSecControlId}\"\r\n\r\n<br/>" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ProjectSecurity" }, { "parameterName": "param_ERSecControlId", "comparison": "isNotEqualTo" } ], "name": "text-ERFailedControlDetails_DrillDownDetails" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\r\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\r\n\r\nAzSK_ADO_CL\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| extend Env_s = iff(Env_s == \"\", \"NA\",Env_s)\r\n| extend ResourceType = iff(ResourceType == \"\", \"NA\",ResourceType)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where
array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\r\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\r\n| where FeatureName_s == \"Project\"\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where ControlId_s in (sel_param_ControlId_s)\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| where ControlStatus == \"Failed\"\r\n| where '{param_selectProjectName}' == \"All\" or ResourceName_s == '{param_selectProjectName}'\r\n| where '{param_selectERControl}' == \"All Controls\" or ControlId_s == '{param_selectERControl}'\r\n| extend combined = strcat(ResourceId, \"_\", ControlId_s) \r\n| make-series dcount(combined) default=0 on TimeGenerated in range(ago(30d), now(), 1d) by ControlId_s\r\n| mvexpand dcount_combined, TimeGenerated\r\n| project todatetime(TimeGenerated), ControlId_s, toint(dcount_combined)\r\n| render areachart", "size": 0, "showAnalytics": true, "title": "Failed Control Count Trend (last 30d) - {param_selectERControl}", "timeContext": { "durationMs": 2592000000 }, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "filter": true }, "sortBy": [], "chartSettings": { "xSettings": {}, "ySettings": {} } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ProjectSecurity" }, "name": "chart-ERFailedControl_30dTrend" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = 
dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\r\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\r\nlet sel_param_ResourceGroup = dynamic([{param_ResourceGroup}]);\r\nAzSK_ADO_CL\r\n| where TimeGenerated > ago(3d)\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| extend Env_s = iff(Env_s == \"\", \"NA\",Env_s)\r\n| extend ResourceType = iff(ResourceType == \"\", \"NA\",ResourceType)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\r\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\r\n| where array_length(sel_param_ResourceGroup) == 0 or ResourceGroup in (sel_param_ResourceGroup)\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where array_length(sel_param_ControlId_s) == 0 or ControlId_s in (sel_param_ControlId_s)\r\n| where FeatureName_s != \"Organization\" and FeatureName_s != \"Project\"\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| summarize arg_max(TimeGenerated, *) by OrganizationName_s, ResourceGroup, ResourceId, ControlId_s\r\n| where ControlStatus == \"Failed\"\r\n| summarize ['# Failed Controls'] = count() by 
OrganizationName_s, ResourceGroup, FeatureName_s \r\n | sort by ['# Failed Controls'] desc | project OrganizationName = OrganizationName_s, ProjectName = ResourceGroup, ResourceType= FeatureName_s, ['# Failed Controls']", "size": -1, "showAnalytics": true, "title": "Project component's failed control summary", "noDataMessage": "No failed controls found", "exportedParameters": [ { "fieldName": "ResourceType", "parameterName": "param_selectPRResourceType", "parameterType": 1 }, { "fieldName": "OrganizationName", "parameterName": "param_selectPROrganizationName", "parameterType": 1 }, { "fieldName": "ProjectName", "parameterName": "param_selectPRProjectName", "parameterType": 1 } ], "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { "columnMatch": "# Failed Controls", "formatter": 3, "formatOptions": { "palette": "red" } } ], "sortBy": [ { "itemKey": "ResourceType", "sortOrder": 1 } ] }, "sortBy": [ { "itemKey": "ResourceType", "sortOrder": 1 } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ProjectComponentsSecurity" }, "name": "table-PrcFailedControlCountResourceWise" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\r\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\r\nAzSK_ADO_CL\r\n| where TimeGenerated > ago(3d)\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or 
HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| extend Env_s = iff(Env_s == \"\", \"NA\",Env_s)\r\n| extend ResourceType = iff(ResourceType == \"\", \"NA\",ResourceType)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\r\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\r\n| where FeatureName_s != \"Organization\" and FeatureName_s != \"Project\"\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| where '{param_selectPRProjectName}' == \"All\" or ResourceGroup == '{param_selectPRProjectName}'\r\n| where '{param_selectPROrganizationName}' == \"All\" or OrganizationName_s == '{param_selectPROrganizationName}'\r\n| where '{param_selectPRResourceType}' == \"All\" or FeatureName_s == '{param_selectPRResourceType}'\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where array_length(sel_param_ControlId_s) == 0 or ControlId_s in (sel_param_ControlId_s)\r\n| summarize arg_max(TimeGenerated, *) by OrganizationName_s, ResourceGroup, ResourceId, ControlId_s\r\n| where ControlStatus == \"Failed\"\r\n| summarize ['# Failed Controls'] = count() by ControlId_s,OrganizationName_s,ResourceGroup,FeatureName_s\r\n| sort by ['# Failed Controls'] desc | project OrganizationName = OrganizationName_s, ProjectName = ResourceGroup, ResourceType= FeatureName_s, ControlId = ControlId_s, ['# Failed Controls']", "size": 0, "showAnalytics": true, "title": "Failed control summary", "noDataMessage": 
"No failed controls found", "exportFieldName": "ControlId", "exportParameterName": "param_selectPRCControl", "exportDefaultValue": "All", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { "columnMatch": "# Failed Controls", "formatter": 3, "formatOptions": { "palette": "red" } } ] }, "sortBy": [] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ProjectComponentsSecurity" }, "customWidth": "48", "name": "table-PRCFailedControlCount" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\r\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\r\nAzSK_ADO_CL\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n | extend Env_s = iff(Env_s == \"\", \"NA\",Env_s)\r\n| extend ResourceType = iff(ResourceType == \"\", \"NA\",ResourceType)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\r\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\r\n| where 
array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\r\n| where FeatureName_s != \"Organization\" and FeatureName_s != \"Project\"\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| where ControlStatus == \"Failed\"\r\n| where '{param_selectPRProjectName}' == \"All\" or ResourceGroup == '{param_selectPRProjectName}'\r\n| where '{param_selectPROrganizationName}' == \"All\" or OrganizationName_s == '{param_selectPROrganizationName}'\r\n| where '{param_selectPRResourceType}' == \"All\" or FeatureName_s == '{param_selectPRResourceType}'\r\n| where '{param_selectPRCControl}' == \"All\" or ControlId_s == '{param_selectPRCControl}'\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where array_length(sel_param_ControlId_s) == 0 or ControlId_s in (sel_param_ControlId_s)\r\n| extend combined = strcat(ResourceId, \"_\", ControlId_s) \r\n| make-series dcount(combined) default=0 on TimeGenerated in range(ago(7d), now(), 1d) by ControlId_s\r\n| mvexpand dcount_combined, TimeGenerated\r\n| project todatetime(TimeGenerated), ControlId_s, toint(dcount_combined)\r\n| render areachart", "size": 0, "showAnalytics": true, "title": "Failed Control Count Trend (last 7d) - {param_selectPRCControl}", "noDataMessage": "No failed controls for this control Id in the last 7 days", "timeContext": { "durationMs": 604800000 }, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "filter": true }, "sortBy": [], "chartSettings": { "xSettings": {}, "ySettings": {} } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ProjectComponentsSecurity" }, "customWidth": "48", "name": "chart-PRCFailedControl_7dTrend" }, { "type": 1, "content": { "json": "_Click on a row in the table above to see more details_\r\n<br />\r\n<br />" }, 
"conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ProjectComponentsSecurity" }, { "parameterName": "param_selectPRCControl", "comparison": "isEqualTo", "value": "All" } ], "name": "text-PRCFailedControl_RowSelect" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\r\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\r\nAzSK_ADO_CL\r\n| where TimeGenerated > ago(3d)\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| extend Env_s = iff(Env_s == \"\", \"NA\",Env_s)\r\n| extend ResourceType = iff(ResourceType == \"\", \"NA\",ResourceType)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where array_length(sel_param_ControlId_s) == 0 or ControlId_s in (sel_param_ControlId_s)\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\r\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where array_length(sel_param_Env_s) == 0 or Env_s in 
