Framework/Configurations/AlertMonitoring/ADOScannerLAWorkbook.json
{
"contentVersion": "1.0.0.0", "parameters": { "location": { "type": "string", "defaultValue": "" }, "resourcegroup": { "type": "string", "defaultValue": "" }, "organizationName": { "type": "string", "defaultValue": "" }, "subscriptionId": { "type": "string", "defaultValue": "" }, "workspace": { "type": "string", "defaultValue": "" }, "workspaceapiversion": { "type": "string", "defaultValue": "" }, "viewName": { "type": "string", "defaultValue": "" }, "workbookSourceId": { "type": "string", "defaultValue": "[Concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourcegroup'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspace'))]", "metadata": { "description": "The id of resource instance to which the workbook will be associated" } }, "workbookId": { "type": "string", "defaultValue": "[newGuid()]", "metadata": { "description": "The unique guid for this workbook instance" } } }, "resources": [ { "name": "[parameters('workbookId')]", "type": "microsoft.insights/workbooks", "location": "[resourceGroup().location]", "apiVersion": "2018-06-17-preview", "dependsOn": [], "kind": "shared", "properties": { "displayName": "[parameters('viewName')]", "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a3017444-7eb8-4d2d-b8a3-659063609b59\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"param_IsBaselineControl_b\",\"label\":\"Baseline\",\"type\":2,\"description\":\"Include Baseline controls?\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"[]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"True\\\", \\\"label\\\":\\\"True\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\":\\\"False\\\", \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"},{\"id\":\"ce52583f-eee3-4181-b3ea-fd16a111cffd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"param_IsPreviewBaselineControl_b\",\"label\":\"Preview Baseline\",\"type\":2,\"description\":\"Include preview baseline controls?\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"[]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"True\\\", \\\"label\\\":\\\"True\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\":\\\"False\\\", \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"},{\"id\":\"701ed197-3c71-4430-a9a3-e71976e10cd2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"param_SubscriptionName_s\",\"label\":\"Organization Name\",\"type\":2,\"description\":\"Organization filter\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AzSK_ADO_CL\\r\\n| distinct tostring(SubscriptionName_s)\\r\\n| sort by SubscriptionName_s asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"[]\"},\"timeContext\":{\"durationMs\":259200000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"5fc686c0-d448-4932-8497-b2c6b9501c29\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"param_ResourceType\",\"label\":\"Resource Type\",\"type\":2,\"description\":\"Filter for resource type\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AzSK_ADO_CL\\r\\n| extend ResourceType = iff(ResourceType == \\\"\\\", \\\"NA\\\",ResourceType)\\r\\n| distinct tostring(ResourceType)\\r\\n| sort by ResourceType asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"[]\"},\"timeContext\":{\"durationMs\":259200000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"056a088f-2df6-4637-9ccd-56033a3ef2da\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"param_ControlSeverity_s\",\"label\":\"Control Severity\",\"type\":2,\"description\":\"Filter for control severity\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AzSK_ADO_CL\\r\\n| distinct tostring(ControlSeverity_s)\\r\\n| sort by ControlSeverity_s asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"[]\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e2c3f2e9-f721-445f-b81e-c1ea52d98080\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"param_Env_s\",\"label\":\"Environment\",\"type\":2,\"description\":\"Filter for environment\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AzSK_ADO_CL\\r\\n| extend Env_s = iff(Env_s == \\\"\\\", \\\"NA\\\",Env_s)\\r\\n| distinct tostring(Env_s)\\r\\n| sort by Env_s asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"[]\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a7f5e68c-e880-4de6-9ae4-42a5be5c9fdd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"param_HasRequiredAccess_b\",\"label\":\"Has Required Access?\",\"type\":2,\"description\":\"Filter for control records where the user had the required permissions to run the control\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"True\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"[]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"True\\\", \\\"label\\\":\\\"True\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\":\\\"False\\\", \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters-GlobalFilterParameters\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"Overview\",\"style\":\"link\"},{\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Organization Security\",\"subTarget\":\"SubscriptionSecurity\",\"style\":\"link\"},{\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Project Security\",\"subTarget\":\"ERSecurity\",\"style\":\"link\"},{\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Resource Security\",\"subTarget\":\"ResourceSecurity\",\"style\":\"link\"},{\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Explore\",\"subTarget\":\"Explore\",\"style\":\"link\"},{\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Help\",\"subTarget\":\"Help\",\"style\":\"link\"}]},\"name\":\"tabs-GlobalNavigation\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\\r\\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\\r\\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\\r\\nlet sel_param_SubscriptionName_s = dynamic([{param_SubscriptionName_s}]);\\r\\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\\r\\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\\r\\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\\r\\nAzSK_ADO_CL\\r\\n| where TimeGenerated > ago(3d)\\n| summarize arg_max(TimeGenerated, *) by SubscriptionName_s,ControlId_s\\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\\n| where array_length(sel_param_SubscriptionName_s) == 0 or SubscriptionName_s in (sel_param_SubscriptionName_s)\\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\\n| where FeatureName_s == \\\"Organization\\\"\\n| extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\n| summarize AggregatedValue = count() by ControlStatus\\n| sort by AggregatedValue desc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Organization Security Summary\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"yAxis\":[\"AggregatedValue\"],\"seriesLabelSettings\":[{\"seriesName\":\"Passed\",\"color\":\"greenDark\"},{\"seriesName\":\"Failed\",\"color\":\"red\"}],\"ySettings\":{}}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Overview\"},\"name\":\"chart-SubscriptionSecuritySummary\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\\r\\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\\r\\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\\r\\nlet sel_param_SubscriptionName_s = dynamic([{param_SubscriptionName_s}]);\\r\\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\\r\\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\\r\\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\\r\\nAzSK_ADO_CL\\r\\n| where TimeGenerated > ago(3d)\\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\\n| where array_length(sel_param_SubscriptionName_s) == 0 or SubscriptionName_s in (sel_param_SubscriptionName_s)\\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\\n| where FeatureName_s == \\\"Project\\\"\\n| extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\n| summarize arg_max(TimeGenerated, *) by SubscriptionName_s,ResourceId,ControlId_s\\n| summarize