Public/Deploy/Core/monitoring/WorkspaceUsage.workbook.json
{
"$schema": "https://raw.githubusercontent.com/microsoft/Application-Insights-Workbooks/master/schema/workbook.json", "fromTemplateId": "sentinel-WorkspaceUsage", "version": "Notebook/1.0", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "value::selected" ], "parameters": [ { "id": "ccd5adcd-8d59-4cfe-99ec-98075de2e253", "version": "KqlParameterItem/1.0", "name": "DefaultSubscription_Internal", "type": 1, "isRequired": true, "query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId", "crossComponentResources": [ "value::selected" ], "isHiddenWhenLocked": true, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "1ca69445-60fc-4806-b43d-ac7e6aad630a", "version": "KqlParameterItem/1.0", "name": "Subscription", "type": 6, "query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\r\n", "crossComponentResources": [ "value::selected" ], "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "value": "" }, { "id": "e94aafa3-c5d9-4523-89f0-4e87aa754511", "version": "KqlParameterItem/1.0", "name": "Workspace", "type": 5, "query": "where type =~ 'microsoft.operationalinsights/workspaces'\n| project id", "crossComponentResources": [ "{Subscription}" ], "value": "", "typeSettings": { "resourceTypeFilter": { "microsoft.operationalinsights/workspaces": true }, "additionalResourceOptions": [] }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "eafaa0ec-7c3a-4ee5-babe-9850080c909d", "version": "KqlParameterItem/1.0", "name": "resourceGroup", "type": 1, "query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| where id == \"{Workspace}\"\r\n| project 
resourceGroup", "crossComponentResources": [ "value::selected" ], "isHiddenWhenLocked": true, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "c4b69c01-2263-4ada-8d9c-43433b739ff3", "version": "KqlParameterItem/1.0", "name": "TimeRange", "type": 4, "value": { "durationMs": 2592000000 }, "typeSettings": { "selectableValues": [ { "durationMs": 300000 }, { "durationMs": 900000 }, { "durationMs": 1800000 }, { "durationMs": 3600000 }, { "durationMs": 14400000 }, { "durationMs": 43200000 }, { "durationMs": 86400000 }, { "durationMs": 172800000 }, { "durationMs": 259200000 }, { "durationMs": 604800000 }, { "durationMs": 1209600000 }, { "durationMs": 2419200000 }, { "durationMs": 2592000000 }, { "durationMs": 5184000000 }, { "durationMs": 7776000000 } ], "allowCustom": true } }, { "id": "27308a9d-46a2-4fca-8035-e813201fb4f8", "version": "KqlParameterItem/1.0", "name": "GiBperday", "type": 1, "description": "Shows Average per Day over selected Duration (GiB)", "query": "union withsource = tt *\r\n| where TimeGenerated > startofday({TimeRange:start}) and TimeGenerated < startofday({TimeRange:end})\r\n// Only look at chargeable Tables\r\n| where _IsBillable == True\r\n| summarize\r\nTotalGBytes =round(sum(_BilledSize/(1024*1024*1024)),2)\r\nby bin(TimeGenerated, 1d)//, Solution=tt\r\n| summarize round(avg(TotalGBytes),2)\r\n", "crossComponentResources": [ "{Workspace}" ], "isHiddenWhenLocked": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "c71f3009-a3f4-4aa5-aaf0-d0f667100e56", "version": "KqlParameterItem/1.0", "name": "Help", "label": "Show Help", "type": 10, "description": "This will show some help information to help you understand the page you are on", "isRequired": true, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n { \"value\": \"No\", \"label\": \"No\", \"selected\":true },\r\n { \"value\": \"Change 
Log\", \"label\": \"Change Log\"}\r\n]" }, { "id": "bd9b6f2d-3e7b-4d2c-83b4-f77154f6af42", "version": "KqlParameterItem/1.0", "name": "GiBtotal", "type": 1, "query": "union withsource = tt *\r\n| where TimeGenerated {TimeRange:query}\r\n// Only look at chargeable Tables\r\n| where _IsBillable == True\r\n| summarize TotalGBytes =round(sum(_BilledSize/(1024*1024*1024)),2)", "crossComponentResources": [ "{Workspace}" ], "isHiddenWhenLocked": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" } ], "style": "above", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, "name": "parameters - 1" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "tabs", "links": [ { "id": "4df9243a-749d-4698-98f6-188e0b687e13", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Workspace Info", "subTarget": "WorkspaceInfo", "style": "link" }, { "id": "4c0faa80-5c85-4d02-989d-37921b12ae87", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Latency", "subTarget": "Latency", "style": "link" }, { "id": "ffceb6e6-3756-466e-860b-c017f0421e9f", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Cost Analysis", "subTarget": "Cost", "style": "link" }, { "id": "25b0dfdf-9de1-4a16-b66f-c5b3822c8018", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Azure Sentinel", "subTarget": "Sentinel", "style": "link" }, { "id": "1e15a92e-c236-4e93-833e-fe95f5b1d6e6", "cellValue": "selectedTab", "linkTarget": "parameter", "linkLabel": "Regular Checks (D/W/M)", "subTarget": "Checks", "style": "link" } ] }, "customWidth": "60", "name": "links - 19" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces' \r\n| where id has \"{Workspace}\"\r\n| extend state = trim(' ', tostring(properties.provisioningState))\r\n\t\t,sku = trim(' ', tostring(properties.sku.name))\r\n ,skuUpdate = trim(' ', 
tostring(properties.sku.lastSkuUpdate))\r\n\t\t,retentionDays = trim(' ', tostring(properties.retentionInDays))\r\n\t\t,dailyquotaGB = trim(' ', tostring(properties.workspaceCapping.dailyQuotaGb))\r\n| extend dailyquotaGB = iif(dailyquotaGB !=-1.0, dailyquotaGB,\"Not set\")\r\n| extend skuUpdate = iif(strlen(skuUpdate) > 0, skuUpdate,\"Unknown\")\r\n| extend sentinel = iif(toint(retentionDays) < 90,\"If you have Sentinel, you can change your retention to 90days (free)?\",\"\")\r\n| project ['Log Analytics Workspace Name']=id, ['Resource Group']=resourceGroup, location, ['Data Retention(days)']=retentionDays, ['Last known SKU update']=skuUpdate, ['Daily Data Cap']=dailyquotaGB, ['Licence']=sku, CapacityReservation=properties.sku.capacityReservationLevel, ['Notes'] = sentinel", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ], "gridSettings": { "formatters": [ { "columnMatch": "Data Retention(days)", "formatter": 0, "formatOptions": { "showIcon": true }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Last known SKU update", "formatter": 18, "formatOptions": { "showIcon": true, "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "is Empty", "thresholdValue": "\" \"", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}{1}" } ] } }, { "columnMatch": "Daily Data Cap", "formatter": 18, "formatOptions": { "showIcon": true, "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "not set", "representation": "Unavailable", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "1", "text": "{0}{1}" } ] } }, { "columnMatch": "Data Retention", "formatter": 0, "formatOptions": { "showIcon": true }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } } ] } }, 
"conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "WorkspaceInfo" }, "name": "query - 18" }, { "type": 1, "content": { "json": "## Workspace Health Report \r\n### Change Log\r\nUse this report to analyze the sizes of the different tables and Latency in your workspace and agents. This report checks the overall workspace health.\r\n\r\n|Version|Description|\r\n|---|---|\r\n|v1.1|Added Events Per Second (EPS) to Workspace Info Tab.| \r\n|v1.2|Added EPS with a breakdown for Device Vendor in CommonSecurityLog\r\n|v1.3|Added EPS Tab and Min, Max values\r\n|v1.4 | Added Checks Tab for Daily, Weekly and Monthly suggested checking routines. Also ASC info in Costs Tab.\r\n|v1.4.2 | Added Groups to all Tabs. Added Price info and Help button.\r\n|v1.4.3 | Added to [COST] tab and report of \"GBytes used per Computer\" \r\n|v1.4.4 | Quick fix to get the TableName duplicate removed. Added value to Y axis of [Cost] trend graph, Remove content (EPS) that is planned for the Azure Sentinel Health workbook. \r\n|v1.4.5 | Added extra Cost info, improve Weekly reports and other grids , testing release ONLY\r\n|v1.4.6 | Moved Price to Costs Analysis Tab (all pricing is now in the same place). Added some table data, description and links to Latency grid. Filter on Queries in Weekly report and Workspace audit filters |\r\n|v1.4.7 | Add Pie chart of % billable vs. free to Cost Analysis. Add count of Rules, Rule Templates and Hunting Queries (just unique ones). Extra ASC report for \"minimal\",\"common\" and \"all\". Additional troubleshooting displays, when Help toggle is on. % used for Tables. User filter for LAqueries.|\r\n|v1.4.8 | [Cost Analysis] is now a Tab with Sub Menus to aid load times and readability. New features:Syslog Cost Analysis, CEF Cost Analysis, in the [OverView] sub menu, there are now reports on capacity / price per Subscription, Resource Group and Tags. The Azure Sentinel tab, has reports for Usage vs. 
Capacity Reservation and recommendations for the settings you are on, for Log Analytics and Azure Sentinel. |\r\n\r\nTo do Next: n/a\r\n\r\n" }, "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Change Log" }, "customWidth": "50", "name": "text - 0" }, { "type": 1, "content": { "json": "## Help File\r\n\r\nMore details in the Wiki: https://github.com/CliveW-MSFT/KQLpublic/wiki/Workbook-Usage\r\n\r\n## Usage\r\n\t- Please select your Subscription and Workspace\r\n\t- Time Range: is the time you wish to query back to, i.e. 7 days from now, into the past.\r\n\t- Help is available in various parts of this Workbook.\r\n## Categories\r\n\t- Azure Monitor Logs (Workspace)\r\n\t- Azure Sentinel\r\n\t- Azure Security Center\r\n## Solutions\r\n|Solution|Description|\r\n|---|---|\r\n| Workspace Information | info about the workspace, usage and statistics|\r\n|Latency | Which Tables or machines have latency issues, average, minimum and maximum values|\r\n|Costs Analysis| Looking again at the tables in the [Workspace Info] tab, but also you can select a Price of your choosing (£,$). Sub menus have been added to aid drill-down to specific products or data|\r\n|Azure Sentinel | specific data about Sentinel|\r\n| Regular Checks | Daily, Weekly and Monthly suggested checks you can look at.|\r\n\r\n## Data Sources\r\n\t- Azure Resource Graph (ARG) and Various tables within Azure Monitor Logs (Workspace).\r\n\r\n## Anomaly Detection\r\nSome reports now show anomaly detection; this explains the Score: https://docs.microsoft.com/en-us/azure/data-explorer/anomaly-detection#time-series-anomaly-detection\r\n\r\nAnomaly scores above 1.5 or below -1.5 indicate a mild anomaly rise or decline respectively. Anomaly scores above 3.0 or below -3.0 indicate a strong anomaly." 
}, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "WorkspaceInfo" }, { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" } ], "customWidth": "50", "name": "text - 0 - Copy" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Group: Troubleshoot", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Operation | where OperationCategory == 'Data Collection Status'\r\n\r\n// https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-cost-storage#troubleshooting-why-log-analytics-is-no-longer-collecting-data", "size": 4, "title": "Troubleshoot Workspace: Data Collection Issue", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "WorkspaceInfo" } ], "name": "query - 10" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Usage | where IsBillable | summarize DataGB = sum(Quantity / 1000.) 
//| where DataGB > 50\r\n\r\n// https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-cost-storage#create-an-alert-when-data-collection-is-high", "size": 4, "title": "Troubleshoot Workspace: Data sent today", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "WorkspaceInfo" } ], "name": "query - 10 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "// This isn't a frequest operation, so you may have to go back a long way in the logs (if you have them)\r\nOperation\r\n| where OperationCategory == \"Workspace Configuration\"\r\n| extend msg = split(Detail,\".\").[0], reason = split(Detail,\".\").[1]", "size": 4, "title": "Troubleshoot Workspace: Configuration changes", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "WorkspaceInfo" } ], "name": "query - 10 - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "//https://docs.microsoft.com/en-us/azure/azure-monitor/platform/monitor-workspace\r\n_LogOperation \r\n| summarize count() by Level", "size": 4, "title": "Troubleshoot Workspace: Ingestion Operations by type", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "piechart" }, 
"customWidth": "50", "conditionalVisibilities": [ { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "WorkspaceInfo" } ], "name": "query - 10 - Copy - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "//https://docs.microsoft.com/en-us/azure/azure-monitor/platform/monitor-workspace\r\n_LogOperation | where Category == \"Ingestion\" | where Operation == \"Ingestion rate\" | where Level == \"Warning\"", "size": 4, "title": "Troubleshoot Workspace: warning alert when the ingestion volume rate has reached 80% of the limit", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "WorkspaceInfo" } ], "name": "query - 10 - Copy - Copy - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "//https://docs.microsoft.com/en-us/azure/azure-monitor/platform/monitor-workspace\r\n_LogOperation | where Category == \"Ingestion\" | where Operation == \"Data Collection\" | where Level == \"Warning\"", "size": 4, "title": "Troubleshoot Workspace: warning alert when the data collection has reached the daily limit", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "WorkspaceInfo" } ], "name": "query - 10 - 
Copy - Copy - Copy - Copy - Copy" } ] }, "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, "name": "group - Troubleshoot" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "price setting", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "170a6d54-0503-41ac-b52b-b0e3db2f427d", "version": "KqlParameterItem/1.0", "name": "Price", "label": "Price estimation", "type": 1, "description": "Enter your price (tip. Use the Azure Pricing Calculator, enter a value of 1GB and divide by 30days), or see Help toggle", "criteriaData": [ { "criteriaContext": { "operator": "Default", "rightValType": "param", "resultValType": "static", "resultVal": "4.0" } } ], "value": "4.0" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 1 - Copy" } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Cost" }, "name": "group - Price" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Group: Workspace info", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=TableName1 *\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff(\"second\",now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable==true) by TableName1, _IsBillable\r\n| project ['Table Name'] = TableName1, ['Table Size'] = Size, ['Table Entries'] = Entries,\r\n ['Size per Entry'] = 1.0 * Size / Entries, ['IsBillable'] = _IsBillable, ['Latest Record Created'] = last_log //, ['Latest Record Recieved'] =last_ingestion\r\n | order by ['Table Size'] desc\r\n\r\n ", "size": 0, "showAnalytics": true, "title": "{Workspace:name} Status for {TimeRange:label}, Billable Tables have an average use of: 
{GiBperday} GiB per day, Billable Tables have a Total size of {GiBtotal} GiB", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "Table Name", "exportParameterName": "Table", "exportDefaultValue": "All Tables", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Table Name", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "30ch" } }, { "columnMatch": "Table Size", "formatter": 3, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Table Entries", "formatter": 3, "formatOptions": { "min": 0, "palette": "green" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Size per Entry", "formatter": 3, "formatOptions": { "min": 0, "palette": "orange" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "maximumFractionDigits": 2 } } }, { "columnMatch": "IsBillable", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "True", "representation": "green", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "False", "representation": "blueDark", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "blue", "text": "{0}{1}" } ] } }, { "columnMatch": "Latest Record Created", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 24, "options": { "style": "decimal" } }, "tooltipFormat": { "tooltip": "Time when record was created at data source" } }, { "columnMatch": "Latest Record Recieved", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 24, "options": { "style": "decimal" } }, "tooltipFormat": { "tooltip": "Time when 
Record stored in workspace and available for queries" } }, { "columnMatch": "Estimated Table Price", "formatter": 3, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Table Trend", "formatter": 10, "formatOptions": { "palette": "redGreen" } } ], "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Latest Record Created_5", "sortOrder": 2 } ], "labelSettings": [ { "columnId": "Table Name", "label": "" }, { "columnId": "Table Size", "label": "", "comment": "Capacity of the Table" }, { "columnId": "Table Entries", "comment": "Count of Rows in the Table" }, { "columnId": "Size per Entry", "comment": "Capacity of the Rows" }, { "columnId": "IsBillable", "comment": "Is the Table Free or Billable?" } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Latest Record Created_5", "sortOrder": 2 } ] }, "customWidth": "70", "name": "query - 2" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=TableName1 *\r\n| make-series Trend=sum(_BilledSize) , count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} \r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Trend, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| project baseline, Trend //, count_\r\n", "size": 4, "title": "High level - Overview for {TimeRange:label}", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "baseline", "formatter": 21, "formatOptions": { "palette": "purple" } }, { "columnMatch": "Trend", "formatter": 10, "formatOptions": { "palette": "blue" } }, { "columnMatch": "count_", "formatter": 10, "formatOptions": { "palette": "greenDarkDark" } }, { "columnMatch": "TimeGenerated", "formatter": 5 }, { "columnMatch": "anomalies", 
"formatter": 5 }, { "columnMatch": "score", "formatter": 5 } ], "labelSettings": [ { "columnId": "baseline", "label": "BilledSize Baseline" }, { "columnId": "Trend", "label": "BilledSize" } ] } }, "customWidth": "30", "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "WorkspaceInfo" }, "name": "query - 13" }, { "type": 1, "content": { "json": "### Columns explained\r\n- Table Name:The Log Analytics workspace Table\r\n- Table Size: The sum of data stored in the Table. \r\n- Table Entries: The count of each row in the Table. \r\n- Size per Entry: Average capacity size of each row of data.\r\n- IsBillable: Shows if the Table is Billable or Free (True/False).\r\n- Last Record Received: What was the time that the last record of data was received? \t \t ", "style": "info" }, "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, "name": "text - 8" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=TableName1 *\r\n| where '{Table}' == 'All Tables' or TableName1 == '{Table}'\r\n| make-series TableSize = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n| mvexpand TableSize to typeof(real), TimeGenerated to typeof(datetime) limit 1000\r\n| project TimeGenerated, ['{Table}'] = TableSize", "size": 1, "showAnalytics": true, "title": "Table Entries, count over time: {TimeRange:label}", "color": "green", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "Namespace", "exportParameterName": "Namespace", "exportDefaultValue": "All", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "areachart", "gridSettings": { "formatters": [ { "columnMatch": "Table Entries", "formatter": 3, "formatOptions": { "min": 0, "palette": "green", "showIcon": true }, "numberFormat": { "unit": 