(sel_param_Env_s)\r\n| where FeatureName_s != \"Organization\" and FeatureName_s != \"Project\"\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| where ControlStatus == \"Failed\"\r\n| where '{param_selectPRProjectName}' == \"All\" or ResourceGroup == '{param_selectPRProjectName}'\r\n| where '{param_selectPROrganizationName}' == \"All\" or OrganizationName_s == '{param_selectPROrganizationName}'\r\n| where '{param_selectPRResourceType}' == \"All\" or FeatureName_s == '{param_selectPRResourceType}'\r\n| where ControlId_s == '{param_selectPRCControl}'\r\n| summarize arg_max(TimeGenerated, *) by OrganizationName_s, ResourceGroup, ResourceId, ControlId_s\r\n| where ControlStatus == \"Failed\"\r\n| project OrganizationName=OrganizationName_s, ProjectName = ResourceGroup, Name = ResourceName_s, ResourceName = ResourceName_s, ControlId=ControlId_s, ResourceId, ControlStatus, Recommendation=Recommendation_s, TimeGenerated, Source_s, ControlStatus_s, RunIdentifier_s, ResourceType, ControlSeverity_s, IsBaselineControl_b\r\n| sort by OrganizationName asc, tolower(ResourceName) asc", "size": 0, "showAnalytics": true, "title": "Failed Control Details for '{param_selectPRCControl}'", "noDataMessage": "No row selected from 'Failed control summary' table", "exportedParameters": [ { "fieldName": "Recommendation", "parameterName": "param_PRCSecRecommendation", "parameterType": 1 }, { "fieldName": "ControlId", "parameterName": "param_ERSecControlId", "parameterType": 1 }, { "fieldName": "OrganizationName", "parameterName": "param_PRCSecORganizationName", "parameterType": 1 }, { "fieldName": "ProjectName", "parameterName": "param_PRCSecProjectName", "parameterType": 1 }, { "fieldName": "ResourceType", "parameterName": "param_PRCSecResourceType", "parameterType": 1 } ], "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { "columnMatch": "ResourceName", 
"formatter": 5, "formatOptions": {} } ], "filter": true }, "sortBy": [] }, "conditionalVisibilities": [ { "parameterName": "param_selectPRCControl", "comparison": "isNotEqualTo", "value": "All" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ProjectComponentsSecurity" } ], "name": "table-PRCFailedControlDetails", "styleSettings": { "showBorder": true } }, { "type": 1, "content": { "json": "_Click on a row in the table above to see more details_\r\n<br />\r\n<br />" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ProjectComponentsSecurity" }, { "parameterName": "param_selectPRCControl", "comparison": "isNotEqualTo", "value": "All" }, { "parameterName": "param_ERSecControlId", "comparison": "isEqualTo" } ], "name": "text-PRCFailedControlDetails_RowSelect" }, { "type": 1, "content": { "json": "### Recommendation for control Id: '{param_ERSecControlId}'\r\n{param_PRCSecRecommendation}\r\n\r\n<br/>\r\n### Resource scanning commands for '{param_ERSecResourceName}'\r\n\r\n**Scan all controls for the resource** <br/>\r\nGet-AzSKADOSecurityStatus -OrganizationName \"{param_PRCSecORganizationName}\" -ProjectNames \"{param_PRCSecProjectName}\" -ResourceTypeNames \"{param_PRCSecResourceType}\" -UseBaselineControls\r\n\r\n**Scan '{param_ERSecControlId}' control for the resource** <br/>\r\nGet-AzSKADOSecurityStatus -OrganizationName \"{param_PRCSecORganizationName}\" -ProjectNames \"{param_PRCSecProjectName}\" -ResourceTypeNames \"{param_PRCSecResourceType}\" -ControlIds \"{param_ERSecControlId}\"\r\n\r\n<br/>" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ProjectComponentsSecurity" }, { "parameterName": "param_ERSecControlId", "comparison": "isNotEqualTo" } ], "name": "text-PRCFailedControlDetails_DrillDownDetails" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = 
dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\r\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\r\nlet sel_param_ResourceGroup = dynamic([{param_ResourceGroup}]);\r\nAzSK_ADO_CL\r\n| where TimeGenerated > ago(3d)\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| extend Env_s = iff(Env_s == \"\", \"NA\",Env_s)\r\n| extend ResourceType = iff(ResourceType == \"\", \"NA\",ResourceType) \r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\r\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where array_length(sel_param_ResourceGroup) == 0 or ResourceGroup in (sel_param_ResourceGroup)\r\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where array_length(sel_param_ControlId_s) == 0 or ControlId_s in (sel_param_ControlId_s)\r\n| where FeatureName_s != \"Organization\" and FeatureName_s != \"Project\"\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| summarize 
arg_max(TimeGenerated, *) by OrganizationName_s, ResourceId, ControlId_s\r\n| where ControlStatus == \"Failed\"\r\n| summarize ['# Failed Controls'] = count() by ControlId_s\r\n| sort by ['# Failed Controls'] desc", "size": 3, "showAnalytics": true, "title": "All failed control summary", "noDataMessage": "No failed controls found", "exportFieldName": "ControlId_s", "exportParameterName": "param_selectResourceControl", "exportDefaultValue": "All Controls", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { "columnMatch": "# Failed Controls", "formatter": 3, "formatOptions": { "palette": "red" } } ], "sortBy": [ { "itemKey": "$gen_bar_# Failed Controls_1", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_bar_# Failed Controls_1", "sortOrder": 2 } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ResourceSecurity" }, "customWidth": "50", "name": "table-ResourceFailedControlCount" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\r\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\r\nAzSK_ADO_CL\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| extend Env_s = iff(Env_s == \"\", \"NA\",Env_s)\r\n| extend ResourceType = iff(ResourceType == \"\", \"NA\",ResourceType)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or 
IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\r\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\r\n| where FeatureName_s != \"Organization\" and FeatureName_s != \"Project\"\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| where ControlStatus == \"Failed\"\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where array_length(sel_param_ControlId_s) == 0 or ControlId_s in (sel_param_ControlId_s)\r\n| where '{param_selectResourceControl}' == \"All Controls\" or ControlId_s == '{param_selectResourceControl}'\r\n| extend combined = strcat(ResourceId, \"_\", ControlId_s) \r\n| make-series dcount(combined) default=0 on TimeGenerated in range(ago(7d), now(), 1d) by ControlId_s\r\n| mvexpand dcount_combined, TimeGenerated\r\n| project todatetime(TimeGenerated), ControlId_s, toint(dcount_combined)\r\n| render areachart", "size": 0, "showAnalytics": true, "title": "Failed Control Count Trend (last 7d) - {param_selectResourceControl}", "noDataMessage": "No failed controls for this control Id in the last 7 days", "timeContext": { "durationMs": 604800000 }, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "filter": true }, "sortBy": [], "chartSettings": { "xSettings": {}, "ySettings": {} } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ResourceSecurity" }, "customWidth": "50", "name": "chart-ResourceFailedControl_7dTrend" }, { 
"type": 1, "content": { "json": "_Click on a row in the table above to see more details_\r\n<br />\r\n<br />" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ResourceSecurity" }, { "parameterName": "param_selectResourceControl", "comparison": "isEqualTo", "value": "All Controls" } ], "name": "text-ResourceFailedControl_RowSelect" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\r\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\r\nAzSK_ADO_CL\r\n| where TimeGenerated > ago(3d)\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| extend Env_s = iff(Env_s == \"\", \"NA\",Env_s)\r\n| extend ResourceType = iff(ResourceType == \"\", \"NA\",ResourceType)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where array_length(sel_param_ControlId_s) == 0 or ControlId_s in (sel_param_ControlId_s)\r\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\r\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or 
ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\r\n| where FeatureName_s != \"Organization\" and FeatureName_s != \"Project\"\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| where ControlId_s == '{param_selectResourceControl}'\r\n| summarize arg_max(TimeGenerated, *) by OrganizationName_s, ResourceId, ControlId_s\r\n| where ControlStatus == \"Failed\"\r\n| project OrganizationName=OrganizationName_s, ProjectName=ResourceGroup, Name=ResourceName_s, ResourceName=ResourceName_s, ControlId=ControlId_s, ResourceId, ControlStatus, Recommendation=Recommendation_s, TimeGenerated, Source_s, ControlStatus_s, RunIdentifier_s, ResourceType, ControlSeverity_s, IsBaselineControl_b\r\n| sort by OrganizationName asc, ProjectName asc, tolower(ResourceName) asc", "size": 0, "showAnalytics": true, "title": "Failed Control Details for '{param_selectResourceControl}'", "noDataMessage": "No row selected from 'Failed control summary' table", "exportedParameters": [ { "fieldName": "Recommendation", "parameterName": "param_resourceSecRecommendation", "parameterType": 1 }, { "fieldName": "ControlId", "parameterName": "param_resourceSecControlId", "parameterType": 1 }, { "fieldName": "OrganizationName", "parameterName": "param_resourceSecResourceOrgName", "parameterType": 1 }, { "fieldName": "ProjectName", "parameterName": "param_resourceSecResourceRg", "parameterType": 1 }, { "fieldName": "ResourceName", "parameterName": "param_resourceSecResourceName", "parameterType": 1 } ], "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { "columnMatch": "ResourceName", "formatter": 5, "formatOptions": {} } ], "filter": true }, "sortBy": [] }, "conditionalVisibilities": [ { "parameterName": "param_selectResourceControl", "comparison": "isNotEqualTo", "value": "All Controls" }, { "parameterName": 