AggregatedValue = count() by ControlStatus\\n| sort by AggregatedValue desc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Project Security Summary\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"yAxis\":[\"AggregatedValue\"],\"seriesLabelSettings\":[{\"seriesName\":\"Passed\",\"color\":\"greenDark\"},{\"seriesName\":\"Failed\",\"color\":\"red\"}],\"ySettings\":{}}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Overview\"},\"name\":\"chart-ExpressRouteSecuritySummary\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\\r\\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\\r\\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\\r\\nlet sel_param_SubscriptionName_s = dynamic([{param_SubscriptionName_s}]);\\r\\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\\r\\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\\r\\nAzSK_ADO_CL\\r\\n| where TimeGenerated > ago(3d)\\r\\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\\r\\n| extend ResourceType = iff(ResourceType == \\\"\\\", \\\"NA\\\",ResourceType)\\r\\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\\r\\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\\r\\n| where array_length(sel_param_SubscriptionName_s) == 0 or SubscriptionName_s in (sel_param_SubscriptionName_s)\\r\\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\\r\\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\\r\\n| where FeatureName_s != \\\"Organization\\\" and FeatureName_s != \\\"Project\\\"\\r\\n| extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\r\\n| summarize arg_max(TimeGenerated, *) by SubscriptionId, ResourceId, ControlId_s\\r\\n| summarize AggregatedValue = count() by ControlStatus\\r\\n| sort by AggregatedValue desc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Resource Security Summary\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false},\"chartSettings\":{\"yAxis\":[\"AggregatedValue\"],\"seriesLabelSettings\":[{\"seriesName\":\"Passed\",\"color\":\"greenDark\"},{\"seriesName\":\"Failed\",\"color\":\"red\"}],\"ySettings\":{}}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Overview\"},\"name\":\"chart-ResourceSecuritySummary\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\\r\\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\\r\\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\\r\\nlet sel_param_SubscriptionName_s = dynamic([{param_SubscriptionName_s}]);\\r\\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\\r\\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\\r\\nAzSK_ADO_CL\\r\\n| where TimeGenerated > ago(3d)\\r\\n| distinct SubscriptionName_s\\r\\n| where array_length(sel_param_SubscriptionName_s) == 0 or SubscriptionName_s in (sel_param_SubscriptionName_s)\\r\\n| sort by SubscriptionName_s asc\\r\\n| join kind= leftouter\\r\\n(\\r\\nAzSK_ADO_CL\\r\\n| where TimeGenerated > ago(3d)\\r\\n| summarize arg_max(TimeGenerated, *) by SubscriptionName_s,ControlId_s\\r\\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\\r\\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\\r\\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\\r\\n| where array_length(sel_param_SubscriptionName_s) == 0 or SubscriptionName_s in (sel_param_SubscriptionName_s)\\r\\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\\r\\n| where FeatureName_s == \\\"Organization\\\"\\r\\n| extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\r\\n| where ControlStatus==\\\"Failed\\\"\\r\\n| summarize count() by SubscriptionName_s,ControlId_s,ControlStatus_s\\r\\n| summarize ['# Failed Controls'] = count() by SubscriptionName_s\\r\\n| project SubscriptionName_s, ['# Failed Controls']\\r\\n) on SubscriptionName_s\\r\\n| extend ['# Failed Controls'] = iff(isempty(['# Failed Controls']), 0,['# Failed Controls'])\\r\\n| project SubscriptionName=SubscriptionName_s, ['# Failed Controls']\\r\\n| sort by ['# Failed Controls'] desc, SubscriptionName asc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Organization failed control count\",\"noDataMessage\":\"No failed controls found\",\"exportFieldName\":\"SubscriptionName\",\"exportParameterName\":\"param_selectSubscriptionName\",\"exportDefaultValue\":\"All Subscriptions\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"# Failed Controls\",\"formatter\":3,\"formatOptions\":{\"palette\":\"red\"}}]},\"sortBy\":[]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"SubscriptionSecurity\"},\"name\":\"table-SubscriptionFailedControlCount\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\\r\\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\\r\\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\\r\\nlet sel_param_SubscriptionName_s = dynamic([{param_SubscriptionName_s}]);\\r\\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\\r\\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\\r\\nAzSK_ADO_CL\\r\\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\\r\\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\\r\\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\\r\\n| where array_length(sel_param_SubscriptionName_s) == 0 or SubscriptionName_s in (sel_param_SubscriptionName_s)\\r\\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\\r\\n| where FeatureName_s == \\\"Organization\\\"\\r\\n| extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\r\\n| where ControlStatus==\\\"Failed\\\"\\r\\n| where '{param_selectSubscriptionName}' == \\\"All Subscriptions\\\" or SubscriptionName_s == '{param_selectSubscriptionName}'\\r\\n| extend combined = strcat(ResourceId, \\\"_\\\", SubscriptionName_s) \\r\\n| make-series dcount(combined) default=0 on TimeGenerated in range(ago(7d), now(), 1d) by SubscriptionName_s\\r\\n| mvexpand dcount_combined, TimeGenerated\\r\\n| project todatetime(TimeGenerated), SubscriptionName_s, toint(dcount_combined)\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Failed Control Count Trend (last 7d) - {param_selectSubscriptionName}\",\"noDataMessage\":\"No failed controls for the organization in the last 7 days\",\"timeContext\":{\"durationMs\":604800000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true},\"sortBy\":[],\"chartSettings\":{\"xSettings\":{},\"ySettings\":{}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"SubscriptionSecurity\"},\"name\":\"chart-SubscriptionFailedControl_7dTrend\"},{\"type\":1,\"content\":{\"json\":\"💡_Click on a row in the table above to see more details_\\r\\n<br />\\r\\n<br />\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"SubscriptionSecurity\"},{\"parameterName\":\"param_selectSubscriptionName\",\"comparison\":\"isEqualTo\",\"value\":\"All Subscriptions\"}],\"name\":\"text-SubscriptionFailedControl_RowSelect\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\\r\\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\\r\\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\\r\\nlet sel_param_SubscriptionName_s = dynamic([{param_SubscriptionName_s}]);\\r\\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\\r\\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\\r\\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\\r\\nAzSK_ADO_CL\\r\\n| where TimeGenerated > ago(3d)\\r\\n| summarize arg_max(TimeGenerated, *) by SubscriptionName_s,ControlId_s\\r\\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\\r\\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\\r\\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\\r\\n| where SubscriptionName_s == '{param_selectSubscriptionName}'\\r\\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\\r\\n| where FeatureName_s == \\\"Organization\\\"\\r\\n| extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\r\\n| where ControlStatus == \\\"Failed\\\"\\r\\n| project OrganizationName=SubscriptionName_s, ControlId=ControlId_s, ControlStatus, Recommendation=Recommendation_s, TimeGenerated, Source_s, ControlStatus_s, ActualVerificationResult_s, AttestedBy_s, AttestedDate_s, ExpiryDate_s, Justification_s, RunIdentifier_s, ResourceType, ControlSeverity_s, IsBaselineControl_b \\r\\n| sort by OrganizationName asc, ControlId asc\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No failed controls for the organization in the last 7 days\",\"exportedParameters\":[{\"fieldName\":\"Recommendation\",\"parameterName\":\"param_subsecRecommendation\",\"parameterType\":1},{\"fieldName\":\"ControlId\",\"parameterName\":\"param_subsecControlId\",\"parameterType\":1},{\"fieldName\":\"OrganizationName\",\"parameterName\":\"param_subsecSubscriptionId\",\"parameterType\":1},{\"fieldName\":\"OrganizationName\",\"parameterName\":\"param_subsecSubscriptionName\",\"parameterType\":1}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"# Failed Controls\",\"formatter\":3,\"formatOptions\":{\"palette\":\"red\"}}],\"filter\":true},\"sortBy\":[]},\"conditionalVisibilities\":[{\"parameterName\":\"param_selectSubscriptionName\",\"comparison\":\"isNotEqualTo\",\"value\":\"All Subscriptions\"},{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"SubscriptionSecurity\"}],\"name\":\"table-SubscriptionFailedControlDetails\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡_Click on a row in the table above to see more details_\\r\\n<br />\\r\\n<br />\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"SubscriptionSecurity\"},{\"parameterName\":\"param_selectSubscriptionName\",\"comparison\":\"isNotEqualTo\",\"value\":\"All Subscriptions\"},{\"parameterName\":\"param_subsecControlId\",\"comparison\":\"isEqualTo\"}],\"name\":\"text-SubscriptionFailedControlDetails_RowSelect\"},{\"type\":1,\"content\":{\"json\":\"### Recommendation for control Id: '{param_subsecControlId}'\\r\\n{param_subsecRecommendation}\\r\\n<br/>\\r\\n<br/>\\r\\n\\r\\n### Organization scanning and attestation commands for '{param_subsecSubscriptionName}'\\r\\n\\r\\n**Scan for organization and resource controls** <br/>\\r\\nGet-AzSKADOSecurityStatus -OrganizationName \\\"{param_subsecSubscriptionName}\\\" \\r\\n\\r\\n**Scan for only baseline controls** <br/>\\r\\nGet-AzSKADOSecurityStatus -OrganizationName \\\"{param_subsecSubscriptionName}\\\" -UseBaselineControls\\r\\n\\r\\n**Scan '{param_subsecControlId}' control for the organization** <br/>\\r\\nGet-AzSKADOSecurityStatus -OrganizationName \\\"{param_subsecSubscriptionName}\\\" -ControlIds \\\"{param_subsecControlId}\\\"\\r\\n\\r\\n**Attest '{param_subsecControlId}' control for the organization** <br/>\\r\\nGet-AzSKADOSecurityStatus -OrganizationName \\\"{param_subsecSubscriptionName}\\\" -ControlIds \\\"{param_subsecControlId}\\\" -AttestControls NotAttested\\r\\n<br/>\\r\\n<br/>\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"SubscriptionSecurity\"},{\"parameterName\":\"param_subsecControlId\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"text-SubscriptionFailedControlDetails_DrillDownDetails\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\\r\\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\\r\\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\\r\\nlet sel_param_SubscriptionName_s = dynamic([{param_SubscriptionName_s}]);\\r\\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\\r\\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\\r\\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\\r\\nAzSK_ADO_CL\\r\\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\\r\\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\\r\\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\\r\\n| where array_length(sel_param_SubscriptionName_s) == 0 or SubscriptionName_s in (sel_param_SubscriptionName_s)\\r\\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\\r\\n| where FeatureName_s == \\\"Organization\\\"\\r\\n| extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\r\\n| where ControlStatus==\\\"Failed\\\"\\r\\n| where '{param_selectSubscriptionName}' == \\\"All Subscriptions\\\" or SubscriptionName_s == '{param_selectSubscriptionName}'\\r\\n| extend combined = strcat(ResourceId, \\\"_\\\", SubscriptionName_s) \\r\\n| make-series dcount(combined) default=0 on TimeGenerated in range(ago(30d), now(), 1d) by SubscriptionName_s\\r\\n| mvexpand dcount_combined, TimeGenerated\\r\\n| project todatetime(TimeGenerated), SubscriptionName_s, toint(dcount_combined)\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Failed Control Count Trend (last 30d) - {param_selectSubscriptionName}\",\"noDataMessage\":\"No failed controls for the organization in the last 30 days\",\"timeContext\":{\"durationMs\":2592000000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true},\"sortBy\":[],\"chartSettings\":{\"xSettings\":{},\"ySettings\":{}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"SubscriptionSecurity\"},\"name\":\"SubscriptionFailedControl_30dTrend\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\\r\\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\\r\\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\\r\\nlet sel_param_SubscriptionName_s = dynamic([{param_SubscriptionName_s}]);\\r\\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\\r\\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\\r\\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\\r\\nAzSK_ADO_CL\\r\\n| where TimeGenerated > ago(3d)\\r\\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\\r\\n| extend Env_s = iff(Env_s == \\\"\\\", \\\"NA\\\",Env_s)\\r\\n| extend ResourceType = iff(ResourceType == \\\"\\\", \\\"NA\\\",ResourceType)\\r\\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\\r\\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\\r\\n| where array_length(sel_param_SubscriptionName_s) == 0 or SubscriptionName_s in (sel_param_SubscriptionName_s)\\r\\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\\r\\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\\r\\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\\r\\n| where FeatureName_s == \\\"Project\\\"\\r\\n| extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\r\\n| summarize arg_max(TimeGenerated, *) by SubscriptionId, ResourceId, ControlId_s\\r\\n| where ControlStatus == \\\"Failed\\\"\\r\\n| summarize ['# Failed Controls'] = count() by ControlId_s\\r\\n| sort by ['# Failed Controls'] desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Failed control summary\",\"noDataMessage\":\"No failed controls found\",\"exportFieldName\":\"ControlId_s\",\"exportParameterName\":\"param_selectERControl\",\"exportDefaultValue\":\"All Controls\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"# Failed Controls\",\"formatter\":3,\"formatOptions\":{\"palette\":\"red\"}}]},\"sortBy\":[]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"ERSecurity\"},\"name\":\"table-ERFailedControlCount\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\\r\\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\\r\\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\\r\\nlet sel_param_SubscriptionName_s = dynamic([{param_SubscriptionName_s}]);\\r\\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\\r\\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\\r\\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\\r\\nAzSK_ADO_CL\\r\\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\\r\\n| extend Env_s = iff(Env_s == \\\"\\\", \\\"NA\\\",Env_s)\\r\\n| extend ResourceType = iff(ResourceType == \\\"\\\", \\\"NA\\\",ResourceType)\\r\\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\\r\\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\\r\\n| where array_length(sel_param_SubscriptionName_s) == 0 or SubscriptionName_s in (sel_param_SubscriptionName_s)\\r\\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\\r\\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\\r\\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\\r\\n| where FeatureName_s == \\\"Project\\\"\\r\\n| extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\r\\n| where ControlStatus == \\\"Failed\\\"\\r\\n| where '{param_selectERControl}' == \\\"All Controls\\\" or ControlId_s == '{param_selectERControl}'\\r\\n| extend combined = strcat(ResourceId, \\\"_\\\", ControlId_s) \\r\\n| make-series dcount(combined) default=0 on TimeGenerated in range(ago(7d), now(), 1d) by ControlId_s\\r\\n| mvexpand dcount_combined, TimeGenerated\\r\\n| project todatetime(TimeGenerated), ControlId_s, toint(dcount_combined)\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Failed Control Count Trend (last 7d) - {param_selectERControl}\",\"noDataMessage\":\"No failed controls for this control Id in the last 7 days\",\"timeContext\":{\"durationMs\":604800000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true},\"sortBy\":[],\"chartSettings\":{\"xSettings\":{},\"ySettings\":{}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"ERSecurity\"},\"name\":\"chart-ERFailedControl_7dTrend\"},{\"type\":1,\"content\":{\"json\":\"💡_Click on a row in the table above to see more details_\\r\\n<br />\\r\\n<br />\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"ERSecurity\"},{\"parameterName\":\"param_selectERControl\",\"comparison\":\"isEqualTo\",\"value\":\"All Controls\"}],\"name\":\"text-ERFailedControl_RowSelect\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\\r\\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\\r\\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\\r\\nlet sel_param_SubscriptionName_s = dynamic([{param_SubscriptionName_s}]);\\r\\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\\r\\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\\r\\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\\r\\nAzSK_ADO_CL\\r\\n| where TimeGenerated > ago(3d)\\r\\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\\r\\n| extend Env_s = iff(Env_s == \\\"\\\", \\\"NA\\\",Env_s)\\r\\n| extend ResourceType = iff(ResourceType == \\\"\\\", \\\"NA\\\",ResourceType)\\r\\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\\r\\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\\r\\n| where array_length(sel_param_SubscriptionName_s) == 0 or SubscriptionName_s in (sel_param_SubscriptionName_s)\\r\\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\\r\\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\\r\\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\\r\\n| where FeatureName_s == \\\"Project\\\"\\r\\n| extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\r\\n| where ControlId_s == '{param_selectERControl}'\\r\\n| summarize arg_max(TimeGenerated, *) by SubscriptionName_s, ResourceId, ControlId_s\\r\\n| where ControlStatus == \\\"Failed\\\"\\r\\n| project OrganizationName=SubscriptionName_s, ResourceName = ResourceName_s, ControlId=ControlId_s, ControlStatus, Recommendation=Recommendation_s, TimeGenerated, Source_s, ControlStatus_s, ActualVerificationResult_s, AttestedBy_s, AttestedDate_s, ExpiryDate_s, Justification_s, RunIdentifier_s, ResourceType, ControlSeverity_s, IsBaselineControl_b\\r\\n| sort by OrganizationName asc, tolower(ResourceName) asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Failed Control Details for '{param_selectERControl}'\",\"noDataMessage\":\"No row selected from 'Failed control summary' table\",\"exportedParameters\":[{\"fieldName\":\"Recommendation\",\"parameterName\":\"param_ERSecRecommendation\",\"parameterType\":1},{\"fieldName\":\"ControlId\",\"parameterName\":\"param_ERSecControlId\",\"parameterType\":1},{\"fieldName\":\"OrganizationName\",\"parameterName\":\"param_ERSecResourceSubId\",\"parameterType\":1},{\"fieldName\":\"OrganizationName\",\"parameterName\":\"param_ERSecResourceRg\",\"parameterType\":1},{\"fieldName\":\"ResourceName\",\"parameterName\":\"param_ERSecResourceName\",\"parameterType\":1}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceName\",\"formatter\":5,\"formatOptions\":{}}],\"filter\":true},\"sortBy\":[]},\"conditionalVisibilities\":[{\"parameterName\":\"param_selectERControl\",\"comparison\":\"isNotEqualTo\",\"value\":\"All Controls\"},{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"ERSecurity\"}],\"name\":\"table-ERFailedControlDetails\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡_Click on a row in the table above to see more details_\\r\\n<br />\\r\\n<br />\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"ERSecurity\"},{\"parameterName\":\"param_selectERControl\",\"comparison\":\"isNotEqualTo\",\"value\":\"All Controls\"},{\"parameterName\":\"param_ERSecControlId\",\"comparison\":\"isEqualTo\"}],\"name\":\"text-ERFailedControlDetails_RowSelect\"},{\"type\":1,\"content\":{\"json\":\"### Recommendation for control Id: '{param_ERSecControlId}'\\r\\n{param_ERSecRecommendation}\\r\\n\\r\\n<br/>\\r\\n### Project scanning and attestation commands for '{param_ERSecResourceName}'\\r\\n\\r\\n**Scan all controls for the project** <br/>\\r\\nGet-AzSKADOSecurityStatus -OrganizationName \\\"{param_ERSecResourceRg}\\\" -ProjectNames \\\"{param_ERSecResourceName}\\\" -UseBaselineControls\\r\\n\\r\\n**Scan '{param_ERSecControlId}' control for the resource** <br/>\\r\\nGet-AzSKADOSecurityStatus -OrganizationName \\\"{param_ERSecResourceRg}\\\" -ProjectNames \\\"{param_ERSecResourceName}\\\" -ControlIds \\\"{param_ERSecControlId}\\\"\\r\\n\\r\\n**Attest any unattested baseline controls** <br/>\\r\\nGet-AzSKADOSecurityStatus -OrganizationName \\\"{param_ERSecResourceRg}\\\" -ProjectNames \\\"{param_ERSecResourceName}\\\" -UseBaselineControls -AttestControls NotAttested\\r\\n\\r\\n**Attest '{param_ERSecControlId}' control** <br/>\\r\\nGet-AzSKADOSecurityStatus -OrganizationName \\\"{param_ERSecResourceRg}\\\" -ProjectNames \\\"{param_ERSecResourceName}\\\" -ControlIds \\\"{param_ERSecControlId}\\\" -AttestControls NotAttested\\r\\n\\r\\n\\r\\n<br/>\\r\\n<br/>\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"ERSecurity\"},{\"parameterName\":\"param_ERSecControlId\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"text-ERFailedControlDetails_DrillDownDetails\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\\r\\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\\r\\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\\r\\nlet sel_param_SubscriptionName_s = dynamic([{param_SubscriptionName_s}]);\\r\\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\\r\\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\\r\\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\\r\\nAzSK_ADO_CL\\r\\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\\r\\n| extend Env_s = iff(Env_s == \\\"\\\", \\\"NA\\\",Env_s)\\r\\n| extend ResourceType = iff(ResourceType == \\\"\\\", \\\"NA\\\",ResourceType)\\r\\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\\r\\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\\r\\n| where array_length(sel_param_SubscriptionName_s) == 0 or SubscriptionName_s in (sel_param_SubscriptionName_s)\\r\\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\\r\\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\\r\\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\\r\\n| where FeatureName_s == \\\"Project\\\"\\r\\n| extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\r\\n| where ControlStatus == \\\"Failed\\\"\\r\\n| where '{param_selectERControl}' == \\\"All Controls\\\" or ControlId_s == '{param_selectERControl}'\\r\\n| extend combined = strcat(ResourceId, \\\"_\\\", ControlId_s) \\r\\n| make-series dcount(combined) default=0 on TimeGenerated in range(ago(30d), now(), 1d) by ControlId_s\\r\\n| mvexpand dcount_combined, TimeGenerated\\r\\n| project todatetime(TimeGenerated), ControlId_s, toint(dcount_combined)\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Failed Control Count Trend (last 30d) - {param_selectERControl}\",\"timeContext\":{\"durationMs\":2592000000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true},\"sortBy\":[],\"chartSettings\":{\"xSettings\":{},\"ySettings\":{}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"ERSecurity\"},\"name\":\"chart-ERFailedControl_30dTrend\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\\r\\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\\r\\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\\r\\nlet