17, "options": { "style": "decimal" } } }, { "columnMatch": "Table Size", "formatter": 3, "formatOptions": { "min": 0, "palette": "blue", "showIcon": true }, "numberFormat": { "unit": 2, "options": { "style": "decimal" } } }, { "columnMatch": "Table Size Trend", "formatter": 9, "formatOptions": { "min": 0, "palette": "blue", "showIcon": true } } ], "filter": true } }, "customWidth": "50", "name": "query - 6" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=TableName1 *\r\n| where '{Table}' == 'All Tables' or TableName1 == '{Table}'\r\n| make-series TableSize = sum(_BilledSize) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} \r\n| mvexpand TableSize to typeof(real), TimeGenerated to typeof(datetime) limit 1000\r\n| project TimeGenerated, ['{Table}'] = TableSize", "size": 1, "showAnalytics": true, "title": "Table Size, sum over time of capacity: {TimeRange:label}", "color": "blue", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "Namespace", "exportParameterName": "Namespace", "exportDefaultValue": "All", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "areachart", "gridSettings": { "formatters": [ { "columnMatch": "Table Entries", "formatter": 3, "formatOptions": { "min": 0, "palette": "green", "showIcon": true }, "numberFormat": { "unit": 17, "options": { "style": "decimal" } } }, { "columnMatch": "Table Size", "formatter": 3, "formatOptions": { "min": 0, "palette": "blue", "showIcon": true }, "numberFormat": { "unit": 2, "options": { "style": "decimal" } } }, { "columnMatch": "Table Size Trend", "formatter": 9, "formatOptions": { "min": 0, "palette": "blue", "showIcon": true } } ], "filter": true } }, "customWidth": "50", "name": "query - 7" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=TableName1 *\r\n| 
summarize count() by bin(TimeGenerated, 6h), Type\r\n| project Type, TimeGenerated, count_\r\n\r\n\r\n", "size": 0, "showAnalytics": true, "title": "Weekly Average Table Usage ", "color": "blue", "timeContext": { "durationMs": 604800000 }, "exportFieldName": "Namespace", "exportParameterName": "Namespace", "exportDefaultValue": "All", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "barchart", "gridSettings": { "formatters": [ { "columnMatch": "Average Events per Second (eps)", "formatter": 3, "formatOptions": { "palette": "redGreen" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true, "maximumSignificantDigits": 3 } } }, { "columnMatch": "Minimum eps", "formatter": 3, "formatOptions": { "palette": "redGreen" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } }, { "columnMatch": "Maximum eps", "formatter": 3, "formatOptions": { "palette": "redGreen" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "maximumSignificantDigits": 3 } } }, { "columnMatch": "Estimated Table Price", "formatter": 3, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Table Entries", "formatter": 3, "formatOptions": { "min": 0, "palette": "green" }, "numberFormat": { "unit": 17, "options": { "style": "decimal" } } }, { "columnMatch": "Table Size", "formatter": 3, "formatOptions": { "min": 0, "palette": "blue" }, "numberFormat": { "unit": 2, "options": { "style": "decimal" } } }, { "columnMatch": "Table Size Trend", "formatter": 9, "formatOptions": { "min": 0, "palette": "blue" } } ], "filter": true }, "sortBy": [], "chartSettings": { "seriesLabelSettings": [ { "seriesName": "Other", "color": "green" } ], "xSettings": {}, "ySettings": {} } }, "customWidth": 
"100", "name": "query - 7 - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=TableName1 *\r\n| summarize count() by bin(TimeGenerated, {TimeRange:grain}), Type\r\n| project Type, TimeGenerated, count_\r\n\r\n\r\n", "size": 1, "showAnalytics": true, "title": "Monthly Average Table Usage : Time Brush Enabled", "color": "blue", "timeContext": { "durationMs": 2592000000 }, "timeBrushParameterName": "tbMthlyUsage", "exportFieldName": "Namespace", "exportParameterName": "Namespace", "exportDefaultValue": "All", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "barchart", "gridSettings": { "formatters": [ { "columnMatch": "Average Events per Second (eps)", "formatter": 3, "formatOptions": { "palette": "redGreen" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true, "maximumSignificantDigits": 3 } } }, { "columnMatch": "Minimum eps", "formatter": 3, "formatOptions": { "palette": "redGreen" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } }, { "columnMatch": "Maximum eps", "formatter": 3, "formatOptions": { "palette": "redGreen" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "maximumSignificantDigits": 3 } } }, { "columnMatch": "Estimated Table Price", "formatter": 3, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Table Entries", "formatter": 3, "formatOptions": { "min": 0, "palette": "green" }, "numberFormat": { "unit": 17, "options": { "style": "decimal" } } }, { "columnMatch": "Table Size", "formatter": 3, "formatOptions": { "min": 0, "palette": "blue" }, "numberFormat": { "unit": 2, "options": { "style": "decimal" } } }, { "columnMatch": "Table Size Trend", "formatter": 9, 
"formatOptions": { "min": 0, "palette": "blue" } } ], "filter": true }, "sortBy": [], "chartSettings": { "seriesLabelSettings": [ { "seriesName": "Other", "color": "green" } ], "xSettings": {}, "ySettings": {} } }, "customWidth": "100", "name": "query - 7 - mthly table usage " }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=TableName1 *\r\n| summarize count() by TableName = TableName1, _ResourceId\r\n| order by count_ desc\r\n\r\n\r\n\r\n\r\n ", "size": 1, "showAnalytics": true, "title": "Details from Monthly Average Table Usage : Time brushed to: {tbMthlyUsage:label}", "color": "blue", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "tbMthlyUsage", "timeBrushParameterName": "tbMthlyUsage", "exportFieldName": "Namespace", "exportParameterName": "Namespace", "exportDefaultValue": "All", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "count_", "formatter": 4, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "filter": true }, "sortBy": [], "chartSettings": { "seriesLabelSettings": [ { "seriesName": "Other", "color": "green" } ], "xSettings": {}, "ySettings": {} } }, "customWidth": "100", "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "WorkspaceInfo" }, "name": "query - 7 - mthly table usage - Copy" }, { "type": 1, "content": { "json": "Use the above four charts to check your Records, Size and Weekly/ Monthly averages.\r\nThe Weekly and Monthly charts are especially useful to see if one data type is growing or shrinking.", "style": "info" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "WorkspaceInfo" }, { "parameterName": "Help", "comparison": "isEqualTo", 
"value": "Yes" } ], "name": "text - 6" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Basic Workspace Details", "expandable": true, "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-08-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[]}}]}", "size": 0, "title": "Workspace Details", "queryType": 12, "sortBy": [] }, "customWidth": "50", "name": "query - 11 - Copy - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/intelligencePacks\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-08-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"\",\"columns\":[{\"path\":\"name\",\"columnid\":\"name\"},{\"path\":\"enabled\",\"columnid\":\"enabled\"},{\"path\":\"displayname\",\"columnid\":\"displayname\"}]}}]}", "size": 0, "title": "Intelligence Packs", "queryType": 12, "gridSettings": { "sortBy": [ { "itemKey": "enabled", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "enabled", "sortOrder": 2 } ] }, "customWidth": "50", "name": "query - 11 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": 
"{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/usages\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-08-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[]}}]}", "size": 0, "title": "Workspace Usages", "queryType": 12, "sortBy": [] }, "customWidth": "50", "name": "query - 11 - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/availableServiceTiers\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-08-01\"}],\"batchDisabled\":false,\"transformers\":null}", "size": 0, "title": "Workspace Service Tier", "queryType": 12, "sortBy": [] }, "customWidth": "50", "conditionalVisibility": { "parameterName": "hide", "comparison": "isEqualTo", "value": "hide" }, "name": "query - 11 - Copy - Copy - Copy - Copy" } ] }, "name": "group - Workspace Details" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Advanced Workspace details", "expandable": true, "items": [ { "type": 1, "content": { "json": "The charts in this section read the LAQueryLogs table, which is only populated once query auditing has been enabled for the workspace (see the link below); until then they return no rows. Note that LAQueryLogs records the full text of every query (QueryText) together with the identity that ran it (AADEmail, AADClientId), so treat this section as sensitive and restrict who can view this workbook.\r\nhttps://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-audit", "style": "warning" }, "name": "text - 12" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "// needs https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-audit\r\nLAQueryLogs\r\n| extend code_ = case(ResponseCode == 200,\"200 OK\", ResponseCode == 400,\"400 Bad Request\", ResponseCode == 401,\"401 Unauthorized\",ResponseCode == 503,\"503 Service 
Unavailable\",ResponseCode == 504,\"504 Gateway Timeout\",\r\n//else\r\nstrcat(\"Unknown or undefined code: \", ResponseCode))\r\n| summarize count() by ResponseCode, code_\r\n| order by count_ desc\r\n", "size": 1, "title": "LAQuery Diagnostics: count by Status", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "piechart", "chartSettings": { "yAxis": [ "count_" ] } }, "customWidth": "50", "name": "query - 10" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "// needs https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-audit\r\nLAQueryLogs\r\n| summarize count() by RequestClientApp\r\n| order by count_ desc\r\n", "size": 1, "title": "LAQuery Diagnostics: count by product ", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "piechart", "chartSettings": { "yAxis": [ "count_" ] } }, "customWidth": "50", "name": "query - 10 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "// needs https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-audit\r\nLAQueryLogs\r\n| summarize dcount(QueryText) by AADEmail\r\n| where isnotempty(AADEmail)\r\n| order by dcount_QueryText desc\r\n", "size": 1, "title": "LAQuery Diagnostics: count by User", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "piechart", "chartSettings": { "yAxis": [ "dcount_QueryText" ] } }, "customWidth": "50", "name": "query - 10 - Copy - Copy" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { 
"id": "d1f27b79-2133-475a-88de-37bcda5be757", "version": "KqlParameterItem/1.0", "name": "filterProduct", "label": "Filter by product, order by highest count ", "type": 10, "isRequired": true, "query": "LAQueryLogs\r\n| where isnotempty(RequestClientApp)\r\n| summarize count() by RequestClientApp\r\n| order by count_ desc\r\n| extend label = strcat(RequestClientApp,\" (\",count_,\")\")\r\n//| extend a = pack_array(label, \"Show All\")\r\n| project RequestClientApp, label", "crossComponentResources": [ "{Workspace}" ], "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "value": "AppAnalytics" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 14" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "LAQueryLogs\r\n| where RequestClientApp ==\"{filterProduct}\" \r\n| extend code_ = case(ResponseCode == 200,\"200 OK\", ResponseCode == 400,\"400 Bad Request\", ResponseCode == 401,\"401 Unauthorized\",ResponseCode == 503,\"503 Service Unavailable\",ResponseCode == 504,\"504 Gateway Timeout\",\r\n//else\r\nstrcat(\"Unknown or undefined code: \", ResponseCode))\r\n| project TimeGenerated, AADEmail, ResponseCode = code_, RequestClientApp, ResponseRowCount, ResponseDurationMs, StatsCPUTimeMs, StatsDataProcessedKB, StatsDataProcessedStart, StatsDataProcessedEnd, QueryText, AADClientId\r\n| order by TimeGenerated desc", "size": 1, "title": "LAQuery Diagnostics: Statistics for: {filterProduct:label}", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "ResponseCode", "formatter": 18, 
"formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "startsWith", "thresholdValue": "400", "representation": "failed", "text": "{0}{1}" }, { "operator": "startsWith", "thresholdValue": "Unknown", "representation": "unknown", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}{1}" } ] } }, { "columnMatch": "ResponseRowCount", "formatter": 8, "formatOptions": { "palette": "greenRed" } }, { "columnMatch": "ResponseDurationMs", "formatter": 8, "formatOptions": { "palette": "greenRed" } }, { "columnMatch": "StatsCPUTimeMs", "formatter": 8, "formatOptions": { "palette": "greenRed" } }, { "columnMatch": "StatsDataProcessedKB", "formatter": 8, "formatOptions": { "palette": "greenRed" } } ], "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_ResponseRowCount_4", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_ResponseRowCount_4", "sortOrder": 2 } ] }, "name": "query - 11" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspace}" ], "parameters": [ { "id": "807f8cec-8875-4156-91e6-2506b97e174d", "version": "KqlParameterItem/1.0", "name": "filterAADuser", "type": 2, "query": "LAQueryLogs\r\n| summarize by AADEmail\r\n| order by AADEmail asc", "crossComponentResources": [ "{Workspace}" ], "value": null, "typeSettings": { "additionalResourceOptions": [] }, "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "label": "Show Queries by User" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 18" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "LAQueryLogs\r\n| where AADEmail == '{filterAADuser}'\r\n| project TimeGenerated, AADEmail, QueryText, ResponseDurationMs, StatsCPUTimeMs, StatsDataProcessedKB\r\n| order by TimeGenerated desc", "size": 
1, "title": "LAQuery Diagnostics: Statistics for: {filterAADuser:label}", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "AADEmail", "formatter": 5 }, { "columnMatch": "QueryText", "formatter": 7, "formatOptions": { "linkTarget": "CellDetails", "linkIsContextBlade": true } }, { "columnMatch": "ResponseDurationMs", "formatter": 3, "formatOptions": { "palette": "greenRed" } }, { "columnMatch": "StatsCPUTimeMs", "formatter": 3, "formatOptions": { "palette": "greenRed" } }, { "columnMatch": "StatsDataProcessedKB", "formatter": 3, "formatOptions": { "palette": "greenRed" } } ], "filter": true }, "sortBy": [] }, "name": "query - 11 - Copy" } ] }, "name": "group - wsAdvanced" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "WorkspaceInfo" }, "name": "group - workspaceInfo" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Group: Azure Sentinel", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources\r\n// Just show Workspaces - will use this to see Creation diff between Workspace and when Azure Sentinel is added \r\n| where type =~ 'microsoft.operationalinsights/workspaces' \r\n| project Workspace=id, WorkspaceName=name, properties.sku.name, properties.sku.capacityReservationLevel, W_CreatedDate=properties.createdDate, W_modifedDate=properties.modifiedDate, properties.sku.lastSkuUpdate", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ], "gridSettings": { "formatters": [ { "columnMatch": "Days Enabled", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "<=", "thresholdValue": "30", 
"representation": "yellow", "text": "Free {1}" }, { "operator": "Default", "thresholdValue": null, "representation": "green", "text": "{0}{1}" } ] } } ] } }, "conditionalVisibility": { "parameterName": "Hide", "comparison": "isEqualTo", "value": "Hide" }, "name": "query - ARG All workspaces" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources\r\n// Just show Workspaces that have Sentinel enabled\r\n| where type == \"microsoft.operationsmanagement/solutions\"\r\n| where name has \"SecurityInsights\"\r\n| parse name with * '(' s_workspace ')'*\r\n| project s_workspace, name, properties.creationTime, properties.lastModifiedTime , ['Days Enabled'] = datetime_diff('day',now(),todatetime(properties.creationTime)), ['SKU']=properties.sku.name, CapacityReservation=properties.sku.capacityReservationLevel", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ], "gridSettings": { "formatters": [ { "columnMatch": "Days Enabled", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "<=", "thresholdValue": "30", "representation": "yellow", "text": "Free {1}" }, { "operator": "Default", "thresholdValue": null, "representation": "green", "text": "{0}{1}" } ] } } ], "labelSettings": [ { "columnId": "s_workspace", "label": "Workspace Name" }, { "columnId": "name", "label": "Solution Name", "comment": "Azure Sentinel is present" } ] } }, "conditionalVisibility": { "parameterName": "Hide", "comparison": "isEqualTo", "value": "Hide" }, "name": "query - ARG Azure Sentinel workspaces" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"14b104f4-4935-413b-943d-166bee783118\",\"mergeType\":\"innerunique\",\"leftTable\":\"query - ARG All workspaces\",\"rightTable\":\"query - ARG Azure Sentinel 
workspaces\",\"leftColumn\":\"WorkspaceName\",\"rightColumn\":\"s_workspace\"}],\"projectRename\":[{\"originalName\":\"[query - ARG All workspaces].Workspace\",\"mergedName\":\"Workspace\",\"fromId\":\"14b104f4-4935-413b-943d-166bee783118\"},{\"originalName\":\"[query - ARG All workspaces].WorkspaceName\",\"mergedName\":\"WorkspaceName\",\"fromId\":\"14b104f4-4935-413b-943d-166bee783118\"},{\"originalName\":\"[query - ARG All workspaces].W_CreatedDate\",\"mergedName\":\"W_CreatedDate\",\"fromId\":\"14b104f4-4935-413b-943d-166bee783118\"},{\"originalName\":\"[query - ARG All workspaces].W_modifedDate\",\"mergedName\":\"W_modifedDate\",\"fromId\":\"14b104f4-4935-413b-943d-166bee783118\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].s_workspace\",\"mergedName\":\"Workspace Name\",\"fromId\":\"14b104f4-4935-413b-943d-166bee783118\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].name\",\"mergedName\":\"Solution Name\",\"fromId\":\"14b104f4-4935-413b-943d-166bee783118\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].properties_creationTime\",\"mergedName\":\"FirstCreated\",\"fromId\":\"14b104f4-4935-413b-943d-166bee783118\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].properties_lastModifiedTime\",\"mergedName\":\"LastModified\",\"fromId\":\"14b104f4-4935-413b-943d-166bee783118\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].Days Enabled\",\"mergedName\":\"Days Enabled\",\"fromId\":\"14b104f4-4935-413b-943d-166bee783118\"},{\"originalName\":\"[query - ARG All workspaces].properties_sku_name\",\"mergedName\":\"properties_sku_name\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG All workspaces].properties_sku_lastSkuUpdate\",\"mergedName\":\"properties_sku_lastSkuUpdate\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].id\",\"mergedName\":\"id\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel 
workspaces].type\",\"mergedName\":\"type\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].tenantId\",\"mergedName\":\"tenantId\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].kind\",\"mergedName\":\"kind\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].location\",\"mergedName\":\"location\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].resourceGroup\",\"mergedName\":\"resourceGroup\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].subscriptionId\",\"mergedName\":\"subscriptionId\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].managedBy\",\"mergedName\":\"managedBy\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].sku\",\"mergedName\":\"sku\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].plan\",\"mergedName\":\"plan\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].properties\",\"mergedName\":\"properties\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].tags\",\"mergedName\":\"tags\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].identity\",\"mergedName\":\"identity\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].zones\",\"mergedName\":\"zones\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].extendedLocation\",\"mergedName\":\"extendedLocation\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].Sentinel SKU\",\"mergedName\":\"Sentinel SKU\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].SKU\",\"mergedName\":\"SKU\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG All 