"selectedTab", "comparison": "isEqualTo", "value": "ResourceSecurity" } ], "name": "table-ResourceFailedControlDetails", "styleSettings": { "showBorder": true } }, { "type": 1, "content": { "json": "_Click on a row in the table above to see more details_\r\n<br />\r\n<br />" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ResourceSecurity" }, { "parameterName": "param_selectResourceControl", "comparison": "isNotEqualTo", "value": "All Controls" }, { "parameterName": "param_resourceSecControlId", "comparison": "isEqualTo" } ], "name": "text-ResourceFailedControlDetails_RowSelect" }, { "type": 1, "content": { "json": "### Recommendation for control Id: '{param_resourceSecControlId}'\r\n{param_resourceSecRecommendation}\r\n\r\n<br/>\r\n### Resource scan commands for '{param_resourceSecResourceName}'\r\n\r\n**Scan all controls for the resource** <br/>\r\nGet-AzSKADOSecurityStatus -OrganizationName \"{param_resourceSecResourceOrgName}\" -ProjectNames \"{param_resourceSecResourceRg}\" -ResourceNames \"{param_resourceSecResourceName}\" -UseBaselineControls\r\n\r\n**Scan '{param_resourceSecControlId}' control for the resource** <br/>\r\nGet-AzSKADOSecurityStatus -OrganizationName \"{param_resourceSecResourceOrgName}\" -ProjectNames \"{param_resourceSecResourceRg}\" -ResourceNames \"{param_resourceSecResourceName}\" -ControlIds \"{param_resourceSecControlId}\"\r\n\r\n<br/>" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ResourceSecurity" }, { "parameterName": "param_resourceSecControlId", "comparison": "isNotEqualTo" } ], "name": "text-ResourceFailedControlDetails_DrillDownDetails" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = 
dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\r\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\r\n\r\nAzSK_ADO_CL\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| extend Env_s = iff(Env_s == \"\", \"NA\",Env_s)\r\n| extend ResourceType = iff(ResourceType == \"\", \"NA\",ResourceType)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where array_length(sel_param_OrganizationName_s) == 0 or OrganizationName_s in (sel_param_OrganizationName_s)\r\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\r\n| where FeatureName_s != \"Organization\"\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| where ControlStatus == \"Failed\"\r\n| where '{param_selectResourceControl}' == \"All Controls\" or ControlId_s == '{param_selectResourceControl}'\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where ControlId_s in (sel_param_ControlId_s)\r\n| extend combined = strcat(ResourceId, \"_\", ControlId_s) \r\n| make-series dcount(combined) default=0 on TimeGenerated in range(ago(30d), now(), 1d) by ControlId_s\r\n| mvexpand dcount_combined, TimeGenerated\r\n| project todatetime(TimeGenerated), ControlId_s, toint(dcount_combined)\r\n| render areachart", "size": 
0, "showAnalytics": true, "title": "Failed Control Count Trend (last 30d) - {param_selectResourceControl}", "timeContext": { "durationMs": 2592000000 }, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "filter": true }, "sortBy": [], "chartSettings": { "xSettings": {}, "ySettings": {} } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "ResourceSecurity" }, "name": "chart-ResourceFailedControl_30dTrend" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzSK_ADO_CL\r\n| where TimeGenerated > ago(3d)\r\n| summarize arg_max(TimeGenerated, *) by OrganizationName_s\r\n| project OrganizationName=OrganizationName_s, LastScanTime=TimeGenerated, OrganizationName_s\r\n| join kind=leftouter\r\n(\r\n AzSK_ADO_CL\r\n | where ScannedBy_s == ''\r\n | summarize arg_max(TimeGenerated, *) by OrganizationName_s\r\n | project OrganizationName=OrganizationName_s, LastCAScanTime=TimeGenerated\r\n)\r\non OrganizationName\r\n| join kind=leftouter\r\n(\r\n AzSK_ADO_CL\r\n | where ScannedBy_s != ''\r\n | summarize arg_max(TimeGenerated, *) by OrganizationName_s\r\n | project OrganizationName=OrganizationName_s, LastUserScanTime=TimeGenerated, LastUserScannedBy=ScannedBy_s\r\n)\r\non OrganizationName\r\n| join kind=leftouter\r\n(\r\n AzSK_ADO_CL\r\n | extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n | where ControlStatus == \"Failed\"\r\n | summarize arg_max(TimeGenerated, *) by OrganizationName_s\r\n | project OrganizationName=OrganizationName_s, LastFailedControlTime=TimeGenerated\r\n)\r\non OrganizationName\r\n| extend FullScanCommand = strcat(\"Get-AzSKADOSecurityStatus -OrganizationName \\\"\", OrganizationName, \"\\\" -UseBaselineControls -ScanAllArtifact\")\r\n| extend OrganizationScanCommand = strcat(\"Get-AzSKADOSecurityStatus -OrganizationName \\\"\", OrganizationName_s, \"\\\" -UseBaselineControls 
-ResourceTypeName Organization\")\r\n| extend ResourceScanCommand = strcat(\"Get-AzSKADOSecurityStatus -OrganizationName \\\"\", OrganizationName_s, \"\\\" -UseBaselineControls -ResourceTypeName Build_Release_SvcConn_AgentPool_VarGroup_User_CommonSVTResources\")\r\n| project OrganizationName, LastScanTime, LastCAScanTime, LastUserScanTime, LastUserScannedBy, LastFailedControlTime, FullScanCommand, OrganizationScanCommand, ResourceScanCommand\r\n| sort by OrganizationName asc", "size": 3, "showAnalytics": true, "title": "Connected Organizations", "timeContext": { "durationMs": 2592000000 }, "exportedParameters": [ { "fieldName": "FullScanCommand", "parameterName": "param_infoFullScan", "parameterType": 1 }, { "fieldName": "OrganizationName", "parameterName": "param_infoOrgName", "parameterType": 