sel_param_SubscriptionName_s = dynamic([{param_SubscriptionName_s}]);\\r\\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\\r\\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\\r\\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\\r\\nAzSK_ADO_CL\\r\\n| where TimeGenerated > ago(3d)\\r\\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\\r\\n| extend Env_s = iff(Env_s == \\\"\\\", \\\"NA\\\",Env_s)\\r\\n| extend ResourceType = iff(ResourceType == \\\"\\\", \\\"NA\\\",ResourceType)\\r\\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\\r\\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\\r\\n| where array_length(sel_param_SubscriptionName_s) == 0 or SubscriptionName_s in (sel_param_SubscriptionName_s)\\r\\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\\r\\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\\r\\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\\r\\n| where FeatureName_s != \\\"Organization\\\" and FeatureName_s != \\\"Project\\\"\\r\\n| extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\r\\n| summarize arg_max(TimeGenerated, *) by SubscriptionId, ResourceId, ControlId_s\\r\\n| where ControlStatus == \\\"Failed\\\"\\r\\n| summarize ['# Failed Controls'] = count() by ControlId_s\\r\\n| sort by ['# Failed Controls'] desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Failed control summary\",\"noDataMessage\":\"No failed controls found\",\"exportFieldName\":\"ControlId_s\",\"exportParameterName\":\"param_selectResourceControl\",\"exportDefaultValue\":\"All Controls\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"# Failed Controls\",\"formatter\":3,\"formatOptions\":{\"palette\":\"red\"}}]},\"sortBy\":[]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"ResourceSecurity\"},\"name\":\"table-ResourceFailedControlCount\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\\r\\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\\r\\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\\r\\nlet sel_param_SubscriptionName_s = dynamic([{param_SubscriptionName_s}]);\\r\\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\\r\\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\\r\\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\\r\\nAzSK_ADO_CL\\r\\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\\r\\n| extend Env_s = iff(Env_s == \\\"\\\", \\\"NA\\\",Env_s)\\r\\n| extend ResourceType = iff(ResourceType == \\\"\\\", \\\"NA\\\",ResourceType)\\r\\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\\r\\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\\r\\n| where array_length(sel_param_SubscriptionName_s) == 0 or SubscriptionName_s in (sel_param_SubscriptionName_s)\\r\\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\\r\\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\\r\\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\\r\\n| where FeatureName_s != \\\"Organization\\\" and FeatureName_s != \\\"Project\\\"\\r\\n| extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\r\\n| where ControlStatus == \\\"Failed\\\"\\r\\n| where '{param_selectResourceControl}' == \\\"All Controls\\\" or ControlId_s == '{param_selectResourceControl}'\\r\\n| extend combined = strcat(ResourceId, \\\"_\\\", ControlId_s) \\r\\n| make-series dcount(combined) default=0 on TimeGenerated in range(ago(7d), now(), 1d) by ControlId_s\\r\\n| mvexpand dcount_combined, TimeGenerated\\r\\n| project todatetime(TimeGenerated), ControlId_s, toint(dcount_combined)\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Failed Control Count Trend (last 7d) - {param_selectResourceControl}\",\"noDataMessage\":\"No failed controls for this control Id in the last 7 days\",\"timeContext\":{\"durationMs\":604800000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true},\"sortBy\":[],\"chartSettings\":{\"xSettings\":{},\"ySettings\":{}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"ResourceSecurity\"},\"name\":\"chart-ResourceFailedControl_7dTrend\"},{\"type\":1,\"content\":{\"json\":\"💡_Click on a row in the table above to see more details_\\r\\n<br />\\r\\n<br />\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"ResourceSecurity\"},{\"parameterName\":\"param_selectResourceControl\",\"comparison\":\"isEqualTo\",\"value\":\"All Controls\"}],\"name\":\"text-ResourceFailedControl_RowSelect\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\\r\\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\\r\\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\\r\\nlet sel_param_SubscriptionName_s = dynamic([{param_SubscriptionName_s}]);\\r\\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\\r\\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\\r\\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\\r\\nAzSK_ADO_CL\\r\\n| where TimeGenerated > ago(3d)\\r\\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\\r\\n| extend Env_s = iff(Env_s == \\\"\\\", \\\"NA\\\",Env_s)\\r\\n| extend ResourceType = iff(ResourceType == \\\"\\\", \\\"NA\\\",ResourceType)\\r\\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\\r\\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\\r\\n| where array_length(sel_param_SubscriptionName_s) == 0 or SubscriptionName_s in (sel_param_SubscriptionName_s)\\r\\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\\r\\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\\r\\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\\r\\n| where FeatureName_s != \\\"Organization\\\" and FeatureName_s != \\\"Project\\\"\\r\\n| extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\r\\n| where ControlId_s == '{param_selectResourceControl}'\\r\\n| summarize arg_max(TimeGenerated, *) by SubscriptionName_s, ResourceId, ControlId_s\\r\\n| where ControlStatus == \\\"Failed\\\"\\r\\n| project OrganizationName=SubscriptionName_s, ProjectName=ResourceGroup,ResourceName=ResourceName_s, ControlId=ControlId_s, ControlStatus, Recommendation=Recommendation_s, TimeGenerated, Source_s, ControlStatus_s, ActualVerificationResult_s, AttestedBy_s, AttestedDate_s, ExpiryDate_s, Justification_s, RunIdentifier_s, ResourceType, ControlSeverity_s, IsBaselineControl_b\\r\\n| sort by OrganizationName asc, ProjectName asc, tolower(ResourceName) asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Failed Control Details for '{param_selectResourceControl}'\",\"noDataMessage\":\"No row selected from 'Failed control summary' table\",\"exportedParameters\":[{\"fieldName\":\"Recommendation\",\"parameterName\":\"param_resourceSecRecommendation\",\"parameterType\":1},{\"fieldName\":\"ControlId\",\"parameterName\":\"param_resourceSecControlId\",\"parameterType\":1},{\"fieldName\":\"OrganizationName\",\"parameterName\":\"param_resourceSecResourceSubId\",\"parameterType\":1},{\"fieldName\":\"ProjectName\",\"parameterName\":\"param_resourceSecResourceRg\",\"parameterType\":1},{\"fieldName\":\"ResourceName\",\"parameterName\":\"param_resourceSecResourceName\",\"parameterType\":1}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceName\",\"formatter\":5,\"formatOptions\":{}}],\"filter\":true},\"sortBy\":[]},\"conditionalVisibilities\":[{\"parameterName\":\"param_selectResourceControl\",\"comparison\":\"isNotEqualTo\",\"value\":\"All Controls\"},{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"ResourceSecurity\"}],\"name\":\"table-ResourceFailedControlDetails\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡_Click on a row in the table above to see more details_\\r\\n<br />\\r\\n<br />\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"ResourceSecurity\"},{\"parameterName\":\"param_selectResourceControl\",\"comparison\":\"isNotEqualTo\",\"value\":\"All