workspaces].properties_sku_capacityReservationLevel\",\"mergedName\":\"properties_sku_capacityReservationLevel\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].properties_sku_capacityReservationLevel\",\"mergedName\":\"properties_sku_capacityReservationLevel\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - ARG Azure Sentinel workspaces].CapacityReservation\",\"mergedName\":\"CapacityReservation\",\"fromId\":\"unknown\"}]}", "size": 4, "queryType": 7, "gridSettings": { "formatters": [ { "columnMatch": "WorkspaceName", "formatter": 5 }, { "columnMatch": "Workspace Name", "formatter": 5 }, { "columnMatch": "Solution Name", "formatter": 5 }, { "columnMatch": "Days Enabled", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "<=", "thresholdValue": "30", "representation": "yellow", "text": "{0} (Free Trial)" }, { "operator": "Default", "thresholdValue": null, "representation": "green", "text": "{0}{1}" } ] } } ], "labelSettings": [ { "columnId": "Workspace", "label": "Log Analytics Workspace Name" }, { "columnId": "WorkspaceName" }, { "columnId": "W_CreatedDate", "label": "Workspace Created" }, { "columnId": "W_modifedDate", "label": "Workspace Modified" }, { "columnId": "Workspace Name" }, { "columnId": "Solution Name" }, { "columnId": "FirstCreated" }, { "columnId": "LastModified" }, { "columnId": "Days Enabled" }, { "columnId": "properties_sku_name", "label": "Workspace SKU name", "comment": "Log Analytics licence SKU" }, { "columnId": "properties_sku_lastSkuUpdate", "label": "Workspace SKU Last Update" }, { "columnId": "SKU", "label": "Azure Sentinel SKU name", "comment": "Azure Sentinel setting" }, { "columnId": "properties_sku_capacityReservationLevel" }, { "columnId": "CapacityReservation" } ] } }, "showPin": false, "name": "query - 7" }, { "type": 1, "content": { "json": "If Azure Sentinel has been enabled on a workspace for less than 30 days, it is likely to be in the free trial period. The report above shows when a workspace was first created and when Azure Sentinel was associated with it.\r\nAlso on this page:\r\n- Top 10 operations recorded in the AzureActivity log for Azure Sentinel (resource provider Microsoft.SecurityInsights). \r\n- Select a table (only Azure Sentinel ones are listed) to see more details. ", "style": "info" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Sentinel" }, { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" } ], "name": "text - 4" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureActivity \r\n| where ResourceProvider == \"Microsoft.SecurityInsights\" \r\n| where OperationName !in (\"Microsoft.SecurityInsights/Incidents/investigations/write\", \"Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action\" )\r\n| summarize count() by OperationName\r\n| top 10 by count_ desc \r\n", "size": 1, "title": "Sentinel ActivityLog Information - Top 10", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "tiles", "gridSettings": { "filter": true }, "tileSettings": { "showBorder": false, "titleContent": { "columnMatch": "OperationName", "formatter": 1 }, "leftContent": { "columnMatch": "count_", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Sentinel" }, "name": "query - 22" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureActivity \r\n| where ResourceProvider == \"Microsoft.SecurityInsights\" \r\n//| where OperationName !in (\"Microsoft.SecurityInsights/Incidents/investigations/write\", \"Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action\" 
)\r\n| summarize count() by OperationName, TimeGenerated\r\n| top 10 by count_ desc \r\n| make-series count() on bin(TimeGenerated,1d) from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by OperationName\r\n", "size": 1, "title": "Sentinel ActivityLog Information - Top n trending, {TimeRange:label} ", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "count_", "formatter": 9, "formatOptions": { "palette": "greenRed" } }, { "columnMatch": "TimeGenerated", "formatter": 5 } ], "filter": true, "labelSettings": [ { "columnId": "OperationName" }, { "columnId": "count_", "label": "Daily Count", "comment": "Trend for selected period" }, { "columnId": "TimeGenerated" } ] }, "tileSettings": { "showBorder": false, "titleContent": { "columnMatch": "OperationName", "formatter": 1 }, "leftContent": { "columnMatch": "count_", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Sentinel" }, "name": "query - 22 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Watchlist\r\n| summarize count(_DTItemStatus) by WatchlistAlias\r\n| order by count__DTItemStatus desc", "size": 4, "title": "Watchlists details for: '{exportWatchlistAlias}'", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "WatchlistAlias", "exportParameterName": "exportWatchlistAlias", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "piechart", "sortBy": [] }, "name": "query - 10 - Copy - Copy" }, { 
"type": 3, "content": { "version": "KqlItem/1.0", "query": "_GetWatchlistAlias\r\n| order by WatchlistAlias asc", "size": 0, "title": "Watchlists", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "WatchlistAlias", "exportParameterName": "exportWatchlistAlias", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "sortBy": [ { "itemKey": "WatchlistAlias", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "WatchlistAlias", "sortOrder": 2 } ] }, "customWidth": "50", "name": "query - 10" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Watchlist\r\n| where WatchlistAlias == '{exportWatchlistAlias}'\r\n| project-away TenantId, AzureTenantId, WatchlistId, WatchlistItemId", "size": 0, "title": "Watchlists details for: '{exportWatchlistAlias}'", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "WatchlistAlias", "exportParameterName": "exportWatchlistAlias", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "filter": true, "sortBy": [ { "itemKey": "TimeGenerated", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "TimeGenerated", "sortOrder": 2 } ] }, "customWidth": "50", "name": "query - 10 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "ThreatIntelligenceIndicator\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n| summarize CountOfIndicators = count() 
by IndicatorType, bin(TimeGenerated, {TimeRange:grain})\r\n| order by CountOfIndicators desc ", "size": 1, "title": "Threat Intelligence, Indicator Type {TimeRange:label}", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "areachart" }, "name": "query - 13" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "ThreatIntelligenceIndicator\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n| summarize CountOfIndicators = count() by ThreatType , bin(TimeGenerated, {TimeRange:grain})\r\n| order by CountOfIndicators desc ", "size": 1, "title": "Threat Intelligence, Threat Type {TimeRange:label}", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "areachart" }, "name": "query - 13 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": 
"{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourcegroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/metadata\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2017-10-01\"},{\"key\":\"$orderby\",\"value\":\"name\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.tableGroups\",\"columns\":[]}}]}", "size": 1, "title": "Solutions and Table selector", "exportedParameters": [ { "fieldName": "name", "parameterName": "exportDisplayName", "parameterType": 1 }, { "fieldName": "tables", "parameterName": "exportTables", "parameterType": 1 } ], "queryType": 12, "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "id", "formatter": 5 }, { "columnMatch": "source", "formatter": 5 }, { "columnMatch": "tables", "formatter": 5 } ], "filter": true, "hierarchySettings": { "treeType": 1, "groupBy": [ "name" ] }, "sortBy": [ { "itemKey": "$gen_count_$gen_group_0", "sortOrder": 1 } ] }, "sortBy": [ { "itemKey": "$gen_count_$gen_group_0", "sortOrder": 1 } ], "tileSettings": { "titleContent": { "columnMatch": "displayName", "formatter": 12, "formatOptions": { "palette": "blue" } }, "subtitleContent": { "columnMatch": "name" }, "showBorder": false, "sortCriteriaField": "displayName", "sortOrderField": 1, "size": "auto" } }, "name": "query - 13" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Usage\r\n//| where '{exportDisplayName}' startswith 'Sec'\r\n| project '{exportTables}' \r\n|limit 1\r\n| mv-expand tn = todynamic('{exportTables}')\r\n| extend TableName = split(tn,\"/\")[1]\r\n| order by tostring(TableName) asc\r\n| project TableName\r\n", "size": 0, "title": "Select a Table from: {exportDisplayName}", "timeContext": { "durationMs": 86400000 }, "exportFieldName": "TableName", "exportParameterName": "exportTableName", "queryType": 0, "resourceType": 
"microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "sortBy": [ { "itemKey": "TableName", "sortOrder": 1 } ] }, "sortBy": [ { "itemKey": "TableName", "sortOrder": 1 } ] }, "customWidth": "33", "name": "query - 14" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Usage\r\n| where '{exportTableName}' == DataType\r\n| summarize [\"last log received\"] = datetime_diff(\"second\",now(), max(TimeGenerated)), \r\n BillableGB = sumif(Quantity,IsBillable==true)/1024, FreeGB = sumif(Quantity,IsBillable==false)/1024 by DataType, IsBillable\r\n| order by [\"last log received\"] desc", "size": 1, "title": "Table selected: {exportTableName}", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "last log received", "formatter": 0, "numberFormat": { "unit": 24, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "BillableGB", "formatter": 0, "numberFormat": { "unit": 5, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "FreeGB", "formatter": 0, "numberFormat": { "unit": 5, "options": { "style": "decimal" } } } ] } }, "customWidth": "66", "name": "query - 15" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/dataConnectors\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"},{\"key\":\"$orderby\",\"value\":\"kind 
asc\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"kind\",\"columnid\":\"ConnectorName\"},{\"path\":\"properties.dataTypes[*].state\",\"columnid\":\"state\"},{\"path\":\"properties.dataTypes\",\"columnid\":\"Info\"}]}}]}", "size": 1, "title": "Enabled connectors", "queryType": 12, "gridSettings": { "formatters": [ { "columnMatch": "state", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "enabled", "representation": "success", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}{1}" } ] } } ], "sortBy": [ { "itemKey": "ConnectorName", "sortOrder": 1 } ] }, "sortBy": [ { "itemKey": "ConnectorName", "sortOrder": 1 } ] }, "name": "query - 11" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Sentinel" }, "name": "group - Sentinel" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Group: Latency", "items": [ { "type": 1, "content": { "json": "### End to End Latency Report by Table" }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Latency" }, "name": "text - 9" }, { "type": 1, "content": { "json": "In this report we measure the latency of a specific Table by comparing the result of the ingestion_time() function to the TimeGenerated property. 
\r\n<br />\r\n\r\nSource: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-ingestion-time", "style": "info" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Latency" }, { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" } ], "name": "text - 10" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "//\r\n// Add enrichment information about selected Tables\r\n//\r\nlet enrich = datatable (TableName:string,Information:string,link:string)\r\n [\r\n \"Usage\",\"This is common Usage data in all Workspaces\",\"https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-cost-storage\",\r\n \"Operation\",\"This is common Operations data in all Workspaces\",\"\",\r\n \"OfficeActivity\",\"This is a PUSH data source, typically <30mins (max ~1day)\",\"https://docs.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api#what-is-the-maximum-time-i-will-have-to-wait-before-a-notification-is-sent-about-a-given-office-365-event\",\r\n \"Perf\",\"Operational Data source, this can have limited value to Azure Sentinel\",\"https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-data-sources\",\r\n \"Event\",\"Windows Server Event Logs\",\"https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-data-sources\",\r\n \"Syslog\", \"Syslog messages using Common Event Format (CEF) streamed from variety of security solutions.Learn more\",\"https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources\",\r\n \"SecurityAlert\",\"Security Alerts from various sources\",\"https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources\",\r\n \"Alert\",\"Alerts from Azure Monitor sources\",\"\",\r\n \"AWSCloudTrail\",\"Azure Sentinel: AWS Cloud trail connector\",\"\",\r\n \"Anomalies\",\"Azure Sentinel: This table contains anomalies generated by the active Anomaly analytics rules in Azure 
Sentinel.\",\"\",\r\n \"AADNonInteractiveUserSignInLogs\",\"Non-interactive Azure Active Directory sign-in logs from user\",\"\",\r\n \"SecurityEvent\",\"Data from Azure Security Center or Azure Sentinel\",\"https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources\",\r\n \"CommonSecurityLog\",\"CEF data for Azure Sentinel, from multiple vendors\",\"https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources\",\r\n \"SecurityIncident\",\"Incident events from Azure Sentinel, also see SecurityAlert\",\"\",\r\n \"Heartbeat\", \"MMA info from Log Analytics agents\",\"\",\r\n \"LAQueryLogs\",\"Auditing of the workspace has been set\",\"https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-audit\",\r\n \"VMConnection\",\"Azure Monitor for VMs or Service Map\",\"https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/vmconnection\",\r\n \"KubeServices\",\"AKS data sources\",\"\",\r\n \"Update\",\"Patching info\",\"\", \r\n \"ThreatIntelligenceIndicator\",\"Azure Sentinel TI data\",\"\", \r\n \"AuditLogs\",\"Azure AAD audit information\",\"\", \r\n \"SigninLogs\",\"Azure AAD Signin information\",\"\", \r\n \"AzureActivity\",\"Azure Activity Logs\",\"\",\r\n \"HuntingBookmark\",\"Azure Sentinel - Hunting book mark data\",\"\", \r\n \"UserPeerAnalytics\",\"Azure Sentinel - UEBA\",\"\", \r\n \"UserAccessAnalytics\",\"Azure Sentinel - UEBA\",\"\", \r\n \"IdentityInfo\",\"Azure Sentinel - UEBA\",\"\", \r\n \"BehaviorAnalytics\",\"Azure Sentinel - UEBA\",\"\", \r\n \"DeviceEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection.\",\"\",\r\n \"DeviceFileEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. 
This table contains File creation, modification, and other file system events.\",\"\", \r\n \"DeviceImageLoadEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains DLL loading events\",\"\", \r\n \"DeviceInfo\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Machine information, including OS information.\",\"\", \r\n \"DeviceLogonEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Sign-ins and other authentication events\",\"\", \r\n \"DeviceNetworkEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Network connection and related events.\",\"\", \r\n \"DeviceNetworkInfo\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains.\",\"\", \r\n \"DeviceProcessEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Process creation and related events.\",\"\", \r\n \"DeviceRegistryEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. 
This table contains Creation and modification of registry entries.\",\"\", \r\n \"DnsInventory\",\"DNS Analytics (Preview)\",\"\", \r\n \"W3CIISLog\",\"IIS log data from Azure Monitor Logs\",\"\"\r\n ]\r\n; \r\n// Gather and calculate Latency information\r\nunion withsource = TableName1 *\r\n| summarize \r\n ['average E2E IngestionLatency'] = round(avg(todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated))/60 ),2)\r\n , ['minimun E2E IngestionLatency'] = round(min(todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated))/60 ),2) \r\n , ['maximum E2E IngestionLatency'] = round(max(todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated))/60 ),2)\r\n by TableName = TableName1\r\n| sort by ['average E2E IngestionLatency'] desc\r\n// join to enrichment and remove unwanted columns \r\n| join kind= fullouter (enrich) on TableName\r\n| where isnotempty(TableName)\r\n| project-away TableName1\r\n", "size": 0, "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "average E2E IngestionLatency", "formatter": 3, "formatOptions": { "palette": "greenRed", "compositeBarSettings": { "labelText": "", "columnSettings": [ { "columnName": "average E2E IngestionLatency", "color": "blue" }, { "columnName": "minimun E2E IngestionLatency", "color": "green" }, { "columnName": "maximum E2E IngestionLatency", "color": "redBright" } ] } }, "numberFormat": { "unit": 24, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "minimun E2E IngestionLatency", "formatter": 3, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 24, "options": { "style": "decimal" } } }, { "columnMatch": "maximum E2E IngestionLatency", "formatter": 3, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 
24, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "link", "formatter": 7, "formatOptions": { "linkTarget": "Url" } }, { "columnMatch": "TotalGBytes", "formatter": 3, "formatOptions": { "aggregation": "Count" } } ], "filter": true, "sortBy": [ { "itemKey": "$gen_bar_maximum E2E IngestionLatency_3", "sortOrder": 1 } ], "labelSettings": [ { "columnId": "average E2E IngestionLatency", "label": "avg E2E Ingestion Latency" }, { "columnId": "minimun E2E IngestionLatency", "label": "min E2E Ingestion Latency" }, { "columnId": "maximum E2E IngestionLatency", "label": "max E2E Ingestion Latency" } ] }, "sortBy": [ { "itemKey": "$gen_bar_maximum E2E IngestionLatency_3", "sortOrder": 1 } ], "tileSettings": { "showBorder": false, "titleContent": { "columnMatch": "SolutionName", "formatter": 1 }, "leftContent": { "columnMatch": "TotalGBytes", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } }, "graphSettings": { "type": 0, "topContent": { "columnMatch": "SolutionName", "formatter": 1 }, "centerContent": { "columnMatch": "TotalGBytes", "formatter": 1, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } } }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Latency" }, "name": "query - 8" }, { "type": 1, "content": { "json": "## Computer Heartbeat and Latency : {TimeRange}" }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Latency" }, "name": "text - 11" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Subscription}" ], "parameters": [ { "id": "759ca753-ed9f-4ca0-8bf1-d929d77e8128", "version": "KqlParameterItem/1.0", "name": "ComputerName", "type": 5, "isRequired": true, "query": "resources\r\n| where type == 
\"microsoft.compute/virtualmachines\" or type == \"microsoft.hybridcompute/machines\"\r\n| project name", "crossComponentResources": [ "{Subscription}" ], "value": null, "typeSettings": { "additionalResourceOptions": [] }, "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "e0fb3c9a-f42f-4dfb-a86c-f4dd36584904", "version": "KqlParameterItem/1.0", "name": "UnhealthyCriteria", "label": "Unhealthy Criteria", "type": 2, "isRequired": true, "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\r\n { \"value\":\"1m\", \"label\":\"1 minute without heartbeat\", \"selected\":false },\r\n { \"value\":\"5m\", \"label\":\"5 minutes without heartbeat\", \"selected\":false },\r\n { \"value\":\"30m\", \"label\":\"30 minutes without heartbeat\", \"selected\":false },\r\n { \"value\":\"1h\", \"label\":\"1 hour without heartbeat\", \"selected\":true },\r\n { \"value\":\"2h\", \"label\":\"2 hours without heartbeat\", \"selected\":false },\r\n { \"value\":\"8h\", \"label\":\"8 hours without heartbeat\", \"selected\":false },\r\n { \"value\":\"1d\", \"label\":\"1 day without heartbeat\", \"selected\":false },\r\n { \"value\":\"2d\", \"label\":\"2 days without heartbeat\", \"selected\":false },\r\n { \"value\":\"7d\", \"label\":\"7 days without heartbeat\", \"selected\":false }\r\n]", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange" } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Latency" }, "name": "parameters - 13" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Heartbeat \r\n| where Computer startswith \"{ComputerName}\"\r\n| summarize HeartBeatperHour = count() by bin(TimeGenerated,1h) ", "size": 0, "title": "HeartBeat", "timeContext": { "durationMs": 2592000000 }, 
"timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "linechart", "chartSettings": { "showLegend": true } }, "customWidth": "50", "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Latency" }, "name": "query - 13" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Heartbeat \r\n| where Computer startswith \"{ComputerName}\"\r\n| extend E2EIngestionLatency = todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated))/60 \r\n| extend AgentLatency = todouble(datetime_diff(\"Second\",_TimeReceived,TimeGenerated))/60 \r\n| summarize avg(E2EIngestionLatency),avg(AgentLatency) by bin(TimeGenerated,1h) \r\n| project TimeGenerated, avgE2Elatency = avg_E2EIngestionLatency, avgAgentLatency = avg_AgentLatency\r\n", "size": 0, "title": "Latency", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "timechart", "gridSettings": { "formatters": [ { "columnMatch": "avgE2E", "formatter": 0, "formatOptions": { "showIcon": true }, "numberFormat": { "unit": 0, "options": { "style": "decimal" } } } ] }, "tileSettings": { "showBorder": false }, "chartSettings": { "showLegend": true, "ySettings": { "unit": 24, "min": null, "max": null } } }, "customWidth": "50", "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Latency" }, "name": "query - 14" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Heartbeat\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize LastHeartbeat = max(TimeGenerated) by Computer\r\n| extend State = iff(LastHeartbeat < ago({UnhealthyCriteria}), 'Unhealthy', 'Healthy')\r\n| extend TimeFromNow = now() - LastHeartbeat\r\n| extend [\"TimeAgo\"] = 
strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n| join (\r\nHeartbeat\r\n| where TimeGenerated {TimeRange:query}\r\n| extend Packed = pack_all()\r\n) on Computer\r\n| where TimeGenerated == LastHeartbeat\r\n| join (\r\nHeartbeat\r\n| where TimeGenerated {TimeRange:query}\r\n| make-series InternalTrend=iff(count() > 0, 1, 0) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {UnhealthyCriteria} by Computer\r\n| extend Trend=array_slice(InternalTrend, array_length(InternalTrend) - 30, array_length(InternalTrend)-1)\r\n| extend (s_min, s_minId, s_max, s_maxId, s_avg, s_var, s_stdev) = series_stats(Trend)\r\n| project Computer, Trend, s_avg\r\n) on Computer\r\n| order by State, s_avg asc, TimeAgo\r\n| project [\"_ComputerName_\"] = Computer, [\"Computer\"]=Computer, State, [\"Environment\"] = iff(ComputerEnvironment == \"Azure\", ComputerEnvironment, Category), [\"OS\"]=iff(isempty(OSName), OSType, OSName), [\"Azure Resource\"]=ResourceId, [\"Time\"]=strcat('🕒 ', TimeAgo), [\"Heartbeat Trend\"]=Trend, [\"Details\"]=Packed", "size": 0, "title": "All Agent Heartbeat info : {TimeRange:label}", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "Computer", "exportParameterName": "exportComputer", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "_ComputerName_", "formatter": 5, "formatOptions": { "showIcon": true } }, { "columnMatch": "Computer", "formatter": 0, "formatOptions": { "showIcon": true }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "State", "formatter": 18, 
"formatOptions": { "showIcon": true, "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Healthy", "representation": "green", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "Unhealthy", "representation": "redBright", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "blue", "text": "{0}{1}" } ] } }, { "columnMatch": "Environment", "formatter": 18, "formatOptions": { "showIcon": true, "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Azure", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "Direct Agent", "representation": "magenta", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "SCOM Agent", "representation": "purple", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "SCOM Management Server", "representation": "gray", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "blue", "text": "{0}{1}" } ] }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Heartbeat Trend", "formatter": 10, "formatOptions": { "palette": "redGreen", "showIcon": true } }, { "columnMatch": "Details", "formatter": 5, "formatOptions": { "showIcon": true } } ], "filter": true, "sortBy": [ { "itemKey": "$gen_thresholds_Environment_3", "sortOrder": 1 } ] }, "sortBy": [ { "itemKey": "$gen_thresholds_Environment_3", "sortOrder": 1 } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Latency" }, "name": "query - 16" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources\r\n| where type =~ \"microsoft.compute/virtualmachines\"\r\n| where name =~ '{exportComputer}'\r\n| extend status = tostring(properties.extended.instanceView.powerState.displayStatus)\r\n| summarize by status, id, name\r\n", "size": 4, "title": "Azure PowerState: {exportComputer} ", "queryType": 1, "resourceType": 
"microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ] }, "name": "query - 9" }, { "type": 1, "content": { "json": "Measures the HeartBeat of a specific Computer, and then shows latency by comparing the result of the ingestion_time() function to the TimeGenerated property", "style": "info" }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Latency" }, "name": "text - 15" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Latency" }, "name": "group - latency" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Group: Cost", "items": [ { "type": 11, "content": { "version": "LinkItem/1.0", "style": "tabs", "links": [ { "id": "b2d72148-33fb-4afc-9860-476d2afb7b7f", "cellValue": "selectedTab1", "linkTarget": "parameter", "linkLabel": "Overview", "subTarget": "overview", "style": "link" }, { "id": "bb092bc8-2753-40d1-9044-507915dcbbe8", "cellValue": "selectedTab1", "linkTarget": "parameter", "linkLabel": "Table Analysis ", "subTarget": "table", "style": "link" }, { "id": "ed5e9da0-5b84-413d-a198-0338b248f2b7", "cellValue": "selectedTab1", "linkTarget": "parameter", "linkLabel": "Azure Sentinel ", "subTarget": "sentinel", "style": "link" }, { "id": "f23e1ce4-a2b5-4947-9dc3-6211e1021765", "cellValue": "selectedTab1", "linkTarget": "parameter", "linkLabel": "Azure Security Center", "subTarget": "asc", "style": "link" }, { "id": "68478fa5-e791-4eb7-836f-4c7ba3002fda", "cellValue": "selectedTab1", "linkTarget": "parameter", "linkLabel": "Syslog", "subTarget": "syslog", "style": "link" }, { "id": "7728c496-7831-4089-afc2-133fbe5fa06b", "cellValue": "selectedTab1", "linkTarget": "parameter", "linkLabel": "Common Security Format (CEF)", "subTarget": "cef", "style": "link" } ] }, "name": "links - 20" }, { "type": 1, "content": { "json": "### Workspace Pricing\r\n\r\nPrice Parameter: Please provide an 
estimated cost so that we can get a value in the \"Estimated Table Price\" column, in the [Workspace Info] tab. \r\ni.e. If your Log Analytics PAYG is £2.00 per GB enter 2.00. You can enter a number (without a currency symbol), in format 1.0, 2.0, 3.1 etc... \r\nIf you want to see the combined Log Analytics + Azure Sentinel estimated cost please use both PAYG prices i.e. 2.00 + 2.00 = 4.00. Please see the licence pages for both products.\r\n\r\nBase value on 7th July 2020, using an example of Azure Sentinel ($2.46 US Central PAYG) + Log Analytics ($2.76 US Central PAYG) \r\n\r\n\r\nNote: No capacity reservation is taken into account.\r\n\r\n\r\n### Anomaly Detection\r\nSome reports now show anomaly detection; this explains the Score:\r\nhttps://docs.microsoft.com/en-us/azure/data-explorer/anomaly-detection#time-series-anomaly-detection\r\n\r\nAnomaly scores above 1.5 or below -1.5 indicate a mild anomaly rise or decline respectively. Anomaly scores above 3.0 or below -3.0 indicate a strong anomaly.", "style": "info" }, "customWidth": "48", "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Cost" }, { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" } ], "name": "text - 15" }, { "type": 1, "content": { "json": "### Azure Security Center \r\n\r\nASC allows for 500MB/day (0.5GBytes) of *free* data to be sent by each Computer. Please see the licencing link at the bottom of this text box.\r\nYou have two variables:\r\n1. The total allowed: < number of computers> * 0.5GB (this is a pooled metric). \t\r\n\te.g. 4 computers * 0.5GB = 2.0GB, the maximum value which is allowed to be sent for free. Any data over this number will have the standard (Azure Sentinel + Log Analytics) charge applied. \r\n2. 
The actual data sent by each computer\r\n\te.g 4 * computers * 0.1GB = 0.4GB, which is allowed for free.\r\n\r\nTo fully calculate the Azure Sentinel average GBytes per day, if ASC data is present, we need to take #1 from the total or #2. This is shown as the \"Revised GiB Number\". \r\n\r\n### Note: Licencing is subject to change, you must fully investigate and understand from the current documentation the implications.\r\nhttps://azure.microsoft.com/en-us/pricing/details/security-center/ correct as of 17th September 2020. \r\nRESOURCE TYPE\tFREE TIER\tSTANDARD TIER (a.k.a \"Azure Defender ON\")\r\nVirtual Machine\tFree\t$0.02/Server/Hour\r\nIncluded data - 500 MB/day", "style": "info" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Cost" }, { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" } ], "name": "text - 15 - Copy" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Sentinel Usage", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Subscription}" ], "parameters": [ { "id": "923d55a3-75ac-4ce2-8820-50b4a530a553", "version": "KqlParameterItem/1.0", "name": "SentinelPrice", "type": 1, "description": "Enter a value for Azure Sentinel Data cost, default: 2.0", "value": "2.0", "timeContext": { "durationMs": 86400000 } }, { "id": "f87b71cc-4738-41b7-8625-63656640e6ad", "version": "KqlParameterItem/1.0", "name": "SentinelCap", "type": 1, "query": "resources\r\n// Just show Workspaces that have Azure Sentinel enabled\r\n| where type == \"microsoft.operationsmanagement/solutions\"\r\n| where name has \"SecurityInsights\"\r\n| parse name with * '(' s_workspace ')'*\r\n| extend sku = tolower(properties.sku.name)\r\n| extend capacityReservationLevel = properties.sku.capacityReservationLevel\r\n// add fake level for testing\r\n//| extend capacityReservationLevel = 200 , sku = 
\"capacityreservation\"\r\n//\r\n| project capacityReservationLevel\r\n\r\n\r\n", "crossComponentResources": [ "{Subscription}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "72f36500-a03a-42ed-bac1-db83d92ca534", "version": "KqlParameterItem/1.0", "name": "discountRate", "type": 1, "query": "resources\r\n// Just show Workspaces that have Azure Sentinel enabled\r\n| where type == \"microsoft.operationsmanagement/solutions\"\r\n| where name has \"SecurityInsights\"\r\n| parse name with * '(' s_workspace ')'*\r\n| extend sku = tolower(properties.sku.name)\r\n| extend capacityReservationLevel = properties.sku.capacityReservationLevel\r\n// add fake level for testing\r\n//| extend capacityReservationLevel = 200 , sku = \"capacityreservation\"\r\n| extend discountRate = case(\r\ncapacityReservationLevel == 100,50,\r\ncapacityReservationLevel == 200,55,\r\ncapacityReservationLevel == 300,57,\r\ncapacityReservationLevel == 400,58,\r\ncapacityReservationLevel == 500,60,\r\ncapacityReservationLevel >= 500,60,\r\n// else\r\n0\r\n)\r\n| project discountRate\r\n\r\n", "crossComponentResources": [ "{Subscription}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "version": "KqlParameterItem/1.0", "name": "lawCap", "type": 1, "query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces' \r\n| where id has \"{Workspace}\"\r\n| project capacityReservationLevel = properties.sku.capacityReservationLevel\r\n", "crossComponentResources": [ "{Subscription}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "id": "2665b7ce-d7df-4130-a67f-1486b598edb7" }, { "id": "2b57d534-a06f-43c3-a6da-b01158540eab", "version": "KqlParameterItem/1.0", "name": "SentinelSku", "type": 1, 
"query": "resources\r\n// Just show Workspaces that have Azure Sentinel enabled\r\n| where type == \"microsoft.operationsmanagement/solutions\"\r\n| where name has \"SecurityInsights\"\r\n| parse name with * '(' s_workspace ')'*\r\n| project sku = tolower(properties.sku.name)", "crossComponentResources": [ "{Subscription}" ], "isHiddenWhenLocked": true, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" } ], "style": "pills", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, "name": "parameters - 3" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources\r\n// Just show Workspaces that have Azure Sentinel enabled\r\n| where type == \"microsoft.operationsmanagement/solutions\"\r\n| where name has \"SecurityInsights\"\r\n| parse name with * '(' s_workspace ')'*\r\n| extend sku = tolower(properties.sku.name)\r\n| extend capacityReservationLevel = properties.sku.capacityReservationLevel\r\n// add fake level for testing\r\n//| extend capacityReservationLevel = 100 , sku = \"capacityreservation\"\r\n//\r\n| extend pricingTier = case(\r\nsku == 'capacityreservation' and capacityReservationLevel == 100,\r\n'100 GB/day Capacity Reservation',\r\nsku == 'capacityreservation' and capacityReservationLevel == 200,\r\n'200 GB/day Capacity Reservation',\r\nsku == 'capacityreservation' and capacityReservationLevel == 300,\r\n'300 GB/day Capacity Reservation',\r\nsku == 'capacityreservation' and capacityReservationLevel == 400,\r\n'400 GB/day Capacity Reservation',\r\nsku == 'capacityreservation' and capacityReservationLevel >= 500,\r\n'500 GB/day and above Capacity Reservation',\r\nsku == 'free',\r\n'Free',\r\nsku == 'standard',\r\n'Standard',\r\nsku == 'premium',\r\n'Premium',\r\nsku == 'standalone',\r\n'Standalone',\r\nsku == 'pernode',\r\n'Per Node',\r\nsku == 'lacluster',\r\n'Cluster Level Capacity Reservation',\r\nsku == 'pergb2018' or sku == 'pergb',\r\n'Pay-as-you-go',\r\nstrcat('Unknown:',sku))\r\n| extend 
discountRate = case(\r\ncapacityReservationLevel == 100,50,\r\ncapacityReservationLevel == 200,55,\r\ncapacityReservationLevel == 300,57,\r\ncapacityReservationLevel == 400,58,\r\ncapacityReservationLevel == 500,60,\r\ncapacityReservationLevel >= 500,60,\r\n// else\r\n0\r\n)\r\n| project ['Workspace Name']=s_workspace, location, sku, capacityReservationLevel, discountRate , tags\r\n\r\n\r\n", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ], "sortBy": [] }, "name": "query - 16" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "//let lookBack = 31;\r\nunion *\r\n| where _IsBillable == true\r\n| summarize dataPerDay = round(sum(_BilledSize)/(1024*1024*1024),0) by bin(TimeGenerated,1d), SentinelCR='{SentinelCap}'\r\n| extend higherCR = case(\r\n dataPerDay < 100, 100,\r\n dataPerDay > 100 and dataPerDay < 200, 200,\r\n dataPerDay > 200 and dataPerDay < 300, 300,\r\n dataPerDay > 300 and dataPerDay < 400, 400,\r\n dataPerDay > 400 and dataPerDay < 500, 500,\r\n dataPerDay > 500 and dataPerDay < 1000, 1000,\r\n dataPerDay > 1000 and dataPerDay < 10000, 10000,\r\n // else\r\n 0\r\n )\r\n| extend lowerCR= (higherCR - 100)\r\n//| project TimeGenerated, dataPerDay, lowerCR, higherCR, SentinelCR\r\n\r\n\r\n", "size": 1, "aggregation": 3, "showAnnotations": true, "title": "Actual Data Volume and Capacity Reservation. Data from: {TimeRange:label}. 
", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "y", "exportParameterName": "yAxis", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "timechart", "gridSettings": { "formatters": [ { "columnMatch": "Column1", "formatter": 5 }, { "columnMatch": "dataPerDay", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "maximumSignificantDigits": 2 } } } ] }, "sortBy": [], "chartSettings": { "yAxis": [ "dataPerDay", "higherCR", "lowerCR", "SentinelCR" ] } }, "name": "query - chart of CR" }, { "type": 1, "content": { "json": "### Capacity Reservation Insight\r\nThis report shows the Average GB/day (based on the TimeRange parameter), rounded up to the nearest whole number; this is the number the Azure Pricing Calculator requires. See https://azure.microsoft.com/en-us/pricing/calculator/ for Azure Sentinel.\r\n- The Pay as You Go (PAYG_estimate) is the GB/day multiplied by the [Azure Sentinel Price] parameter, default is 2.0 (the price in $ for EAST US). This is location and currency neutral, so adjust to your own preferred value. This is the Daily estimate of the price.\r\n- The Pay as You Go (PAYG_estimate_mthly) is the Monthly (31-day) estimate of the price.\r\n- CR_Estimate_Monthly is the (PAYG_estimate_mthly) minus any discount for the Capacity Reservation Tier that is *currently* set." 
}, "name": "text - 5 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": " project actual_ = '{GiBperday}' , roundUp_ = round(toreal('{GiBperday}'),0)\r\n| extend lookBack = 31\r\n| extend roundUp_ = iif(isnan(roundUp_),toreal(0),toreal(roundUp_))\r\n| extend PAYG_estimate = roundUp_ * {SentinelPrice}\r\n| extend discountRate = iif(isempty('{discountRate}'),\"0\",'{discountRate}') \r\n| extend PAYG_estimate_mthly = (PAYG_estimate * lookBack)\r\n| extend CR_estimate_mthly = PAYG_estimate_mthly * tolong(discountRate) / 100\r\n| summarize by ['avg GB/day']=roundUp_, PAYG_estimate, PAYG_estimate_mthly, CR_estimate_mthly", "size": 4, "aggregation": 5, "showAnnotations": true, "title": "Capacity Reservation. Price per GB:{SentinelPrice}, Discount %: {discountRate} ", "exportFieldName": "y", "exportParameterName": "yAxis", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "PAYG_estimate", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "maximumSignificantDigits": 2 } } }, { "columnMatch": "PAYG_estimate_mthly", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "avgDataPerDay", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "PAYG_estimate_daily", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "maximumSignificantDigits": 2 } } } ] }, "sortBy": [] }, "name": "query - billing - Copy" }, { "type": 1, "content": { "json": "### Capacity Reservation for your Average GB/day value? 
\r\nThis report helps you decide:\r\n- A green circle in a Status column 🟢 indicates you are on the Optimal setting, based on your average data ingestion (GB/day) and Pay As You Go/Capacity reservation settings.\r\n- A recommended value of \"0\" / zero means that you are on a setting (SKU) such as Free, PerGB etc. rather than a Capacity Reservation setting.\r\n- If the 'recommended' Azure Sentinel or Workspace setting doesn't match the 'current' setting you will get a Blue Circle in the Status columns 🔵.\r\n- Please read https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/ and https://azure.microsoft.com/en-us/pricing/details/monitor/ before deciding. " }, "name": "text - 5" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": " project actual_ = '{GiBperday}' , roundUp_ = round(toreal('{GiBperday}'),0)\r\n| extend lookBack = 31\r\n| extend i = roundUp_ //* 100\r\n| extend i = iif(isnan(i),toreal(0),toreal(i))\r\n// Azure Sentinel Capacity Reservation logic\r\n| extend recommendedSentinelCR = case(\r\n i <= 50,\"0\",\r\n i between (51 .. 140),\"100\",\r\n i between (141 .. 240),\"200\",\r\n i between (241 .. 335),\"300\",\r\n i between (336 .. 434),\"400\",\r\n i >= 435 ,\"500\",\r\n //else\r\n strcat(\"unknown Sentinel CR: \", i)\r\n)\r\n// Azure Log Analytics (LAW) Capacity Reservation logic\r\n| extend recommendedWorkspaceCR = case(\r\n i <= 85,\"0\",\r\n i between (86 .. 174),\"100\",\r\n i between (175 .. 274),\"200\",\r\n i between (275 .. 372),\"300\",\r\n i between (373 .. 