1 }, { "fieldName": "OrganizationScanCommand", "parameterName": "param_infoOrgScan", "parameterType": 1 }, { "fieldName": "ResourceScanCommand", "parameterName": "param_infoResourceScan", "parameterType": 1 } ], "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { "columnMatch": "FullScanCommand", "formatter": 5, "formatOptions": {} }, { "columnMatch": "OrganizationScanCommand", "formatter": 5, "formatOptions": {} }, { "columnMatch": "ResourceScanCommand", "formatter": 5, "formatOptions": {} } ] }, "sortBy": [] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Explore" }, "name": "table-ConnectedOrganizations" }, { "type": 1, "content": { "json": "### Organization scan commands\r\n\r\n**Scan '{param_infoOrgName}' for organization and resource controls** <br/>\r\n{param_infoFullScan}\r\n\r\n**Scan '{param_infoOrgName}' for only organization controls** <br/>\r\n{param_infoOrgScan}\r\n\r\n**Scan '{param_infoOrgName}' for only resource controls** <br/>\r\n{param_infoResourceScan}\r\n\r\n<br/>\r\n<br/>" }, "conditionalVisibilities": [ { 
"parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Explore" }, { "parameterName": "param_infoOrgName", "comparison": "isNotEqualTo" } ], "name": "text-ConnectedOrganizations_DrillDownDetails" }, { "type": 1, "content": { "json": "_Click on a row in the table above to generate organization scanning commands_\r\n<br />\r\n<br />" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Explore" }, { "parameterName": "param_infoOrgName", "comparison": "isEqualTo" } ], "name": "text-ConnectedOrganizations_RowSelect" }, { "type": 1, "content": { "json": "<br />\r\n<br />\r\n### Enter a resource name to get AzSK.ADO scan details and useful commands" }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Explore" }, "name": "text-ExploreResource" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "c23e8784-78c9-4312-9c7b-763861a26e7e", "version": "KqlParameterItem/1.0", "name": "param_ExploreResourceName", "label": "Resource Name", "type": 1, "description": "Enter a resource name to display all currently failed controls", "value": "" } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Explore" }, "name": "parameters-ExploreResource" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzSK_ADO_CL\r\n| where TimeGenerated > ago(3d)\r\n| where FeatureName_s != \"Organization\"\r\n| summarize arg_max(TimeGenerated, *) by ResourceId\r\n| where ResourceName_s =~ '{param_ExploreResourceName}'\r\n| project ResourceId, ResourceName=ResourceName_s, LastScanTime=TimeGenerated, OrganizationName=OrganizationName_s, OrganizationName_s, ResourceGroup, ResourceType\r\n| join kind=leftouter\r\n(\r\n AzSK_ADO_CL\r\n | where ScannedBy_s == ''\r\n | where FeatureName_s != \"Organization\" and 
FeatureName_s != \"Project\"\r\n | summarize arg_max(TimeGenerated, *) by ResourceId\r\n | where ResourceName_s =~ '{param_ExploreResourceName}'\r\n | project ResourceId, LastCAScanTime=TimeGenerated\r\n)\r\non ResourceId\r\n| join kind=leftouter\r\n(\r\n AzSK_ADO_CL\r\n | where ScannedBy_s != ''\r\n | where FeatureName_s != \"Organization\" and FeatureName_s != \"Project\"\r\n | summarize arg_max(TimeGenerated, *) by ResourceId\r\n | where ResourceName_s =~ '{param_ExploreResourceName}'\r\n | project ResourceId, LastUserScanTime=TimeGenerated, LastUserScannedBy=ScannedBy_s\r\n)\r\non ResourceId\r\n| join kind=leftouter\r\n(\r\n AzSK_ADO_CL\r\n | where FeatureName_s != \"Organization\"\r\n | extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n | where ControlStatus == \"Failed\"\r\n | summarize arg_max(TimeGenerated, *) by ResourceId\r\n | where ResourceName_s =~ '{param_ExploreResourceName}'\r\n | project ResourceId, LastFailedControlTime=TimeGenerated\r\n)\r\non ResourceId\r\n| project Resource=ResourceId, LastScanTime, LastCAScanTime, LastUserScanTime, LastUserScannedBy, LastFailedControlTime, ResourceGroup, ResourceName, OrganizationName_s, ResourceType", "size": 3, "showAnalytics": true, "title": "Resource Explore", "timeContext": { "durationMs": 2592000000 }, "exportedParameters": [ { "fieldName": "OrganizationName_s", "parameterName": "param_infoResourceOrgId", "parameterType": 1 }, { "fieldName": "ResourceGroup", "parameterName": "param_infoResourceRg", "parameterType": 1 }, { "fieldName": "ResourceName", "parameterName": "param_infoResourceName", "parameterType": 1 } ], "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { "columnMatch": "ResourceName", "formatter": 5, "formatOptions": {} } ] } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Explore" }, "name": "table-ExploreResource", 