Controls\"},{\"parameterName\":\"param_resourceSecControlId\",\"comparison\":\"isEqualTo\"}],\"name\":\"text-ResourceFailedControlDetails_RowSelect\"},{\"type\":1,\"content\":{\"json\":\"### Recommendation for control Id: '{param_resourceSecControlId}'\\r\\n{param_resourceSecRecommendation}\\r\\n\\r\\n<br/>\\r\\n### Resource scanning and attestation commands for '{param_resourceSecResourceName}'\\r\\n\\r\\n**Scan all controls for the resource** <br/>\\r\\nGet-AzSKADOSecurityStatus -OrganizationName \\\"{param_resourceSecResourceSubId}\\\" -ProjectNames \\\"{param_resourceSecResourceRg}\\\" -ResourceNames \\\"{param_resourceSecResourceName}\\\" -UseBaselineControls\\r\\n\\r\\n**Scan '{param_resourceSecControlId}' control for the resource** <br/>\\r\\nGet-AzSKADOSecurityStatus -OrganizationName \\\"{param_resourceSecResourceSubId}\\\" -ProjectNames \\\"{param_resourceSecResourceRg}\\\" -ResourceNames \\\"{param_resourceSecResourceName}\\\" -ControlIds \\\"{param_resourceSecControlId}\\\"\\r\\n\\r\\n**Attest any unattested baseline controls** <br/>\\r\\nGet-AzSKADOSecurityStatus -OrganizationName \\\"{param_resourceSecResourceSubId}\\\" -ProjectNames \\\"{param_resourceSecResourceRg}\\\" -ResourceNames \\\"{param_resourceSecResourceName}\\\" -UseBaselineControls -AttestControls NotAttested\\r\\n\\r\\n**Attest '{param_resourceSecControlId}' control** <br/>\\r\\nGet-AzSKADOSecurityStatus -OrganizationName \\\"{param_resourceSecResourceSubId}\\\" -ProjectNames \\\"{param_resourceSecResourceRg}\\\" -ResourceNames \\\"{param_resourceSecResourceName}\\\" -ControlIds \\\"{param_resourceSecControlId}\\\" -AttestControls NotAttested\\r\\n\\r\\n\\r\\n<br/>\\r\\n<br/>\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"ResourceSecurity\"},{\"parameterName\":\"param_resourceSecControlId\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"text-ResourceFailedControlDetails_DrillDownDetails\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\\r\\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\\r\\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\\r\\nlet sel_param_SubscriptionName_s = dynamic([{param_SubscriptionName_s}]);\\r\\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\\r\\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\\r\\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\\r\\nAzSK_ADO_CL\\r\\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\\r\\n| extend Env_s = iff(Env_s == \\\"\\\", \\\"NA\\\",Env_s)\\r\\n| extend ResourceType = iff(ResourceType == \\\"\\\", \\\"NA\\\",ResourceType)\\r\\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\\r\\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\\r\\n| where array_length(sel_param_SubscriptionName_s) == 0 or SubscriptionName_s in (sel_param_SubscriptionName_s)\\r\\n| where array_length(sel_param_ResourceType) == 0 or ResourceType in (sel_param_ResourceType)\\r\\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\\r\\n| where array_length(sel_param_Env_s) == 0 or Env_s in (sel_param_Env_s)\\r\\n| where FeatureName_s != \\\"Organization\\\"\\r\\n| extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\r\\n| where ControlStatus == \\\"Failed\\\"\\r\\n| where '{param_selectResourceControl}' == \\\"All Controls\\\" or ControlId_s == '{param_selectResourceControl}'\\r\\n| extend combined = strcat(ResourceId, \\\"_\\\", ControlId_s) \\r\\n| make-series dcount(combined) default=0 on TimeGenerated in range(ago(30d), now(), 1d) by ControlId_s\\r\\n| mvexpand dcount_combined, TimeGenerated\\r\\n| project todatetime(TimeGenerated), ControlId_s, toint(dcount_combined)\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Failed Control Count Trend (last 30d) - {param_selectResourceControl}\",\"timeContext\":{\"durationMs\":2592000000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true},\"sortBy\":[],\"chartSettings\":{\"xSettings\":{},\"ySettings\":{}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"ResourceSecurity\"},\"name\":\"chart-ResourceFailedControl_30dTrend\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzSK_ADO_CL\\r\\n| where TimeGenerated > ago(3d)\\r\\n| summarize arg_max(TimeGenerated, *) by SubscriptionName_s\\r\\n| project SubscriptionName=SubscriptionName_s, LastScanTime=TimeGenerated, SubscriptionId\\r\\n| join kind=leftouter\\r\\n(\\r\\n AzSK_ADO_CL\\r\\n | where ScannedBy_s == ''\\r\\n | summarize arg_max(TimeGenerated, *) by SubscriptionName_s\\r\\n | project SubscriptionName=SubscriptionName_s, LastCAScanTime=TimeGenerated\\r\\n)\\r\\non SubscriptionName\\r\\n| join kind=leftouter\\r\\n(\\r\\n AzSK_ADO_CL\\r\\n | where ScannedBy_s != ''\\r\\n | summarize arg_max(TimeGenerated, *) by SubscriptionName_s\\r\\n | project SubscriptionName=SubscriptionName_s, LastUserScanTime=TimeGenerated, LastUserScannedBy=ScannedBy_s\\r\\n)\\r\\non SubscriptionName\\r\\n| join kind=leftouter\\r\\n(\\r\\n AzSK_ADO_CL\\r\\n | extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\r\\n | where ControlStatus == \\\"Failed\\\"\\r\\n | summarize arg_max(TimeGenerated, *) by SubscriptionName_s\\r\\n | project SubscriptionName=SubscriptionName_s, LastFailedControlTime=TimeGenerated\\r\\n)\\r\\non SubscriptionName\\r\\n| extend FullScanCommand = strcat(\\\"Get-AzSKADOSecurityStatus -OrganizationName \\\\\\\"\\\", SubscriptionName, \\\"\\\\\\\" -UseBaselineControls -ScanAllArtifact\\\")\\r\\n| extend SubscriptionScanCommand = strcat(\\\"Get-AzSKADOSecurityStatus -OrganizationName \\\\\\\"\\\", SubscriptionId, \\\"\\\\\\\" -UseBaselineControls -ResourceTypeName Organization\\\")\\r\\n| extend ResourceScanCommand = strcat(\\\"Get-AzSKADOSecurityStatus -OrganizationName \\\\\\\"\\\", SubscriptionId, \\\"\\\\\\\" -UseBaselineControls -ResourceTypeName Build_Release_SvcConn_AgentPool_User\\\")\\r\\n| project SubscriptionName, LastScanTime, LastCAScanTime, LastUserScanTime, LastUserScannedBy, LastFailedControlTime, FullScanCommand, SubscriptionScanCommand, ResourceScanCommand\\r\\n| sort by SubscriptionName asc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Connected Organizations\",\"timeContext\":{\"durationMs\":2592000000},\"exportedParameters\":[{\"fieldName\":\"FullScanCommand\",\"parameterName\":\"param_infoFullScan\",\"parameterType\":1},{\"fieldName\":\"SubscriptionName\",\"parameterName\":\"param_infoSubName\",\"parameterType\":1},{\"fieldName\":\"SubscriptionScanCommand\",\"parameterName\":\"param_infoSubScan\",\"parameterType\":1},{\"fieldName\":\"ResourceScanCommand\",\"parameterName\":\"param_infoResourceScan\",\"parameterType\":1}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FullScanCommand\",\"formatter\":5,\"formatOptions\":{}},{\"columnMatch\":\"SubscriptionScanCommand\",\"formatter\":5,\"formatOptions\":{}},{\"columnMatch\":\"ResourceScanCommand\",\"formatter\":5,\"formatOptions\":{}}]},\"sortBy\":[]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Explore\"},\"name\":\"table-ConnectedSubscriptions\"},{\"type\":1,\"content\":{\"json\":\"### Organization scanning commands\\r\\n\\r\\n**Scan '{param_infoSubName}' for organization and resource controls** <br/>\\r\\n{param_infoFullScan}\\r\\n\\r\\n**Scan '{param_infoSubName}' for only organization controls** <br/>\\r\\n{param_infoSubScan}\\r\\n\\r\\n**Scan '{param_infoSubName}' for only resource controls** <br/>\\r\\n{param_infoResourceScan}\\r\\n\\r\\n<br/>\\r\\n<br/>\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Explore\"},{\"parameterName\":\"param_infoSubName\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"text-ConnectedSubscriptions_DrillDownDetails\"},{\"type\":1,\"content\":{\"json\":\"💡_Click on a row in the table above to generate organization scanning commands_\\r\\n<br />\\r\\n<br />\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Explore\"},{\"parameterName\":\"param_infoSubName\",\"comparison\":\"isEqualTo\"}],\"name\":\"text-ConnectedSubscriptions_RowSelect\"},{\"type\":1,\"content\":{\"json\":\"<br />\\r\\n<br />\\r\\n### Enter a resource name