470),\"400\",\r\n i >= 471 ,\"500\",\r\n //else\r\n strcat(\"unknown LAW CR: \", i)\r\n)\r\n| extend avgDataPerDay = i\r\n| extend currentSentinelCR = iif(isempty('{SentinelCap}'),\"0\",'{SentinelCap}')\r\n| extend currentWorkspaceCR = iif(isempty('{lawCap}'),\"0\",'{lawCap}')\r\n| extend sentinelOptimal = iif(recommendedSentinelCR == currentSentinelCR,1,0)\r\n| extend lawOptimal = iif(recommendedWorkspaceCR == currentWorkspaceCR,1,0)\r\n//| project avgDataPerDay,sentinelOptimal, lawOptimal, recommendedSentinelCR, recommendedWorkspaceCR,actualSentinelCR, actualWorkspaceCR\r\n| summarize by ['avg GB/day']=avgDataPerDay,['Azure Sentinel Status']=sentinelOptimal, ['Log Analytics Status']=lawOptimal, recommendedSentinelCR, recommendedWorkspaceCR,currentSentinelCR, currentWorkspaceCR", "size": 4, "title": "Capacity Reservation Recommendations", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Azure Sentinel Status", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "1", "representation": "success", "text": "" }, { "operator": "Default", "thresholdValue": null, "representation": "pending", "text": "" } ] }, "tooltipFormat": { "tooltip": "If Current and Recommended settings dont match the avg. GB/day - look to adjust? " } }, { "columnMatch": "Log Analytics Status", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "1", "representation": "success", "text": "" }, { "operator": "Default", "thresholdValue": null, "representation": "pending", "text": "" } ] }, "tooltipFormat": { "tooltip": "If Current and Recommended settings dont match the avg. GB/day - look to adjust? 
" } } ] } }, "name": "query - CR optimal" } ] }, "conditionalVisibility": { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "sentinel" }, "name": "group - capReservation" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "ASC Usage", "items": [ { "type": 1, "content": { "json": "## Azure Security Center: Usage Reports\r\n- - - " }, "name": "text - 15" }, { "type": 1, "content": { "json": "The following two charts help you understand Azure Security Center / SecurityEvent data if it's present.\r\n- Top 10 computers sending SecurityEvent log information & the SecurityEvent capacity \r\n- The final chart shows the potential allowance (each Azure Defender ON licence allows for 500MB/day). Azure Defender ON was formerly ASC standard. You can see what was Used vs. Allowed (where allowed = 500MB * < count of servers>) " }, "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, "name": "text - 8" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource = tt *\r\n| where TimeGenerated > ago(30d)\r\n| where _IsBillable == True\r\n// Calculate the daily GiB size per billable Table and unique Server count \r\n| summarize allGBytes =sum(_BilledSize)/(1024*1024*1024), ascGBytes=sumif(_BilledSize, Type == \"SecurityEvent\")/(1024*1024*1024), ascComputerCount = dcountif(Computer,tt == \"SecurityEvent\") by bin(TimeGenerated, 1d)\r\n// Calculate daily GiB average, and average ASC server count. 
Each Server is allowed max 0.5GB each\r\n| summarize avg(allGBytes), avg(ascGBytes),ascComputers=round(avg(ascComputerCount),0),ascMaxGB = avg(ascComputerCount) * 0.5\r\n// If ASC sends less than the allowed max, revise the GB averge per day, else use the max allowed (all servers * 0.5)\r\n| extend revisedNumber = iif(avg_ascGBytes <= ascMaxGB, allMinusASCused = (avg_allGBytes - avg_ascGBytes),allMinusASCused = (avg_allGBytes - ascMaxGB) )\r\n| extend withinPool = iif(avg_ascGBytes >= ascMaxGB,\"Yes\",\"No\")\r\n| extend overBy = iif(round(avg_ascGBytes,2) - round(ascMaxGB,2) < 0 , toreal(0), round(avg_ascGBytes,2) - round(ascMaxGB,2) )\r\n| project ['Raw Average GiB'] = avg_allGBytes,\r\n ['ASC has used, GiB'] = strcat(round(avg_ascGBytes,1),\" GiB of \" ,round(ascMaxGB,1), \" GiB across \", ascComputers , \" Computers\"), \r\n ['Revised GiB Number']= round(revisedNumber,2),\r\n ['Help'] =\"Please toggle [Show Help] to Yes, for more information\", \r\n ['Sent more than allocation?'] = withinPool,\r\n ['Overage in GiB'] = overBy\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n", "size": 4, "aggregation": 3, "title": "Average GiB per day: past 30days only", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Raw Average GiB", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } }, { "columnMatch": "ASC has used, GiB", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "maximumSignificantDigits": 3 } } }, { "columnMatch": "Sent more than allocation?", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "yes", "representation": "2", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}{1}" } ] } }, { 
"columnMatch": "ASC has used", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "maximumSignificantDigits": 3 } } }, { "columnMatch": "Revised Number", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "maximumSignificantDigits": 3 } } }, { "columnMatch": "Average GiB/day", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "maximumSignificantDigits": 3 } } }, { "columnMatch": "Average GB per day", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } }, { "columnMatch": "Adjusted for ASC standard 500MB allowance", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } }, { "columnMatch": "sum_ASCs", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } }, { "columnMatch": "ASCsize", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } }, { "columnMatch": "Adjusted for ASC standard", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } }, { "columnMatch": "avg_TotalGBytes", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } } ] }, "sortBy": [], "chartSettings": { "showMetrics": false, "seriesLabelSettings": [ { "seriesName": "BillingVolumeNow", "color": "green" }, { "seriesName": "BillingForecast", "color": "redBright" } ] } }, "name": "query - 20" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityEvent\r\n| summarize MBytes=sum(_BilledSize) by Computer\r\n| top 10 by MBytes desc", "size": 1, "aggregation": 3, "title": "Top 10 Computers, using Azure Defender ON, from: {TimeRange:label} 
", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "barchart", "gridSettings": { "formatters": [ { "columnMatch": "MBytes", "formatter": 0, "formatOptions": {}, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Table Size", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "bill", "formatter": 0, "formatOptions": {}, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } } ] }, "chartSettings": { "seriesLabelSettings": [ { "seriesName": "BillingVolumeNow", "color": "green" }, { "seriesName": "BillingForecast", "color": "redBright" } ], "xSettings": {}, "ySettings": { "numberFormatSettings": { "unit": 2, "options": { "style": "decimal", "useGrouping": true } } } } }, "name": "query - 20 - Copy - Copy - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityEvent\r\n// ASC Standard allows 500MB per machine - in a pool \r\n| summarize allowedMBytes=524288000 * dcount(Computer), usedMBytes=sum(_BilledSize) , dcount(Computer) by bin(TimeGenerated,{TimeRange:grain})\r\n", "size": 0, "aggregation": 3, "title": "Azure Defender ON, allowance vs. 
in use, Last 30days", "timeContext": { "durationMs": 2592000000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "unstackedbar", "gridSettings": { "formatters": [ { "columnMatch": "MBytes", "formatter": 0, "formatOptions": {}, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Table Size", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "bill", "formatter": 0, "formatOptions": {}, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } } ], "sortBy": [ { "itemKey": "TimeGenerated", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "TimeGenerated", "sortOrder": 2 } ], "chartSettings": { "seriesLabelSettings": [ { "seriesName": "BillingVolumeNow", "color": "green" }, { "seriesName": "BillingForecast", "color": "redBright" } ], "xSettings": {}, "ySettings": { "numberFormatSettings": { "unit": 2, "options": { "style": "decimal", "useGrouping": true } } } } }, "name": "query - 20 - Copy - Copy - Copy - Copy - Copy" }, { "type": 1, "content": { "json": "The following three charts help you understand SecurityEvent data if it's present.\r\n- SecurityEvents are captured in Groups: All, Common, Minimal and None\r\n- Using https://docs.microsoft.com/en-gb/azure/data-explorer/kusto/query/series-decompose-anomaliesfunction we will look at this data\r\n- There are displays for Activity and EventIds that are captured in _Minimal_ and _Common_. 
Note _Minimal_ is a subset of _Common_\r\n- _\"All\"_ is a special case, as there isn't a list of those, I have listed any EventIds found, but only those not within _Common_\r\n- Using the anomalies function, we look at the expected count and actual count, give that a score (the higher variances are marked in Red), a baseline and a Trend for the TimeRange ", "style": "info" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Cost" }, { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" } ], "name": "text -ASC help for minimal common and all " }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "9f998673-d827-4bbf-97c3-16bd0b85bd5f", "version": "KqlParameterItem/1.0", "name": "AnomolyTuning", "type": 10, "description": "Anomaly scores above 1.5 or below -1.5 indicate a mild anomaly rise or decline respectively. Anomaly scores above 3.0 or below -3.0 indicate a strong anomaly. 2.0 added for a Medium range.", "isRequired": true, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\r\n { \"value\": \"0\", \"label\": \"None\" },\r\n { \"value\": \"1.5\", \"label\": \"Mild\" },\r\n { \"value\": \"2.0\", \"label\": \"Medium\", \"selected\":true },\r\n { \"value\": \"3.0\", \"label\": \"Strong\"}\r\n]\r\n", "timeContext": { "durationMs": 86400000 } } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 10" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "//\r\n// source: https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection#data-collection-tier\r\n//\r\nlet minimal = dynamic([1102,4624,4625,4657,4663,4688,4700,4702,4719,4720,4722,4723,4724,4727,4728,4732,4735,4737,4739,4740,4754,4755,\r\n4756,4767,4799,4825,4946,4948,4956,5024,5033,8001,8002,8003,8004,8005,8006,8007,8222]);\r\nSecurityEvent\r\n| where EventID in 
(minimal)\r\n| summarize Count = count(), BilledSize= sum(_BilledSize) by EventID, Activity\r\n| order by EventID asc \r\n| join \r\n( \r\n SecurityEvent\r\n | make-series Trend = count() on TimeGenerated from startofday({TimeRange:start}) to startofday({TimeRange:end}) step {TimeRange:grain} by EventID\r\n | extend (anomalies, score, baseline) = series_decompose_anomalies(Trend, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n | extend Score = score[-1]\r\n | extend expectedEventCounts=baseline[-1], actualEventCount=Trend[-1], Score = score[-1], Trend\r\n | project-away score\r\n) on EventID\r\n| where Score > {AnomolyTuning} or Score < toreal(strcat(\"-\",{AnomolyTuning}))\r\n| project-away EventID1\r\n| project Activity, expectedEventCounts, actualEventCount, Score, Trend, baseline, anomalies, Count, BilledSize\r\n//https://docs.microsoft.com/en-us/azure/data-explorer/anomaly-detection#time-series-anomaly-detection", "size": 1, "title": "ASC : \"minimal\" data set - {TimeRange:label}. anomaly-detection:{AnomolyTuning:label}", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "expectedEventCounts", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2 } } }, { "columnMatch": "Score", "formatter": 8, "formatOptions": { "palette": "greenRed", "customColumnWidthSetting": "10ch" } }, { "columnMatch": "Trend", "formatter": 10, "formatOptions": { "palette": "pink" } }, { "columnMatch": "baseline", "formatter": 21, "formatOptions": { "palette": "purple" } }, { "columnMatch": "anomalies", "formatter": 10, "formatOptions": { "palette": "redBright" } }, { "columnMatch": "BilledSize", "formatter": 4, "formatOptions": { "palette": "greenRed" }, "numberFormat": { 
"unit": 36, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "EventID", "formatter": 5 }, { "columnMatch": "count_", "formatter": 4, "formatOptions": { "palette": "greenRed" } }, { "columnMatch": "TimeGenerated", "formatter": 5 } ], "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Score_3", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Score_3", "sortOrder": 2 } ], "tileSettings": { "showBorder": false, "titleContent": { "columnMatch": "Activity", "formatter": 1 }, "leftContent": { "columnMatch": "EventID", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } }, "graphSettings": { "type": 2, "topContent": { "columnMatch": "Activity", "formatter": 1 }, "centerContent": { "columnMatch": "EventID", "formatter": 1, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } }, "nodeIdField": "Activity", "sourceIdField": "Activity", "targetIdField": "EventID", "graphOrientation": 3, "showOrientationToggles": false, "nodeSize": null, "staticNodeSize": 100, "colorSettings": { "nodeColorField": "GBytes", "type": 1, "colorPalette": "cool" }, "hivesMargin": 5 } }, "name": "query - ASC minimal" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "//\r\n// source: https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection#data-collection-tier\r\n//\r\nlet common = 
dynamic([1,299,300,324,340,403,404,410,411,412,413,431,500,501,1100,1102,1107,1108,4608,4610,4611,4614,4622,\r\n4624,4625,4634,4647,4648,4649,4657,4661,4662,4663,4665,4666,4667,4688,4670,4672,4673,4674,4675,4689,4697,\r\n4700,4702,4704,4705,4716,4717,4718,4719,4720,4722,4723,4724,4725,4726,4727,4728,4729,4733,4732,4735,4737,\r\n4738,4739,4740,4742,4744,4745,4746,4750,4751,4752,4754,4755,4756,4757,4760,4761,4762,4764,4767,4768,4771,\r\n4774,4778,4779,4781,4793,4797,4798,4799,4800,4801,4802,4803,4825,4826,4870,4886,4887,4888,4893,4898,4902,\r\n4904,4905,4907,4931,4932,4933,4946,4948,4956,4985,5024,5033,5059,5136,5137,5140,5145,5632,6144,6145,6272,\r\n6273,6278,6416,6423,6424,8001,8002,8003,8004,8005,8006,8007,8222,26401,30004]);\r\nSecurityEvent\r\n| where EventID in (common)\r\n| summarize Count = count(), BilledSize= sum(_BilledSize) by EventID, Activity\r\n| order by EventID asc \r\n| join \r\n( \r\n SecurityEvent\r\n | make-series Trend = count() on TimeGenerated from startofday({TimeRange:start}) to startofday({TimeRange:end}) step {TimeRange:grain} by EventID\r\n | extend (anomalies, score, baseline) = series_decompose_anomalies(Trend, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n | extend Score = score[-1]\r\n | extend expectedEventCounts=baseline[-1], actualEventCount=Trend[-1], Score = score[-1], Trend\r\n | project-away score\r\n) on EventID\r\n| where Score > {AnomolyTuning} or Score < toreal(strcat(\"-\",{AnomolyTuning}))\r\n| project-away EventID1\r\n| project Activity, expectedEventCounts, actualEventCount, Score, Trend, baseline, anomalies, Count, BilledSize", "size": 1, "title": "ASC : \"common\" data set - {TimeRange:label}. 
anomaly-detection:{AnomolyTuning:label}", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "expectedEventCounts", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2 } } }, { "columnMatch": "Score", "formatter": 8, "formatOptions": { "palette": "greenRed", "customColumnWidthSetting": "10ch" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "minimumFractionDigits": 2, "maximumSignificantDigits": 1 } }, "tooltipFormat": { "tooltip": "Look for large positive numbers" } }, { "columnMatch": "Trend", "formatter": 10, "formatOptions": { "palette": "pink" } }, { "columnMatch": "baseline", "formatter": 21, "formatOptions": { "palette": "purple" } }, { "columnMatch": "anomalies", "formatter": 10, "formatOptions": { "palette": "redBright" } }, { "columnMatch": "BilledSize", "formatter": 4, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 36, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "EventID", "formatter": 5 }, { "columnMatch": "count_", "formatter": 4, "formatOptions": { "palette": "greenRed" } }, { "columnMatch": "TimeGenerated", "formatter": 5 } ], "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Score_3", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Score_3", "sortOrder": 2 } ], "tileSettings": { "showBorder": false, "titleContent": { "columnMatch": "Activity", "formatter": 1 }, "leftContent": { "columnMatch": "EventID", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } }, "graphSettings": { 
"type": 2, "topContent": { "columnMatch": "Activity", "formatter": 1 }, "centerContent": { "columnMatch": "EventID", "formatter": 1, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } }, "nodeIdField": "Activity", "sourceIdField": "Activity", "targetIdField": "EventID", "graphOrientation": 3, "showOrientationToggles": false, "nodeSize": null, "staticNodeSize": 100, "colorSettings": { "nodeColorField": "GBytes", "type": 1, "colorPalette": "cool" }, "hivesMargin": 5 } }, "name": "query - ASC common" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "//\r\n// source: https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection#data-collection-tier\r\n//\r\nlet common = dynamic([1,299,300,324,340,403,404,410,411,412,413,431,500,501,1100,1102,1107,1108,4608,4610,4611,4614,4622,\r\n4624,4625,4634,4647,4648,4649,4657,4661,4662,4663,4665,4666,4667,4688,4670,4672,4673,4674,4675,4689,4697,\r\n4700,4702,4704,4705,4716,4717,4718,4719,4720,4722,4723,4724,4725,4726,4727,4728,4729,4733,4732,4735,4737,\r\n4738,4739,4740,4742,4744,4745,4746,4750,4751,4752,4754,4755,4756,4757,4760,4761,4762,4764,4767,4768,4771,\r\n4774,4778,4779,4781,4793,4797,4798,4799,4800,4801,4802,4803,4825,4826,4870,4886,4887,4888,4893,4898,4902,\r\n4904,4905,4907,4931,4932,4933,4946,4948,4956,4985,5024,5033,5059,5136,5137,5140,5145,5632,6144,6145,6272,\r\n6273,6278,6416,6423,6424,8001,8002,8003,8004,8005,8006,8007,8222,26401,30004]);\r\nSecurityEvent\r\n| where EventID !in (common)\r\n| summarize Count = count(), BilledSize=sum(_BilledSize) by EventID, Activity, TimeGenerated\r\n| order by EventID asc \r\n| join \r\n( \r\n SecurityEvent\r\n //\r\n // anomalies - seasonality baseline that captures the repetitive pattern. 