"styleSettings": { "showBorder": true } }, { "type": 1, "content": { "json": "_Click on a row in the table above to generate resource scanning commands_\r\n<br />\r\n<br />" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Explore" }, { "parameterName": "param_infoResourceName", "comparison": "isEqualTo" } ], "name": "text-ResourceExplore_RowSelect" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\r\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\r\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\r\nlet sel_param_OrganizationName_s = dynamic([{param_OrganizationName_s}]);\r\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\r\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\r\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\r\nlet sel_param_ControlId_s = dynamic([{param_ControlId_s}]);\r\nAzSK_ADO_CL\r\n| where TimeGenerated > ago(3d)\r\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\r\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\r\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\r\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\r\n| where FeatureName_s != \"Organization\"\r\n| where ResourceName_s =~ '{param_ExploreResourceName}'\r\n| where Tags_s contains '{param_Tags_s}'\r\n| where ControlId_s in (sel_param_ControlId_s)\r\n| extend ControlStatus = iff(ControlStatus_s == \"Passed\", \"Passed\",\"Failed\")\r\n| summarize arg_max(TimeGenerated, *) by OrganizationName_s, ResourceId, ControlId_s\r\n| where ControlStatus == 
\"Failed\"\r\n| project Resource=ResourceId, ControlId=ControlId_s, ResourceGroup, OrganizationName_s, ResourceName=ResourceName_s, ResourceType\r\n| sort by ControlId asc", "size": 3, "showAnalytics": true, "title": "Current failed controls - '{param_ExploreResourceName}'", "noDataMessage": "There are no failed controls for the given resource or the filter is empty", "exportedParameters": [ { "fieldName": "ControlId", "parameterName": "param_infoResourceFailedControlId", "parameterType": 1 }, { "fieldName": "OrganizationName_s", "parameterName": "param_infoResourceFailedOrganizationName", "parameterType": 1 }, { "fieldName": "ResourceGroup", "parameterName": "param_infoResourceFailedResourceGroup", "parameterType": 1 }, { "fieldName": "ResourceName", "parameterName": "param_infoResourceFailedResourceName", "parameterType": 1 } ], "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { "formatters": [ { "columnMatch": "ResourceName", "formatter": 5, "formatOptions": {} } ] } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Explore" }, "name": "table-ExploreResourceFailedControls", "styleSettings": { "showBorder": true } }, { "type": 1, "content": { "json": "_Click on a row in the table above to generate resource scanning commands_\r\n<br />\r\n<br />" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Explore" }, { "parameterName": "param_infoResourceName", "comparison": "isEqualTo" }, { "parameterName": "param_infoResourceFailedControlId", "comparison": "isEqualTo" } ], "name": "text-ExploreResourceFailedControls_RowSelect" }, { "type": 1, "content": { "json": "### Resource scan commands for resource '{param_ExploreResourceName}'\r\n\r\n**Scan all controls for the resource** <br/>\r\nGet-AzSKADOSecurityStatus -OrganizationName \"{param_infoResourceRg}\" -ProjectNames \"{param_infoResourceName}\" 
-UseBaselineControls\r\n\r\n<br/>" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Explore" }, { "parameterName": "param_infoResourceName", "comparison": "isNotEqualTo" } ], "name": "text-ExploreResource_DrillDownDetails" }, { "type": 1, "content": { "json": "### Scan commands for '{param_infoResourceFailedControlId}' control on resource '{param_infoResourceFailedResourceName}'\r\n\r\n**Scan '{param_infoResourceFailedControlId}' control for the resource** <br/>\r\nGet-AzSKADOSecurityStatus -OrganizationName \"{param_infoResourceFailedResourceGroup}\" -ProjectNames \"{param_infoResourceFailedResourceName}\" -ControlIds \"{param_infoResourceFailedControlId}\"\r\n\r\n\r\n<br/>" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Explore" }, { "parameterName": "param_infoResourceFailedControlId", "comparison": "isNotEqualTo" } ], "name": "text-ExploreResourceFailedControls_DrillDownDetails" }, { "type": 1, "content": { "json": "# Using this workbook\r\nThis workbook contains multiple tabs to help you discover, troubleshoot and remediate AzSK.ADO controls. Each tab has a particular focus from high-level overview, to detailed control data. Many sections will also generate ready-to-run commands for scanning to quickly target the organizations, resources and controls you need to address.\r\n\r\nEvery tab depicts baseline control events received by your Log Analytics workspace for the last scan done within last 3 days. Typically these would be events generated via Continuous Assurance (CA) scanning. However, manual scan results can also come here if AzSK.ADO is configured to forward local scan events to Log Analytics.\r\n\r\nIt is important to understand that, per the current plan, CA scanning will be turned on for various resource types/controls in waves. At any stage, this view will only show the baseline controls which have been (centrally) enabled for CA scanning. 