to get AzSK.AzureDevops scan details and useful commands\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Explore\"},\"name\":\"text-ExploreResource\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c23e8784-78c9-4312-9c7b-763861a26e7e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"param_ExploreResourceName\",\"label\":\"Resource Name\",\"type\":1,\"description\":\"Enter a resource name to display all currently failed controls\",\"value\":\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Explore\"},\"name\":\"parameters-ExploreResource\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzSK_ADO_CL\\r\\n| where TimeGenerated > ago(3d)\\r\\n| where FeatureName_s != \\\"Organization\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by ResourceId\\r\\n| where ResourceName_s =~ '{param_ExploreResourceName}'\\r\\n| project ResourceId, ResourceName=ResourceName_s, LastScanTime=TimeGenerated, SubscriptionName=SubscriptionName_s, SubscriptionId, ResourceGroup, ResourceType\\r\\n| join kind=leftouter\\r\\n(\\r\\n AzSK_ADO_CL\\r\\n | where ScannedBy_s == ''\\r\\n | where FeatureName_s != \\\"Organization\\\" and FeatureName_s != \\\"Project\\\"\\r\\n | summarize arg_max(TimeGenerated, *) by ResourceId\\r\\n | where ResourceName_s =~ '{param_ExploreResourceName}'\\r\\n | project ResourceId, LastCAScanTime=TimeGenerated\\r\\n)\\r\\non ResourceId\\r\\n| join kind=leftouter\\r\\n(\\r\\n AzSK_ADO_CL\\r\\n | where ScannedBy_s != ''\\r\\n | where FeatureName_s != \\\"Organization\\\" and FeatureName_s != \\\"Project\\\"\\r\\n | summarize arg_max(TimeGenerated, *) by ResourceId\\r\\n | where ResourceName_s =~ '{param_ExploreResourceName}'\\r\\n | project ResourceId, LastUserScanTime=TimeGenerated, LastUserScannedBy=ScannedBy_s\\r\\n)\\r\\non ResourceId\\r\\n| join kind=leftouter\\r\\n(\\r\\n AzSK_ADO_CL\\r\\n | where FeatureName_s != \\\"Organization\\\"\\r\\n | extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\r\\n | where ControlStatus == \\\"Failed\\\"\\r\\n | summarize arg_max(TimeGenerated, *) by ResourceId\\r\\n | where ResourceName_s =~ '{param_ExploreResourceName}'\\r\\n | project ResourceId, LastFailedControlTime=TimeGenerated\\r\\n)\\r\\non ResourceId\\r\\n| project Resource=ResourceId, LastScanTime, LastCAScanTime, LastUserScanTime, LastUserScannedBy, LastFailedControlTime, ResourceGroup, ResourceName, SubscriptionId, ResourceType\",\"size\":3,\"showAnalytics\":true,\"title\":\"Resource Explore\",\"timeContext\":{\"durationMs\":2592000000},\"exportedParameters\":[{\"fieldName\":\"SubscriptionId\",\"parameterName\":\"param_infoResourceSubId\",\"parameterType\":1},{\"fieldName\":\"ResourceGroup\",\"parameterName\":\"param_infoResourceRg\",\"parameterType\":1},{\"fieldName\":\"ResourceName\",\"parameterName\":\"param_infoResourceName\",\"parameterType\":1}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceName\",\"formatter\":5,\"formatOptions\":{}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Explore\"},\"name\":\"table-ExploreResource\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡_Click on a row in the table above to generate resource scanning commands_\\r\\n<br />\\r\\n<br />\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Explore\"},{\"parameterName\":\"param_infoResourceName\",\"comparison\":\"isEqualTo\"}],\"name\":\"text-ResourceExplore_RowSelect\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let sel_param_HasRequiredAccess_b = dynamic([{param_HasRequiredAccess_b}]);\\r\\nlet sel_param_IsBaselineControl_b = dynamic([{param_IsBaselineControl_b}]);\\r\\nlet sel_param_IsPreviewBaselineControl_b = dynamic([{param_IsPreviewBaselineControl_b}]);\\r\\nlet sel_param_SubscriptionName_s = dynamic([{param_SubscriptionName_s}]);\\r\\nlet sel_param_ResourceType = dynamic([{param_ResourceType}]);\\r\\nlet sel_param_ControlSeverity_s = dynamic([{param_ControlSeverity_s}]);\\r\\nlet sel_param_Env_s = dynamic([{param_Env_s}]);\\r\\nAzSK_ADO_CL\\r\\n| where TimeGenerated > ago(3d)\\r\\n| where array_length(sel_param_HasRequiredAccess_b) == 0 or HasRequiredAccess_b in (sel_param_HasRequiredAccess_b)\\r\\n| where array_length(sel_param_IsBaselineControl_b) == 0 or IsBaselineControl_b in (sel_param_IsBaselineControl_b)\\r\\n| where array_length(sel_param_IsPreviewBaselineControl_b) == 0 or IsPreviewBaselineControl_b in (sel_param_IsPreviewBaselineControl_b)\\r\\n| where array_length(sel_param_ControlSeverity_s) == 0 or ControlSeverity_s in (sel_param_ControlSeverity_s)\\r\\n| where FeatureName_s != \\\"Organization\\\"\\r\\n| where ResourceName_s =~ '{param_ExploreResourceName}'\\r\\n| extend ControlStatus = iff(ControlStatus_s == \\\"Passed\\\", \\\"Passed\\\",\\\"Failed\\\")\\r\\n| summarize arg_max(TimeGenerated, *) by SubscriptionId, ResourceId, ControlId_s\\r\\n| where ControlStatus == \\\"Failed\\\"\\r\\n| project Resource=ResourceId, ControlId=ControlId_s, ResourceGroup, SubscriptionId, ResourceName=ResourceName_s, ResourceType\\r\\n| sort by ControlId asc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Current failed controls - '{param_ExploreResourceName}'\",\"noDataMessage\":\"There are no failed controls for the given resource or the filter is empty\",\"exportedParameters\":[{\"fieldName\":\"ControlId\",\"parameterName\":\"param_infoResourceFailedControlId\",\"parameterType\":1},{\"fieldName\":\"SubscriptionId\",\"parameterName\":\"param_infoResourceFailedSubscriptionId\",\"parameterType\":1},{\"fieldName\":\"ResourceGroup\",\"parameterName\":\"param_infoResourceFailedResourceGroup\",\"parameterType\":1},{\"fieldName\":\"ResourceName\",\"parameterName\":\"param_infoResourceFailedResourceName\",\"parameterType\":1}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceName\",\"formatter\":5,\"formatOptions\":{}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Explore\"},\"name\":\"table-ExploreResourceFailedControls\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡_Click on a row in the table above to generate resource scanning commands_\\r\\n<br />\\r\\n<br />\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Explore\"},{\"parameterName\":\"param_infoResourceName\",\"comparison\":\"isEqualTo\"},{\"parameterName\":\"param_infoResourceFailedControlId\",\"comparison\":\"isEqualTo\"}],\"name\":\"text-ExploreResourceFailedControls_RowSelect\"},{\"type\":1,\"content\":{\"json\":\"### Resource scanning and attestation commands for resource '{param_ExploreResourceName}'\\r\\n\\r\\n**Scan all controls for the resource** <br/>\\r\\nGet-AzSKADOSecurityStatus -OrganizationName \\\"{param_infoResourceRg}\\\" -ProjectNames \\\"{param_infoResourceName}\\\" -UseBaselineControls\\r\\n\\r\\n**Attest any unattested baseline controls** <br/>\\r\\nGet-AzSKADOSecurityStatus -OrganizationName \\\"{param_infoResourceRg}\\\" -ProjectNames \\\"{param_infoResourceName}\\\" -UseBaselineControls -AttestControls NotAttested\\r\\n\\r\\n<br/>\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Explore\"},{\"parameterName\":\"param_infoResourceName\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"text-ExploreResource_DrillDownDetails\"},{\"type\":1,\"content\":{\"json\":\"### Scanning and attestation commands for '{param_infoResourceFailedControlId}' control on resource '{param_infoResourceFailedResourceName}'\\r\\n\\r\\n**Scan '{param_infoResourceFailedControlId}' control for the resource** <br/>\\r\\nGet-AzSKADOSecurityStatus -OrganizationName \\\"{param_infoResourceFailedResourceGroup}\\\" -ProjectNames \\\"{param_infoResourceFailedResourceName}\\\" -ControlIds \\\"{param_infoResourceFailedControlId}\\\"\\r\\n\\r\\n**Attest '{param_infoResourceFailedControlId}' control for the resource** <br/>\\r\\nGet-AzSKADOSecurityStatus -OrganizationName \\\"{param_infoResourceFailedResourceGroup}\\\" -ProjectNames \\\"{param_infoResourceFailedResourceName}\\\" -ControlIds \\\"{param_infoResourceFailedControlId}\\\" -AttestControls NotAttested\\r\\n\\r\\n\\r\\n<br/>\\r\\n<br/>\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Explore\"},{\"parameterName\":\"param_infoResourceFailedControlId\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"text-ExploreResourceFailedControls_DrillDownDetails\"},{\"type\":1,\"content\":{\"json\":\"# Using this workbook\\r\\nThis workbook contains multiple tabs to help you discover, troubleshoot and remediate AzSK.AzureDevops controls. Each tab has a particular focus from high-level overview, to detailed control data. Many sections will also generate ready-to-run commands for scanning and attestation to quickly target the organizations, resources and controls you need to address.