Outliers can be clearly spotted in the Score\r\n //\r\n | make-series Trend = count() on TimeGenerated from startofday({TimeRange:start}) to startofday({TimeRange:end}) step {TimeRange:grain} by EventID\r\n | extend (anomalies, score, baseline) = series_decompose_anomalies(Trend, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n | extend Score = score[-1]\r\n | extend expectedEventCounts=baseline[-1], actualEventCount=Trend[-1], Score = score[-1], Trend\r\n | project-away score\r\n) on EventID\r\n| where Score > {AnomolyTuning} or Score < toreal(strcat(\"-\",{AnomolyTuning}))\r\n| project-away EventID1\r\n| project Activity, expectedEventCounts, actualEventCount, Score, Trend, baseline, anomalies, Count, BilledSize\r\n", "size": 0, "title": "ASC : possible \"all\" data set - EventIDs found that are not in \"common\" or \"minimal\" - {TimeRange:label}. anomaly-detection:{AnomolyTuning:label}", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "expectedEventCounts", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true, "maximumFractionDigits": 2 } } }, { "columnMatch": "Score", "formatter": 8, "formatOptions": { "palette": "greenRed", "customColumnWidthSetting": "10ch" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true, "maximumFractionDigits": 2, "maximumSignificantDigits": 2 } } }, { "columnMatch": "Trend", "formatter": 10, "formatOptions": { "palette": "pink" } }, { "columnMatch": "baseline", "formatter": 21, "formatOptions": { "palette": "purple" } }, { "columnMatch": "anomalies", "formatter": 10, "formatOptions": { "palette": "redBright" } }, { "columnMatch": "BilledSize", "formatter": 0, "numberFormat": { "unit": 36, "options": { "style": 
"decimal", "useGrouping": false } } }, { "columnMatch": "TimeGenerated", "formatter": 5 }, { "columnMatch": "sum__BilledSize", "formatter": 4, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 36, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2, "maximumSignificantDigits": 2 } } }, { "columnMatch": "score", "formatter": 5, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true, "maximumFractionDigits": 2 } } } ], "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Score_3", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Score_3", "sortOrder": 2 } ], "tileSettings": { "showBorder": false, "titleContent": { "columnMatch": "Activity", "formatter": 1 }, "leftContent": { "columnMatch": "EventID", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } }, "graphSettings": { "type": 2, "topContent": { "columnMatch": "Activity", "formatter": 1 }, "centerContent": { "columnMatch": "EventID", "formatter": 1, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } }, "nodeIdField": "Activity", "sourceIdField": "Activity", "targetIdField": "EventID", "graphOrientation": 3, "showOrientationToggles": false, "nodeSize": null, "staticNodeSize": 100, "colorSettings": { "nodeColorField": "GBytes", "type": 1, "colorPalette": "cool" }, "hivesMargin": 5 } }, "name": "query - All SecurityEvents with Trend" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let _lookback = 31;\r\nSecurityEvent\r\n| where TimeGenerated > startofday(ago(31d))\r\n| where _IsBillable == True\r\n| extend _ResourceId = iif(isempty(_ResourceId),Computer,_ResourceId)\r\n| parse _ResourceId with * \"/subscriptions/\" SubscriptionId \"/resourcegroups/\" resourceGroups \"/\" *\r\n| summarize sum(_BilledSize) by _ResourceId, SubscriptionId, 
resourceGroups\r\n//| project DeviceName =_ResourceId, sum__BilledSize, ['Estimated Price'] = (sum__BilledSize/(1024*1024*1024) - ( 0.5 * _lookback)) * {Price} \r\n| project DeviceName =_ResourceId, sum__BilledSize, adjustedNumber = (sum__BilledSize/(1024*1024*1024) - ( 0.5 * _lookback)) * {Price} , SubscriptionId, resourceGroups\r\n| extend adjustedNumber = iif(adjustedNumber <= 0,toreal(\"Included\"),adjustedNumber) \r\n| order by adjustedNumber desc\r\n", "size": 0, "title": "ASC: BilledSize vs. Overage per resource, Month View", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "sum__BilledSize", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "adjustedNumber", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "is Empty", "thresholdValue": "0", "representation": "Blank", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "Blank", "text": "{0} Overage" } ] }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2 } } }, { "columnMatch": "Estimated Price", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2 } } } ], "filter": true, "sortBy": [ { "itemKey": "$gen_number_sum__BilledSize_1", "sortOrder": 2 } ], "labelSettings": [ { "columnId": "DeviceName" }, { "columnId": "sum__BilledSize", "label": "BilledSize" }, { "columnId": "adjustedNumber", "label": "Estimated Price" } ] }, "sortBy": [ { "itemKey": "$gen_number_sum__BilledSize_1", "sortOrder": 2 } ] }, "name": "query - 9" } ] }, "conditionalVisibility": { "parameterName": "selectedTab1", 
"comparison": "isEqualTo", "value": "asc" }, "name": "group - ASC" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "CEF Usage", "items": [ { "type": 1, "content": { "json": "## CommonSecurityLog (CEF) Insights\r\n- - - " }, "name": "text - 15" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\r\n| where _IsBillable == true\r\n| summarize count(), sum(_BilledSize), estimatedPrice = sum(_BilledSize)/(1024*1024*1024) * {Price} by DeviceVendor\r\n| order by sum__BilledSize desc\r\n", "size": 0, "aggregation": 3, "title": "CEF DeviceVendor, count of activity and BilledSize", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "count_", "formatter": 8, "formatOptions": { "palette": "greenRed" } }, { "columnMatch": "sum__BilledSize", "formatter": 3, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal" } } }, { "columnMatch": "estimatedPrice", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "gb", "formatter": 8, "formatOptions": { "palette": "greenRed" } }, { "columnMatch": "MBytes", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Table Size", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "bill", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } } ], "labelSettings": [ { "columnId": "DeviceVendor" }, { "columnId": "count_", "label": 
"Count" }, { "columnId": "sum__BilledSize", "label": "BilledSize" }, { "columnId": "estimatedPrice" } ] }, "sortBy": [], "tileSettings": { "titleContent": { "columnMatch": "DeviceVendor", "formatter": 1 }, "leftContent": { "columnMatch": "gb", "formatter": 1, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2, "maximumSignificantDigits": 3 } }, "tooltipFormat": { "tooltip": "BilledSize" } }, "secondaryContent": { "columnMatch": "estimatedPrice", "formatter": 12, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 18, "options": { "style": "decimal", "useGrouping": false } }, "tooltipFormat": { "tooltip": "Estimated Cost" } }, "showBorder": false }, "chartSettings": { "seriesLabelSettings": [ { "seriesName": "BillingVolumeNow", "color": "green" }, { "seriesName": "BillingForecast", "color": "redBright" } ], "ySettings": { "numberFormatSettings": { "unit": 2, "options": { "style": "decimal", "useGrouping": true } } } } }, "customWidth": "50", "name": "query - CEF chart" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\r\n| where _IsBillable == true\r\n| summarize count(LogSeverity),sum(_BilledSize) by LogSeverity \r\n| join (CommonSecurityLog\r\n | make-series Trend = count(LogSeverity) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by LogSeverity\r\n) on LogSeverity\r\n//| extend LogSeverity = round(tolong(LogSeverity),2)\r\n| order by LogSeverity asc\r\n", "size": 0, "title": "CEF count by Severity, BilledSize and Trend", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "tiles", "tileSettings": { "titleContent": { "columnMatch": "LogSeverity", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { 
"operator": "is Empty", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}{1}" } ] }, "tooltipFormat": { "tooltip": "Log Severity Value" } }, "subtitleContent": { "columnMatch": "sum__BilledSize", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } }, "tooltipFormat": { "tooltip": "BilledSize" } }, "leftContent": { "columnMatch": "count_LogSeverity", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2, "maximumSignificantDigits": 3 } }, "tooltipFormat": { "tooltip": "" } }, "secondaryContent": { "columnMatch": "Trend", "formatter": 21, "formatOptions": { "palette": "green" } }, "showBorder": false } }, "customWidth": "50", "name": "query - 5" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\r\n| where _IsBillable == true\r\n// add price column \r\n| summarize sum(_BilledSize), estimatedPrice = sum(_BilledSize)/(1024*1024*1024) * {Price} by DeviceVendor, DeviceName, DeviceProduct\r\n| order by DeviceVendor asc\r\n// add cost by facility \r\n", "size": 1, "aggregation": 3, "title": "Data by CEF Vendors, from: {TimeRange:label} ", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "sum__BilledSize", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal" } } }, { "columnMatch": "estimatedPrice", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": 
"Table Size", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } } ], "filter": true, "hierarchySettings": { "treeType": 1, "groupBy": [ "DeviceVendor", "DeviceName" ] }, "sortBy": [ { "itemKey": "$gen_count_$gen_group_0", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_count_$gen_group_0", "sortOrder": 2 } ], "chartSettings": { "seriesLabelSettings": [ { "seriesName": "BillingVolumeNow", "color": "green" }, { "seriesName": "BillingForecast", "color": "redBright" } ], "xSettings": {}, "ySettings": { "numberFormatSettings": { "unit": 2, "options": { "style": "decimal", "useGrouping": true } } } } }, "name": "query - CEF chart - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\r\n| where _IsBillable == true\r\n| summarize count(), sum(_BilledSize), estimatedPrice = sum(_BilledSize)/(1024*1024*1024) * {Price} by DeviceEventClassID, DeviceVendor, DeviceName, DeviceProduct, LogSeverity\r\n| order by sum__BilledSize, estimatedPrice desc\r\n", "size": 1, "aggregation": 3, "title": "Data by CEF Vendors, from: {TimeRange:label} , filter by DeviceEventClassID", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "LogSeverity", "formatter": 8, "formatOptions": { "palette": "greenRed" } }, { "columnMatch": "sum__BilledSize", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal" } } }, { "columnMatch": "estimatedPrice", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "Table Size", 
"formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } } ], "filter": true, "hierarchySettings": { "treeType": 1, "groupBy": [ "DeviceVendor", "DeviceName" ] } }, "chartSettings": { "seriesLabelSettings": [ { "seriesName": "BillingVolumeNow", "color": "green" }, { "seriesName": "BillingForecast", "color": "redBright" } ], "xSettings": {}, "ySettings": { "numberFormatSettings": { "unit": 2, "options": { "style": "decimal", "useGrouping": true } } } } }, "name": "query - CEF DeviceEventClassID" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\r\n| summarize dcount(DeviceEventClassID), sum(_BilledSize), estimatedPrice = sum(_BilledSize)/(1024*1024*1024) * {Price} by DeviceVendor, SourceIP, DestinationIP, _ResourceId\r\n", "size": 1, "title": "CEF: data set - {TimeRange:label}", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "_ResourceId", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "25ch" } }, { "columnMatch": "count_", "formatter": 4, "formatOptions": { "palette": "greenRed" } }, { "columnMatch": "BilledSize", "formatter": 4, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 36, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "estimatedPrice", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "expectedEventCounts", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2 } } }, { 
"columnMatch": "Score", "formatter": 8, "formatOptions": { "palette": "greenRed", "customColumnWidthSetting": "10ch" } }, { "columnMatch": "Trend", "formatter": 10, "formatOptions": { "palette": "pink" } }, { "columnMatch": "baseline", "formatter": 21, "formatOptions": { "palette": "purple" } }, { "columnMatch": "anomalies", "formatter": 10, "formatOptions": { "palette": "redBright" } }, { "columnMatch": "EventID", "formatter": 5 }, { "columnMatch": "TimeGenerated", "formatter": 5 } ], "filter": true, "labelSettings": [ { "columnId": "DeviceVendor" }, { "columnId": "SourceIP" }, { "columnId": "DestinationIP" }, { "columnId": "_ResourceId" }, { "columnId": "dcount_DeviceEventClassID", "label": "Count of unique ClassIDs", "comment": "DeviceEventClassIDs" }, { "columnId": "sum__BilledSize", "label": "BilledSize" }, { "columnId": "estimatedPrice", "label": "Estimated Price" } ] }, "sortBy": [], "tileSettings": { "showBorder": false, "titleContent": { "columnMatch": "Activity", "formatter": 1 }, "leftContent": { "columnMatch": "EventID", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } }, "graphSettings": { "type": 2, "topContent": { "columnMatch": "Activity", "formatter": 1 }, "centerContent": { "columnMatch": "EventID", "formatter": 1, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } }, "nodeIdField": "Activity", "sourceIdField": "Activity", "targetIdField": "EventID", "graphOrientation": 3, "showOrientationToggles": false, "nodeSize": null, "staticNodeSize": 100, "colorSettings": { "nodeColorField": "GBytes", "type": 1, "colorPalette": "cool" }, "hivesMargin": 5 } }, "name": "query - CEF events" } ] }, "conditionalVisibility": { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "cef" }, "name": "group - CEF" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", 
"groupType": "editable", "title": "Syslog Usage", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Syslog\r\n| where _IsBillable == true\r\n| summarize count(), sum(_BilledSize), estimatedPrice = sum(_BilledSize)/(1024*1024*1024) * {Price} by Facility\r\n| order by count_ desc\r\n", "size": 0, "title": "Syslog Facility, count of activity and BilledSize", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "count_", "formatter": 8, "formatOptions": { "palette": "greenRed" } }, { "columnMatch": "sum__BilledSize", "formatter": 3, "formatOptions": { "palette": "greenRed", "customColumnWidthSetting": "50ch" }, "numberFormat": { "unit": 2, "options": { "style": "decimal" } } }, { "columnMatch": "estimatedPrice", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } } ], "filter": true, "labelSettings": [ { "columnId": "Facility" }, { "columnId": "count_", "label": "Count" }, { "columnId": "sum__BilledSize", "label": "BilledSize" } ] }, "sortBy": [] }, "customWidth": "50", "name": "query - 0" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Syslog\r\n| where _IsBillable == true\r\n| summarize count(SeverityLevel), sum(_BilledSize) by SeverityLevel \r\n| join (Syslog\r\n | make-series Trend = count(SeverityLevel) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SeverityLevel\r\n) on SeverityLevel\r\n", "size": 0, "title": "Syslog count by Severity, BilledSize and Trend", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "tiles", 
"gridSettings": { "formatters": [ { "columnMatch": "count_", "formatter": 8, "formatOptions": { "palette": "greenRed" } }, { "columnMatch": "sum__BilledSize", "formatter": 3, "formatOptions": { "palette": "greenRed", "customColumnWidthSetting": "50ch" }, "numberFormat": { "unit": 2, "options": { "style": "decimal" } } } ], "filter": true }, "sortBy": [], "tileSettings": { "titleContent": { "columnMatch": "SeverityLevel", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "info", "representation": "1", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "warn", "representation": "2", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "notice", "representation": "Important", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "err", "representation": "error", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "alert", "representation": "warning", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}{1}" } ] }, "tooltipFormat": {} }, "subtitleContent": { "columnMatch": "sum__BilledSize", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "maximumSignificantDigits": 3 } }, "tooltipFormat": { "tooltip": "BilledSize" } }, "leftContent": { "columnMatch": "count_SeverityLevel", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "maximumFractionDigits": 2, "maximumSignificantDigits": 3 } }, "tooltipFormat": { "tooltip": "Count" } }, "secondaryContent": { "columnMatch": "Trend", "formatter": 21, "formatOptions": { "palette": "blue" }, "tooltipFormat": { "tooltip": "Trend" } }, "showBorder": false } }, "customWidth": "50", "name": "query - 0 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Syslog\r\n| where _IsBillable == true\r\n| summarize sum(_BilledSize), 
estimatedPrice = sum(_BilledSize)/(1024*1024*1024) * {Price} by HostName, SeverityLevel, Facility, SyslogMessage, ProcessName\r\n| order by sum__BilledSize desc ", "size": 0, "title": "Syslog by Hostname: detailed view", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "SeverityLevel", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "warn", "representation": "2", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "info", "representation": "info", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "err", "representation": "error", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "alert", "representation": "2", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "notice", "representation": "Normal", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}{1}" } ] } }, { "columnMatch": "sum__BilledSize", "formatter": 3, "formatOptions": { "palette": "greenRed", "customColumnWidthSetting": "50ch" }, "numberFormat": { "unit": 2, "options": { "style": "decimal" } } }, { "columnMatch": "estimatedPrice", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "count_", "formatter": 8, "formatOptions": { "palette": "greenRed" } } ], "rowLimit": 500, "filter": true, "hierarchySettings": { "treeType": 1, "groupBy": [ "HostName", "Facility" ] }, "labelSettings": [ { "columnId": "HostName" }, { "columnId": "SeverityLevel" }, { "columnId": "Facility" }, { "columnId": "SyslogMessage" }, { "columnId": "ProcessName" }, { "columnId": "sum__BilledSize", "label": "BilledSize" } ] }, "sortBy": [], 
"tileSettings": { "titleContent": { "columnMatch": "SeverityLevel", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "info", "representation": "1", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "warn", "representation": "2", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "notice", "representation": "Important", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "err", "representation": "error", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "alert", "representation": "warning", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}{1}" } ] }, "tooltipFormat": {} }, "subtitleContent": { "columnMatch": "sum__BilledSize", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "maximumSignificantDigits": 3 } }, "tooltipFormat": { "tooltip": "BilledSize" } }, "leftContent": { "columnMatch": "count_SeverityLevel", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "maximumFractionDigits": 2, "maximumSignificantDigits": 3 } }, "tooltipFormat": { "tooltip": "Count" } }, "secondaryContent": { "columnMatch": "Trend", "formatter": 21, "formatOptions": { "palette": "blue" }, "tooltipFormat": { "tooltip": "Trend" } }, "showBorder": false } }, "name": "query - 0 - Copy - Copy" } ] }, "conditionalVisibility": { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "syslog" }, "name": "group - syslog" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Cost Overview", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=TableName1 *\r\n| where TimeGenerated > ago(30d)\r\n| summarize Entries = count(), Size = sumif(_BilledSize, _IsBillable==true), last_log = 
datetime_diff(\"second\",now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable==true) by TableName1, _IsBillable\r\n| project ['Table Name'] = TableName1, ['Table Size'] = Size , ['% of Total GiB'] = (Size /(1024*1024*1024)) / {GiBtotal} * 100,['IsBillable'] = _IsBillable, ['Last Record Received'] = last_log , ['Estimated Table Price'] = (estimate/(1024*1024*1024)) * {Price}\r\n | order by ['Table Size'] desc\r\n\r\n ", "size": 0, "showAnalytics": true, "title": "{Workspace:name} Details for 30days, total: {GiBtotal} GiB", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "Table Name", "exportParameterName": "Table", "exportDefaultValue": "All Tables", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Table Size", "formatter": 3, "formatOptions": { "min": 0, "palette": "coldHot" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } }, { "columnMatch": "IsBillable", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "True", "representation": "green", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "False", "representation": "blueDark", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "blue", "text": "{0}{1}" } ] } }, { "columnMatch": "Last Record Received", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 24, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "Estimated Table Price", "formatter": 3, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "%", "formatter": 1, 
"formatOptions": { "customColumnWidthSetting": "15ch" }, "numberFormat": { "unit": 1, "options": { "style": "decimal", "useGrouping": true, "maximumFractionDigits": 2, "maximumSignificantDigits": 2 } } }, { "columnMatch": "Table Entries", "formatter": 3, "formatOptions": { "min": 0, "palette": "green" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Size per Entry", "formatter": 3, "formatOptions": { "min": 0, "palette": "orange" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "maximumFractionDigits": 2 } } }, { "columnMatch": "Table Trend", "formatter": 10, "formatOptions": { "palette": "redGreen" } } ], "filter": true, "labelSettings": [ { "columnId": "Table Name" }, { "columnId": "Table Size", "label": "", "comment": "Capacity of the Table" }, { "columnId": "IsBillable", "comment": "Is the Table Free or Billable?" }, { "columnId": "Last Record Received", "comment": "When did the last record arrive?" }, { "columnId": "Estimated Table Price" } ] }, "sortBy": [] }, "customWidth": "75", "name": "query - 2 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=TableName1 *\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize Size = sum(_BilledSize) by _IsBillable\r\n\r\n\r\n\r\n ", "size": 1, "showAnalytics": true, "title": "{Workspace:name} Data use %", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "Table Name", "exportParameterName": "Table", "exportDefaultValue": "All Tables", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "piechart", "gridSettings": { "formatters": [ { "columnMatch": "Table Size", "formatter": 3, "formatOptions": { "min": 0, "palette": "coldHot" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": 
"Table Entries", "formatter": 3, "formatOptions": { "min": 0, "palette": "green" }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Size per Entry", "formatter": 3, "formatOptions": { "min": 0, "palette": "orange" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "maximumFractionDigits": 2 } } }, { "columnMatch": "IsBillable", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "True", "representation": "green", "text": "{0}{1}" }, { "operator": "==", "thresholdValue": "False", "representation": "blueDark", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "blue", "text": "{0}{1}" } ] } }, { "columnMatch": "Last Record Received", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 24, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "Estimated Table Price", "formatter": 3, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Table Trend", "formatter": 10, "formatOptions": { "palette": "redGreen" } } ], "filter": true, "labelSettings": [ { "columnId": "IsBillable", "comment": "Is the Table Free or Billable?" 