This is to improve our security posture in multiple 'waves'. If you would like to determine and fix controls beyond the ones currently enabled, you can manually run the scan commands and look at the CSV (or this view if you have local Log Analytics forwarding enabled in AzSK.ADO).\r\n\r\nIf multiple organizations have been configured to use this Log Analytics workspace then the view aggregates data from all organizations. (You can use/apply filters to view the data for a specific organization.)\r\n\r\nNote that, although it should serve the needs of a lot of scenarios, this is still just a sample view. There are lots of possible ways other views can be generated by you (or you can integrate one or more blades from this view into your own views).\r\n\r\n## There are 5 tabs in this workbook\r\n\r\n1. **Overview** <br/>\r\nThis tab contains an \"at-a-glance\" summary of the health for AzSK.ADO controls for all organizations sending data to the workspace.\r\n\r\n1. **Organization Security** <br/>\r\nThis tab contains details about organization security controls in your organizations. Control failures in this area will typically need organization owner privilege to fix. Multiple drill downs are available to highlight the most useful information, including ready-to-paste scanning and attestation commands. 7 and 30 day trending charts are also available to help you understand when controls started or stopped failing.\r\n\r\n1. **Project Security** <br/>\r\nThis tab contains details about project security controls in your organizations. \r\n\r\n1. **Resource Security** <br/>\r\nThis tab contains details about resource security controls in your organizations. Multiple drill downs are available to highlight the most useful information, including ready-to-paste scanning commands. 7 and 30 day trending charts are also available to help you understand when controls started or stopped failing.\r\n\r\n1. 
**Explore** <br/>\r\nThis tab contains tools to explore your AzSK.ADO log analytics data.\r\n - **Connected organizations** - Explore what organizations have sent data to your log analytics workspace in the last 30 days. You'll see detailed information like the date of the last Continuous Assurance or user scan and what the username was. Clicking on rows in this table will provide copy/paste organization scanning commands you can use to perform manual scans required by some AzSK.ADO controls.\r\n - **Resource exploration** - In this section you can enter the name of a resource to get more details. You'll see detailed information like the date of the last Continuous Assurance or user scan for that resource and what the username was. You'll also see a table outlining the current failed controls for this resource. Clicking on a row from either table will provide additional copy/paste resource scanning commands you can use to perform targeted manual scans or attestations.\r\n\r\n1. **Help** <br/>\r\nThis tab provides details on how to use this workbook. You are on this tab.\r\n\r\n## Filters\r\nYou can apply filters to this view to evaluate all queries with additional conditions. The filters will appear at the top of every tab and will affect every query with a few exceptions (e.g. Connected organizations table on the 'Explore' tab). Filters are applied instantly. Multiple options on a single filter can be selected at once in addition to using multiple filters at once.\r\n\r\n### Available filters:\r\n\r\n1. **Baseline:** Select whether to include baseline controls (Default: True)\r\n1. **Preview Baseline:** Select whether to include preview (extended) baseline controls (Default: False)\r\n1. **Organization Name:** Select which organization(s) to include (Default: All)\r\n1. **Severity:** Select which severities to include. AzSK.ADO controls are classified into categories: Critical, High, Medium, and Low (Default: All)\r\n1. 
**Resource Type:** Select which resource type to include. e.g. \"AppService\", \"Automation\", and more. (Default: All)\r\n1. **Environment:** Select which Environment to include. You can tag your resource groups with \"Env\" tag using which you'll be able to filter results accordingly. For instance, you can Tag multiple resource groups as \"Production\" and view the scan results for production resources only. (Default: All)\r\n1. **Has Required Access?** Select whether to include controls for which the scanner did not have required access to evaluate (Default: True)\r\n\r\n## Additional workbook features\r\n### Drill Downs\r\nMany tables include the ability to click on a row and drill down to gain additional details without being redirected to a log analytics query window. Tables that have this option will have a message noted with the light bulb icon. When a row is selected, additional tables and text boxes may become visible or some content may be further filtered. Your selection may be cleared by clicking the 'undo' icon in the top right corner of the table.\r\n\r\n### Resource Links\r\nThis powerful tool lets you investigate your Azure resources without leaving the context of the workbook. Whenever you see a clickable link in a table you can use it to navigate directly to the resource. When done investigating, you can navigate back to the workbook by clicking on the workbook name in the top left corner of the Azure portal. 
When you return, the workbook is as you left it.\r\n\r\n### Exporting Options\r\nIf you want to export or explore your data further there are two options.\r\n - **Open query in Log Analytics Log view** - Clicking the Log Analytics icon in the top right corner of a table or chart will open your query in the Log Analytics log view where you can edit it further to get the data you need.\r\n - **Export to Excel** - Clicking the download icon in the top right corner of a table or chart will download the current query results to an XLSX file.\r\n\r\nHappy Security Monitoring!\r\n\r\n## Support\r\nThis workbook is provided with AzSK.ADO.\r\n" }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Help" }, "name": "text-Help" } ], "styleSettings": { "paddingStyle": "none" } } |