\\r\\n\\r\\nEvery tab depicts baseline control events received by your Log Analytics workspace for the last scan done within last 3 days. Typically these would be events generated via Continuous Assurance (CA) scanning. However, manual scan results can also come here if AzSK.AzureDevops is configured to forward local scan events to Log Analytics.\\r\\n\\r\\nIt is important to understand that, per the current plan, CA scanning will be turned on for various resource types/controls in waves. At any stage, this view will only show the baseline controls which have been (centrally) enabled for CA scanning. This is to improve our security posture in multiple 'waves'. If you would like to determine and fix controls beyond the ones currently enabled, you can manually run the scan commands and look at the CSV (or this view if you have local Log Analytics forwarding enabled in AzSK.AzureDevops).\\r\\n\\r\\nIf multiple organizations have been configured to use this Log Analytics workspace then the view aggregates data from all organizations. (You can use/apply filters to view the data for a specific organization.)\\r\\n\\r\\nNote that, although it should serve the needs of a lot of scenarios, this is still just a sample view. There are lots of possible ways other views can be generated by you (or you can integrate one or more blades from this view into your own views).\\r\\n\\r\\n## There are 5 tabs in this workbook\\r\\n\\r\\n1. **Overview** <br/>\\r\\nThis tab contains an \\\"at-a-glance\\\" summary of the health for AzSK.AzureDevops controls for all organizations sending data to the workspace.\\r\\n\\r\\n1. **Organization Security** <br/>\\r\\nThis tab contains details about organization security controls in your organizations. Control failures in this area will typically need organization owner privilege to fix. Multiple drill downs are available to highlight the most useful information, including ready-to-paste scanning and attestation commands. 7 and 30 day trending charts are also avaialable to help you understand when controls started or stopped failing.\\r\\n\\r\\n1. **Project Security** <br/>\\r\\nThis tab contains details about ptojrct security controls in your organizations. \\r\\n\\r\\n1. **Resource Security** <br/>\\r\\nThis tab contains details about resource security controls in your organizations. Multiple drill downs are available to highlight the most useful information, including ready-to-paste scanning and attestation commands. 7 and 30 day trending charts are also avaialable to help you understand when controls started or stopped failing.\\r\\n\\r\\n1. **Explore** <br/>\\r\\nThis tab contains tools to explore you AzSK.AzureDevops log analytics data.\\r\\n - **Connected organizations** - Explore what organizations have sent data to your log analytics workspace in the last 30 days. You'll see detailed information like that date of the last Continuous Assurance or user scan and what the username was. Clicking on rows in this table will provide copy/paste organization scanning commands you can use to perform manual scans required by some AzSK.AzureDevops controls.\\r\\n - **Resource exploration** - In this section you can enter the name of a resource to get more details. You'll see detailed information like that date of the last Continuous Assurance or user scan for that resource and what the username was. You'll also see a table outlining the current failed controls for this resource. Clicking on a row from either table will provide additional copy/paste resource scanning and attestation commands you can use to perform targetted manual scans or attestations.\\r\\n\\r\\n1. **Help** <br/>\\r\\nThis tab provides details on how to use this workbook. You are on this tab.\\r\\n\\r\\n## Filters\\r\\nYou can apply filters to this view to evaluate all queries with additional conditions. The filters will appear at the top of every tab and will affect every query with a few exceptions (e.g. Connected organizations table on the 'Explore' tab). Filters are applied instantly. Multiple options on a single filter can be selected at once in addition to using multiple filters at once.\\r\\n\\r\\n### Available filters:\\r\\n\\r\\n1. **Baseline:** Select whether to include baseline controls (Default: True)\\r\\n1. **Preview Baseline:** Select whether to include preview (extended) baseline controls (Default: False)\\r\\n1. **Organization Name:** Select which organization(s) to include (Default: All)\\r\\n1. **Severity:** Select which severities to include. AzSK.AzureDevops controls are classified into categories: Critical, High, Medium, and Low (Default: All)\\r\\n1. **Resource Type:** Select which resource type to include. e.g. \\\"AppSerice\\\", \\\"Automation\\\", and more. (Default: All)\\r\\n1. **Environment:** Select which Environment to include. You can tag your resource groups with \\\"Env\\\" tag using which you'll be able to filter results accordingly. For instance, you can Tag multiple resource groups as \\\"Production\\\" and view the scan results for production resources only. (Default: All)\\r\\n1. **Has Required Access?** Select whether to include controls for which the scanner did not have required access to evaluate (Default: True)\\r\\n\\r\\n## Additional workbook features\\r\\n### Drill Downs\\r\\nMany tables include the ability to click on a row and drill down to gain additional details without being redirected to a log analytics query window. Tables that have this option will have a message noted with the light bulb icon 💡. When a row is selected, additional tables and text boxes may become visible or some content may be further filtered. Your selection may be cleared by clicking the 'undo' icon in the top right corner of the table.\\r\\n\\r\\n### Resource Links\\r\\nThis powerful tool let's you investigate your Azure resources without leaving the context of the workbook. Whenever you see a clickable link in a table you can use it to navigate directly to the resource. When done investigating, you can navigate back to the workbook by clicking on the workbook name in the top left corner of the Azure portal. When you return, the workbook is as you left it.\\r\\n\\r\\n### Exporting Options\\r\\nIf you want to export or explore your data further there are two options.\\r\\n - **Open query in Log Analytics Log view** - Clicking the Log Analytics icon in the top right corner of a table or chart will open your query in the Log Analytics log view where you can edit it further to get the data you need.\\r\\n - **Export to Excel** - Clicking the download icon in the top right corner of a table or chart will download the current query results to an XLSX file.\\r\\n\\r\\nHappy Security Monitoring!\\r\\n\\r\\n## Support\\r\\nThis workbook is provided with AzSK.AzureDevops.\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Help\"},\"name\":\"text-Help\"}],\"isLocked\":false,\"fallbackResourceIds\":\"\",\"styleSettings\":{\"paddingStyle\":\"none\"}}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "workbook" } } ], "outputs": { "workbookId": { "type": "string", "value": "[resourceId( 'microsoft.insights/workbooks', parameters('workbookId'))]" } }, "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#" } |