} ] }, "sortBy": [], "chartSettings": { "seriesLabelSettings": [ { "seriesName": "True", "label": "Billable" }, { "seriesName": "False", "label": "Free" } ], "ySettings": { "numberFormatSettings": { "unit": 2, "options": { "style": "decimal", "useGrouping": true, "maximumSignificantDigits": 2 } } } } }, "customWidth": "25", "name": "query - 2 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "//\r\n// Predict data volume for the next month\r\n//\r\nlet startDate = {TimeRange:start}; // go back in time nn days\r\nlet endDate = now(); // what is the date now\r\nlet projectTo = now()+90d; // project forward nn days\r\nlet projectForward = 90; // must be same as projectTo value\r\nunion withsource = TableName1 *\r\n//| where TimeGenerated between (startDate .. endDate )\r\n| where _IsBillable == True\r\n| make-series GBytesToday=sum(_BilledSize)/(1024*1024*1024) default=0 on TimeGenerated from startDate to projectTo step 1d \r\n| extend GBytesForecast = series_decompose_forecast(GBytesToday, projectForward)\r\n\r\n", "size": 0, "aggregation": 5, "showAnnotations": true, "title": "Actual Data Volume vs. 90 day Prediction. Data from: {TimeRange:label}. 
Minimum 30days suggested, ideally 90days ", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "exportFieldName": "y", "exportParameterName": "yAxis", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "linechart", "sortBy": [], "chartSettings": { "seriesLabelSettings": [ { "seriesName": "GBytesToday", "color": "blueDark" }, { "seriesName": "GBytesForecast", "color": "redBright" } ], "ySettings": { "numberFormatSettings": { "unit": 5, "options": { "style": "decimal", "useGrouping": true, "maximumSignificantDigits": 3 } } } } }, "name": "query - 20 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "//\r\n// Predict data volume for the next month\r\n//\r\nlet startDate = {TimeRange:start}; // go back in time nn days\r\nlet endDate = now(); // what is the date now\r\nlet projectTo = now()+90d; // project forward nn days\r\nlet projectForward = 90; // must be same as projectTo value\r\nunion withsource = TableName1 *\r\n//| where TimeGenerated between (startDate .. endDate )\r\n| where _IsBillable == True\r\n| make-series GBytesToday=sum(_BilledSize)/(1024*1024*1024) default=0 on TimeGenerated from startDate to projectTo step 1d \r\n| extend GBytesForecast = series_decompose_forecast(GBytesToday, projectForward)\r\n| extend dayBacks = (toint('{TimeRange:seconds}') / toint(86400))-1\r\n| extend todayVolume = array_slice(GBytesToday, dayBacks, dayBacks)[0], \r\n predictionVolume = array_slice(GBytesForecast, array_length( GBytesForecast)-1, array_length( GBytesForecast)-1)[0]\r\n| project priceToday = todayVolume * {Price},\r\n pricePrediction = predictionVolume * {Price}, todayVolume, predictionVolume\r\n\r\n", "size": 4, "title": "Actual Data Volume and Price vs. 90 day Prediction. 
", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "priceToday", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } }, { "columnMatch": "pricePrediction", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "maximumSignificantDigits": 3 } } }, { "columnMatch": "todayVolume", "formatter": 0, "numberFormat": { "unit": 5, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "predictionVolume", "formatter": 0, "numberFormat": { "unit": 5, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } }, { "columnMatch": "UserSelectedAxis", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } } ] }, "sortBy": [], "chartSettings": { "seriesLabelSettings": [ { "seriesName": "GBytesToday", "color": "blueDark" }, { "seriesName": "GBytesForecast", "color": "redBright" } ], "ySettings": { "numberFormatSettings": { "unit": 5, "options": { "style": "decimal", "useGrouping": true } } } } }, "customWidth": "69", "name": "query - Price Predict" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "print volume = {yAxis}, price = {yAxis} * {Price}", "size": 4, "title": "User selected Y-Axis details. 
", "noDataMessage": "Please click on a point on the trend line in the graph above.", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "volume", "formatter": 0, "numberFormat": { "unit": 5, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "price", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "maximumSignificantDigits": 3 } } } ] } }, "customWidth": "29", "name": "query - 14" }, { "type": 1, "content": { "json": "This Tables show the details of which Data is changing, the Top billable Tables and a breakdown by resources and Windows Events. \r\n- Use these to identify a change in data use, or the most costly data Tables or Resources.", "style": "info" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Cost" }, { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" } ], "name": "text - 9 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource = _TableName *\r\n| make-series bill_ = sum(_BilledSize) on TimeGenerated from ago(90d) to now() step 1d by _TableName\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(bill_, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)\r\n| where anomalies[-1] == 1 or anomalies[-1] == -1 \r\n| extend Score = score[-1]\r\n| where Score > 3 or Score < -3\r\n| project [\"Table Name\"] = _TableName, expectedCounts=baseline[-1], actualCount=bill_[-1] , Score = score[-1], Trend = bill_, Baseline = baseline\r\n\r\n// https://docs.microsoft.com/en-us/azure/data-explorer/anomaly-detection#time-series-anomaly-detection\r\n// Anomaly scores above 1.5 or below -1.5 indicate a mild anomaly rise or decline respectively. Anomaly scores above 3.0 or below -3.0 indicate a strong anomaly.", "size": 1, "title": "BilledSize Anomalies: 90day, fixed look back period. 
anomaly-detection: Strong", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "expectedCounts", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2 } } }, { "columnMatch": "actualCount", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "maximumFractionDigits": 2 } } }, { "columnMatch": "Score", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } }, "tooltipFormat": { "tooltip": " Anomaly scores above 3.0 or below -3.0 indicate a strong anomaly" } }, { "columnMatch": "Trend", "formatter": 10, "formatOptions": { "palette": "pink" } }, { "columnMatch": "Baseline", "formatter": 21, "formatOptions": { "palette": "purple" } } ], "filter": true, "sortBy": [ { "itemKey": "$gen_number_Score_3", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_number_Score_3", "sortOrder": 2 } ] }, "name": "query - billedSize Anomalies" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource = TableName1 *\r\n| where _IsBillable == True\r\n| summarize totalGBytes =round(sum(_BilledSize/(1024*1024*1024)),2) by bin(TimeGenerated, 7d)\r\n| order by TimeGenerated asc\r\n| serialize \r\n| extend changeInGB = totalGBytes - prev(totalGBytes,1)\r\n| extend pctChange = (changeInGB * 100) / prev(totalGBytes,1)\r\n| extend TimeGenerated = strcat( format_datetime(TimeGenerated, 'yyyy-MM-dd'), \", Week of year: \", week_of_year(TimeGenerated) )\r\n", "size": 0, "aggregation": 3, "title": "Data change (GBytes) and % , from: {TimeRange:label} grouping: Weekly", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": 
"TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "TimeGenerated", "formatter": 0, "numberFormat": { "unit": 27, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "changeInGB", "formatter": 8, "formatOptions": { "palette": "coldHot" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "pctChange", "formatter": 0, "numberFormat": { "unit": 1, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } } ], "labelSettings": [ { "columnId": "TimeGenerated" }, { "columnId": "totalGBytes" }, { "columnId": "changeInGB", "label": "Change from last period (GBytes)" }, { "columnId": "pctChange", "label": "% Change" } ] }, "chartSettings": { "showMetrics": false, "seriesLabelSettings": [ { "seriesName": "BillingVolumeNow", "color": "green" }, { "seriesName": "BillingForecast", "color": "redBright" } ] } }, "customWidth": "50", "name": "query - 20 - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource = TableName1 *\r\n| where _IsBillable == True\r\n| summarize rgtotalGBytes =sumif(_BilledSize, isnotempty(ResourceGroup)), notRGtotalGBytes =sumif(_BilledSize, isempty(ResourceGroup)) by ResourceGroup\r\n| order by rgtotalGBytes desc\r\n\r\n", "size": 0, "aggregation": 3, "title": "ResourceGroup from: {TimeRange:label}", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "rgtotalGBytes", "formatter": 8, "formatOptions": { "palette": "greenRed" }, 
"numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "notRGtotalGBytes", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal" } } }, { "columnMatch": "TimeGenerated", "formatter": 0, "numberFormat": { "unit": 27, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "changeInGB", "formatter": 8, "formatOptions": { "palette": "coldHot" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "pctChange", "formatter": 0, "numberFormat": { "unit": 1, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } } ], "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_rgtotalGBytes_1", "sortOrder": 2 } ], "labelSettings": [ { "columnId": "ResourceGroup" }, { "columnId": "rgtotalGBytes", "label": "BilledSize by Resource Group " }, { "columnId": "notRGtotalGBytes", "label": "BilledSize not in a Resource Group" } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_rgtotalGBytes_1", "sortOrder": 2 } ], "chartSettings": { "showMetrics": false, "seriesLabelSettings": [ { "seriesName": "BillingVolumeNow", "color": "green" }, { "seriesName": "BillingForecast", "color": "redBright" } ] } }, "customWidth": "50", "name": "query - RG" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Resources\r\n| summarize by sName = strcat(\"/subscriptions/\", subscriptionId), sId = subscriptionId\r\n\r\n", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "value::selected" ] }, "conditionalVisibility": { "parameterName": "hide", "comparison": "isEqualTo", "value": "hide" }, "name": "query - mergeIn_1" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource = TableName1 *\r\n| where _IsBillable == True\r\n| where isnotempty(SubscriptionId)\r\n| 
summarize sum(_BilledSize) by SubscriptionId\r\n| project SubscriptionId, sum__BilledSize, ['Estimated Price'] = (sum__BilledSize/(1024*1024*1024)) * {Price}\r\n| order by ['Estimated Price'] desc\r\n", "size": 0, "aggregation": 3, "title": "Subscription from: {TimeRange:label}", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "sum__BilledSize", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Estimated Price", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "rgtotalGBytes", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "notRGtotalGBytes", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal" } } }, { "columnMatch": "TimeGenerated", "formatter": 0, "numberFormat": { "unit": 27, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "changeInGB", "formatter": 8, "formatOptions": { "palette": "coldHot" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "pctChange", "formatter": 0, "numberFormat": { "unit": 1, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } } ], "filter": true, "labelSettings": [ { "columnId": "SubscriptionId" }, { "columnId": "sum__BilledSize", "label": "BilledSize" } ] }, "sortBy": [], "chartSettings": { 
"showMetrics": false, "seriesLabelSettings": [ { "seriesName": "BillingVolumeNow", "color": "green" }, { "seriesName": "BillingForecast", "color": "redBright" } ] } }, "customWidth": "50", "conditionalVisibility": { "parameterName": "hide", "comparison": "isEqualTo", "value": "hide" }, "name": "query - by Subscription_1" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"e551a41f-8bef-4fbb-a170-04837d9161be\",\"mergeType\":\"rightouter\",\"leftTable\":\"query - mergeIn_1\",\"rightTable\":\"query - by Subscription_1\",\"leftColumn\":\"sId\",\"rightColumn\":\"SubscriptionId\"}],\"projectRename\":[{\"originalName\":\"sName\",\"mergedName\":\"sName\",\"fromId\":\"unknown\"},{\"originalName\":\"sId\",\"mergedName\":\"sId\",\"fromId\":\"unknown\"},{\"originalName\":\"[query - mergeIn_1].sName\",\"mergedName\":\"sName1\",\"fromId\":\"e551a41f-8bef-4fbb-a170-04837d9161be\"},{\"originalName\":\"[query - mergeIn_1].sId\",\"mergedName\":\"sId1\",\"fromId\":\"e551a41f-8bef-4fbb-a170-04837d9161be\"},{\"originalName\":\"[query - by Subscription_1].SubscriptionId\",\"mergedName\":\"SubscriptionId\",\"fromId\":\"e551a41f-8bef-4fbb-a170-04837d9161be\"},{\"originalName\":\"[query - by Subscription_1].sum__BilledSize\",\"mergedName\":\"BilledSize\",\"fromId\":\"e551a41f-8bef-4fbb-a170-04837d9161be\"},{\"originalName\":\"[query - by Subscription_1].Estimated Price\",\"mergedName\":\"Estimated Price\",\"fromId\":\"e551a41f-8bef-4fbb-a170-04837d9161be\"}]}", "size": 0, "title": "Subscription from: Last 30 days", "showRefreshButton": true, "showExportToExcel": true, "queryType": 7, "gridSettings": { "formatters": [ { "columnMatch": "sId", "formatter": 5 }, { "columnMatch": "BilledSize", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Estimated Price", "formatter": 0, "numberFormat": { "unit": 0, "options": { 
"style": "decimal", "maximumFractionDigits": 2 } } } ], "filter": true, "labelSettings": [ { "columnId": "sName1", "label": "Subscription Name", "comment": "if known?" }, { "columnId": "sId1" }, { "columnId": "SubscriptionId" }, { "columnId": "BilledSize" }, { "columnId": "Estimated Price" } ] } }, "customWidth": "50", "showPin": false, "name": "query - 13" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource = TableName1 *\r\n| where _IsBillable == True\r\n| where isnotempty(SubscriptionId)\r\n| summarize sum(_BilledSize) by SubscriptionId, ResourceGroup\r\n| project SubscriptionId, sum__BilledSize, ['Estimated Price'] = (sum__BilledSize/(1024*1024*1024)) * {Price}, ResourceGroup\r\n| order by ['Estimated Price'] desc\r\n", "size": 0, "aggregation": 3, "title": "Subscription and RG from: {TimeRange:label}", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "SubscriptionId", "formatter": 5 }, { "columnMatch": "sum__BilledSize", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Estimated Price", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "ResourceGroup", "formatter": 5 }, { "columnMatch": "rgtotalGBytes", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "notRGtotalGBytes", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal" } } }, { "columnMatch": 
"TimeGenerated", "formatter": 0, "numberFormat": { "unit": 27, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "changeInGB", "formatter": 8, "formatOptions": { "palette": "coldHot" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "pctChange", "formatter": 0, "numberFormat": { "unit": 1, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } } ], "filter": true, "hierarchySettings": { "treeType": 1, "groupBy": [ "SubscriptionId", "ResourceGroup" ], "expandTopLevel": false }, "sortBy": [ { "itemKey": "$gen_number_Estimated Price_3", "sortOrder": 2 } ], "labelSettings": [ { "columnId": "SubscriptionId" }, { "columnId": "sum__BilledSize", "label": "BilledSize" } ] }, "sortBy": [ { "itemKey": "$gen_number_Estimated Price_3", "sortOrder": 2 } ], "chartSettings": { "showMetrics": false, "seriesLabelSettings": [ { "seriesName": "BillingVolumeNow", "color": "green" }, { "seriesName": "BillingForecast", "color": "redBright" } ] } }, "customWidth": "50", "name": "query - by Subscription - Copy" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Costs by Tag: select a Tag or Value", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Subscription}" ], "parameters": [ { "id": "49b1416f-7ab9-4082-a8f2-c89c54bcaa80", "version": "KqlParameterItem/1.0", "name": "tagKey", "type": 2, "isRequired": true, "query": "ResourceContainers \r\n| where isnotempty(tags)\r\n| project tags\r\n| mv-expand tags\r\n| extend tagKey = tostring(bag_keys(tags)[0])\r\n| extend tagValue = tostring(tags[tagKey])\r\n| union (\r\n resources\r\n | where isnotempty(tags)\r\n | project tags\r\n | mv-expand tags\r\n | extend tagKey = tostring(bag_keys(tags)[0])\r\n | extend tagValue = tostring(tags[tagKey])\r\n)\r\n| distinct tagKey, tagValue\r\n| where tagKey 
!startswith \"hidden-\"\r\n| summarize count() by tagKey\r\n| order by tagKey asc\r\n| project tagKey\r\n//| project tagKey = strcat(tagKey,\"(\",count_,\")\")", "crossComponentResources": [ "{Subscription}" ], "value": "owner", "typeSettings": { "additionalResourceOptions": [ "value::1" ], "showDefault": false }, "timeContext": { "durationMs": 86400000 }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "f3039831-1614-41a9-ac7f-8eb5c6f6b8a0", "version": "KqlParameterItem/1.0", "name": "tagValue", "type": 2, "isRequired": true, "query": "ResourceContainers \r\n| where isnotempty(tags)\r\n| project tags\r\n| mv-expand tags\r\n| extend tagKey = tostring(bag_keys(tags)[0])\r\n| extend tagValue = tostring(tags[tagKey])\r\n| union (\r\n resources\r\n | where isnotempty(tags)\r\n | project tags\r\n | mv-expand tags\r\n | extend tagKey = tostring(bag_keys(tags)[0])\r\n | extend tagValue = tostring(tags[tagKey])\r\n)\r\n| distinct tagKey, tagValue\r\n| where tagKey !startswith \"hidden-\"\r\n| where tagKey == '{tagKey}'\r\n| project tagValue\r\n", "crossComponentResources": [ "{Subscription}" ], "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "timeContext": { "durationMs": 86400000 }, "defaultValue": "value::all", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" } ], "style": "above", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, "name": "parameters - 8" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureActivity\r\n| search \"tags\"\r\n| extend field_ = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).tags)))\r\n| where field_ contains '{tagValue}'\r\n| summarize count(), sum(_BilledSize) by ResourceGroup, ResourceId\r\n| project ResourceGroup, ResourceId,count_, sum__BilledSize, ['Estimated Price'] = (sum__BilledSize/(1024*1024*1024)) * {Price}\r\n| order by ['Estimated Price'] desc\r\n\r\n", "size": 1, "title": 
"looking for: {tagValue} ", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "sum__BilledSize", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Estimated Price", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } } ], "filter": true } }, "customWidth": "50", "name": "query - 9" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureActivity\r\n| search \"tags\"\r\n| extend field_ = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).tags)))\r\n| where field_ !contains '{tagValue}'\r\n| summarize count(), sum(_BilledSize) by ResourceGroup, ResourceId\r\n| project ResourceGroup, ResourceId,count_, sum__BilledSize, ['Estimated Price'] = (sum__BilledSize/(1024*1024*1024)) * {Price}\r\n| order by ['Estimated Price'] desc\r\n", "size": 1, "title": "UnTagged resources", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "sum__BilledSize", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Estimated Price", "formatter": 0, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "sumif__BilledSize", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } } } 
], "filter": true, "sortBy": [ { "itemKey": "$gen_number_Estimated Price_4", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_number_Estimated Price_4", "sortOrder": 2 } ] }, "customWidth": "50", "name": "query - unTagged" } ] }, "name": "group - test by Tags" } ] }, "conditionalVisibility": { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "overview" }, "name": "group - Cost Overview" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Table Analysis", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=TableName1 *\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize Entries = count(), Size = sum(_BilledSize), estimate = sumif(_BilledSize, _IsBillable==true) by TableName1, _IsBillable\r\n| project ['Table Name'] = TableName1, ['Table Size'] = Size,\r\n ['IsBillable'] = _IsBillable\r\n | top 10 by ['Table Size'] desc\r\n\r\n", "size": 0, "aggregation": 3, "title": "Top 10 Costs by Table, from: {TimeRange:label} data", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Table Size", "formatter": 3, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } } ], "filter": true }, "sortBy": [], "chartSettings": { "showMetrics": false, "seriesLabelSettings": [ { "seriesName": "BillingVolumeNow", "color": "green" }, { "seriesName": "BillingForecast", "color": "redBright" } ] } }, "customWidth": "50", "name": "query - 20 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "//union withsource=TableName1 Event, SecurityEvent, CommonSecurityLog\r\n//| summarize ['Table Size'] = sum(_BilledSize) by TableName1, 
_ResourceId\r\n//| top 10 by ['Table Size'] desc\r\nunion\r\n(SecurityEvent\r\n| make-series GiBperDay=sum(_BilledSize)/(1024*1024*1024) on bin(TimeGenerated,1d) from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by _ResourceId, Type\r\n| join (SecurityEvent | summarize ['Table Size']=sum(_BilledSize) by _ResourceId) on _ResourceId\r\n| project-away _ResourceId1, TimeGenerated\r\n),\r\n(\r\nCommonSecurityLog\r\n| make-series GiBperDay=sum(_BilledSize)/(1024*1024*1024) on bin(TimeGenerated,1d) from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by _ResourceId, Type\r\n| join (CommonSecurityLog | summarize ['Table Size']=sum(_BilledSize) by _ResourceId) on _ResourceId\r\n| project-away _ResourceId1, TimeGenerated\r\n),\r\n(\r\nEvent\r\n| make-series GiBperDay=sum(_BilledSize)/(1024*1024*1024) on bin(TimeGenerated,1d) from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by _ResourceId, Type\r\n| join (Event | summarize ['Table Size']=sum(_BilledSize) by _ResourceId) on _ResourceId\r\n| project-away _ResourceId1, TimeGenerated\r\n)\r\n| top 10 by ['Table Size'] desc", "size": 0, "aggregation": 3, "title": "Top 10 Costs by Resource, from: {TimeRange:label} data", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "GiBperDay", "formatter": 10, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "maximumSignificantDigits": 3 } } }, { "columnMatch": "Table Size", "formatter": 4, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "sum__BilledSize", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { 
"unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } }, { "columnMatch": "GBytesToday", "formatter": 10, "formatOptions": { "palette": "blue" } }, { "columnMatch": "bill", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } } ], "filter": true }, "sortBy": [], "chartSettings": { "showMetrics": false, "seriesLabelSettings": [ { "seriesName": "BillingVolumeNow", "color": "green" }, { "seriesName": "BillingForecast", "color": "redBright" } ] } }, "customWidth": "50", "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Cost" }, "name": "query - 20 - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=TableName1 Event, SecurityEvent, Syslog\r\n| where _IsBillable == true\r\n| summarize ['Table Size'] = sum(_BilledSize) by TableName=TableName1 , EventID, Activity, RenderedDescription, SyslogMessage\r\n| extend EventDescription = iif(isempty(Activity),RenderedDescription,Activity)\r\n| extend EventDescription = iif(isempty(EventDescription),SyslogMessage,EventDescription)\r\n| project-away RenderedDescription, SyslogMessage, Activity\r\n| top 10 by ['Table Size'] desc", "size": 0, "aggregation": 3, "title": "Top 10 Costs by EventId, from: {TimeRange:label} data", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Table Size", "formatter": 4, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "bill", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, 
"maximumSignificantDigits": 2 } } } ], "filter": true }, "sortBy": [], "chartSettings": { "showMetrics": false, "seriesLabelSettings": [ { "seriesName": "BillingVolumeNow", "color": "green" }, { "seriesName": "BillingForecast", "color": "redBright" } ] } }, "customWidth": "50", "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Cost" }, "name": "query - 20 - Copy - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=TableName1 Event, SecurityEvent, Syslog\r\n| where _IsBillable == true\r\n| summarize ['Table Size'] = sum(_BilledSize) by TableName = TableName1 , EventID, Computer\r\n| top 20 by ['Table Size'] desc\r\n", "size": 0, "aggregation": 3, "title": "Top 20 Costs by Event, from: {TimeRange:label} data by Computer", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Table Size", "formatter": 4, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "bill", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } } ], "filter": true }, "sortBy": [], "chartSettings": { "showMetrics": false, "seriesLabelSettings": [ { "seriesName": "BillingVolumeNow", "color": "green" }, { "seriesName": "BillingForecast", "color": "redBright" } ] } }, "customWidth": "50", "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Cost" }, "name": "query - 20 - Copy - Copy - Copy - Copy" }, { "type": 1, "content": { "json": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor", 
"style": "info" }, "name": "text - 24" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=TableName1 *\r\n| where _isBillable=true\r\n| where isnotempty(Computer) \r\n| summarize billedData = sumif(_BilledSize, _IsBillable=~true),\r\n freeData = sumif(_BilledSize, _IsBillable=~false) by Computer, _ResourceId\r\n| order by billedData desc\r\n\r\n", "size": 1, "aggregation": 3, "title": "GiB used by Computers", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Computer", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "15%" } }, { "columnMatch": "billedData", "formatter": 4, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } }, { "columnMatch": "freeData", "formatter": 4, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } }, { "columnMatch": "sum__BilledSize", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "MBytes", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Table Size", "formatter": 8, "formatOptions": { "palette": "greenRed" }, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } }, { "columnMatch": "bill", "formatter": 0, "numberFormat": { "unit": 2, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 2 } } } ], "filter": true, "sortBy": [ { "itemKey": "$gen_bar_billedData_2", "sortOrder": 2 } ] }, "sortBy": [ { 
"itemKey": "$gen_bar_billedData_2", "sortOrder": 2 } ], "chartSettings": { "seriesLabelSettings": [ { "seriesName": "BillingVolumeNow", "color": "green" }, { "seriesName": "BillingForecast", "color": "redBright" } ], "xSettings": {}, "ySettings": { "numberFormatSettings": { "unit": 2, "options": { "style": "decimal", "useGrouping": true } } } } }, "customWidth": "50", "name": "query - 20 - GB per Computer" } ] }, "conditionalVisibility": { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "table" }, "name": "group - Table" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Cost" }, "name": "group - cost", "styleSettings": { "showBorder": true } }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Group: Regular Checks", "items": [ { "type": 11, "content": { "version": "LinkItem/1.0", "style": "tabs", "links": [ { "id": "fc113fd5-ae1b-41d9-b34e-5bfe93d8f666", "cellValue": "selectedTab1", "linkTarget": "parameter", "linkLabel": "Daily", "subTarget": "Daily", "style": "link" }, { "id": "9fe38fa7-0453-4d11-8ed5-c54b017d9b70", "cellValue": "selectedTab1", "linkTarget": "parameter", "linkLabel": "Weekly", "subTarget": "Weekly", "style": "link" }, { "id": "04b5d677-9b0e-4d82-8735-00f1da101f35", "cellValue": "selectedTab1", "linkTarget": "parameter", "linkLabel": "Monthly", "subTarget": "Monthly", "style": "link" } ] }, "customWidth": "30", "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" }, "name": "links - 39" }, { "type": 1, "content": { "json": "This Tab is used to recommend tasks to perform on a Daily, Weekly or Monthly basis. 
These tasks have been taken from work in the community.", "style": "info" }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" }, { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" } ], "name": "text - 16" }, { "type": 1, "content": { "json": " Daily Operational Tasks\t\r\n1. Data Connectors \r\nLook through each active Data Connector and verify the Last Log Received date/time is current to ensure data is flowing. A table that has stopped receiving records can mean a failed agent or connector, but also a log source that was deliberately disabled; treat an unexplained gap as possible tampering and confirm it with the source owner.\r\n2. Investigate Incidents \r\nInvestigate Incidents to determine if any Analytics rules were triggered. Set status and begin investigation. Resolve or reassign.\t\r\n3. Hunting Queries and Bookmarks (links provided)\t\r\nExplore the built-in query results. Update existing hunting queries and bookmarks. Manually generate new or update old Incidents if applicable. Apply automation (Playbooks) where required.\t\r\n4. Analytics Rules (links provided)\t\r\nIdentify any newly released (or newly available due to recently connected Data Connectors) Analytics Rules and enable those that are applicable. Apply automation (Playbooks) where essential.\t\r\n\r\n\t", "style": "success" }, "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Daily" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "text - 46" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=TableName1 *\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize Entries = count(), last_log = datetime_diff(\"second\",now(), max(TimeGenerated)) by TableName1, _IsBillable\r\n| project ['Table Name'] = TableName1, ['Last Record Received'] = last_log \r\n| order by ['Last Record Received'] desc\r\n\r\n\r\n", "size": 0, "title": "1. 
Data Connector", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Last Record Received", "formatter": 3, "formatOptions": { "palette": "coldHot" }, "numberFormat": { "unit": 24, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } } ] } }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Daily" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "query - 39" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityIncident\r\n| summarize IncidentCount=count(), arg_max(LastActivityTime,LastActivityTime, CreatedTime, Title) by IncidentNumber, Title, IncidentUrl\r\n| top 200 by IncidentNumber desc\r\n| project-away Title1, LastActivityTime1\r\n\r\n\r\n\r\n", "size": 0, "title": "2. 
Daily Incident check (Top 200)", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "IncidentUrl", "formatter": 7, "formatOptions": { "linkTarget": "Url", "linkLabel": "Open Incident" } }, { "columnMatch": "TenantId", "formatter": 15, "formatOptions": { "linkTarget": null }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "Last Record Received", "formatter": 3, "formatOptions": { "palette": "coldHot" }, "numberFormat": { "unit": 24, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } } ], "labelSettings": [ { "columnId": "IncidentNumber" }, { "columnId": "Title" }, { "columnId": "IncidentUrl" }, { "columnId": "IncidentCount", "label": "Alert Count" }, { "columnId": "LastActivityTime" }, { "columnId": "CreatedTime" } ] } }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Daily" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "query - 39 - Copy" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "list", "links": [ { "id": "3cc494b9-3cde-4ac4-831d-e01ee44ce787", "cellValue": "https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries", "linkTarget": "Url", "linkLabel": "https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries", "preText": "3. Hunting Queries", "postText": "", "style": "link" }, { "id": "2df3d076-e803-4654-a803-df5ccfdaf581", "cellValue": "https://github.com/Azure/Azure-Sentinel/tree/master/Detections", "linkTarget": "Url", "linkLabel": "https://github.com/Azure/Azure-Sentinel/tree/master/Detections", "preText": "4. 
Analytic Rules", "style": "link" } ] }, "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Daily" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "links - 47" }, { "type": 1, "content": { "json": " Weekly Operational Tasks\t\r\n1. Log Analytics Agent\r\nVerify the servers (or workstations) are showing a connected status in the workspace. Troubleshoot and remediate failed connections.\r\n2. Workbooks Updates \r\nVerify in the Azure Sentinel Dashboard blade if an installed Workbook has an update that needs installed.\r\n3. GitHub Alert Rules, Workbooks, Hunting queries, and Playbooks\t\r\nVisit and review the Azure Sentinel GitHub repository and explore if there are new or updated Detection Rules, Workbooks, Hunting queries, or Playbooks of value that can be added to the environment.\t\r\n\t", "style": "success" }, "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Weekly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "text - 46 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Heartbeat\r\n| summarize count_ = dcount(Computer) by bin(TimeGenerated, 7d)\r\n| order by TimeGenerated asc\r\n| serialize \r\n| extend changeInCount = count_ - prev(count_,1)\r\n| extend changeInPct = (changeInCount * 100) / prev(count_,1)\r\n\r\n", "size": 1, "title": "1. 
Weekly: Log Analytics Agent count change summary (7 days)", "timeContext": { "durationMs": 604800000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "changeInCount", "formatter": 8, "formatOptions": { "palette": "coldHot" } }, { "columnMatch": "changeInPct", "formatter": 0, "formatOptions": {}, "numberFormat": { "unit": 1, "options": { "style": "decimal" } } }, { "columnMatch": "changePct", "formatter": 0, "formatOptions": {}, "numberFormat": { "unit": 1, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "_ComputerName_", "formatter": 5, "formatOptions": {} }, { "columnMatch": "State", "formatter": 18, "formatOptions": { "linkColumn": "Details", "linkTarget": "CellDetails", "linkIsContextBlade": true, "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Unhealthy", "representation": "4", "text": "{0}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}" } ] }, "tooltipFormat": { "tooltip": "Click to see details of the last event sent by this computer." } }, { "columnMatch": "Environment", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Azure", "representation": "blue", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "magenta", "text": "{0}{1}" } ] } }, { "columnMatch": "Heartbeat Trend", "formatter": 10, "formatOptions": { "palette": "redGreen" }, "tooltipFormat": { "tooltip": "Each bar represents the bucket of time based on the Unhealthy Criteria. Showing last 30 buckets max." 
} }, { "columnMatch": "Details", "formatter": 5, "formatOptions": {} }, { "columnMatch": "Last Record Received", "formatter": 3, "formatOptions": { "palette": "coldHot" }, "numberFormat": { "unit": 24, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } } ], "labelSettings": [ { "columnId": "TimeGenerated" }, { "columnId": "count_", "label": "Computer Count" }, { "columnId": "changeInCount", "label": "Change count " }, { "columnId": "changeInPct", "label": "Change (%)" } ] }, "sortBy": [], "tileSettings": { "titleContent": { "columnMatch": "State", "formatter": 1, "formatOptions": {} }, "leftContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": {}, "numberFormat": { "unit": 17, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2, "maximumSignificantDigits": 3 } } }, "rightContent": { "columnMatch": "State", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Unhealthy", "representation": "4", "text": "" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "" } ] } }, "showBorder": false, "rowLimit": 100 } }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Weekly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "query - 39 - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Heartbeat\r\n| summarize count_ = dcount(Computer) by bin(TimeGenerated, 7d)\r\n| order by TimeGenerated asc\r\n\r\n", "size": 1, "title": "1. 
Weekly: Log Analytics Agent count change summary", "timeContext": { "durationMs": 604800000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "timechart", "gridSettings": { "formatters": [ { "columnMatch": "changeInCount", "formatter": 8, "formatOptions": { "palette": "coldHot" } }, { "columnMatch": "changePct", "formatter": 0, "formatOptions": {}, "numberFormat": { "unit": 1, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "_ComputerName_", "formatter": 5, "formatOptions": {} }, { "columnMatch": "State", "formatter": 18, "formatOptions": { "linkColumn": "Details", "linkTarget": "CellDetails", "linkIsContextBlade": true, "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Unhealthy", "representation": "4", "text": "{0}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}" } ] }, "tooltipFormat": { "tooltip": "Click to see details of the last event sent by this computer." } }, { "columnMatch": "Environment", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Azure", "representation": "blue", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "magenta", "text": "{0}{1}" } ] } }, { "columnMatch": "Heartbeat Trend", "formatter": 10, "formatOptions": { "palette": "redGreen" }, "tooltipFormat": { "tooltip": "Each bar represents the bucket of time based on the Unhealthy Criteria. Showing last 30 buckets max." 
} }, { "columnMatch": "Details", "formatter": 5, "formatOptions": {} }, { "columnMatch": "Last Record Received", "formatter": 3, "formatOptions": { "palette": "coldHot" }, "numberFormat": { "unit": 24, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } } ] }, "sortBy": [], "tileSettings": { "titleContent": { "columnMatch": "State", "formatter": 1, "formatOptions": {} }, "leftContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": {}, "numberFormat": { "unit": 17, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2, "maximumSignificantDigits": 3 } } }, "rightContent": { "columnMatch": "State", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Unhealthy", "representation": "4", "text": "" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "" } ] } }, "showBorder": false, "rowLimit": 100 } }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Weekly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "query - 39 - Copy - Copy - Copy" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "281e8743-964f-4e81-9683-7ad7af4504e7", "version": "KqlParameterItem/1.0", "name": "UnhealthyCriteria", "type": 2, "isRequired": true, "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\r\n { \"value\":\"1m\", \"label\":\"1 minute without heartbeat\", \"selected\":false },\r\n { \"value\":\"5m\", \"label\":\"5 minutes without heartbeat\", \"selected\":false },\r\n { \"value\":\"30m\", \"label\":\"30 minutes without heartbeat\", \"selected\":false },\r\n { \"value\":\"1h\", \"label\":\"1 hour without heartbeat\", \"selected\":true },\r\n { \"value\":\"2h\", \"label\":\"2 hours without heartbeat\", \"selected\":false },\r\n { 
\"value\":\"8h\", \"label\":\"8 hours without heartbeat\", \"selected\":false },\r\n { \"value\":\"1d\", \"label\":\"1 day without heartbeat\", \"selected\":false },\r\n { \"value\":\"2d\", \"label\":\"2 days without heartbeat\", \"selected\":false },\r\n { \"value\":\"7d\", \"label\":\"7 days without heartbeat\", \"selected\":false }\r\n]", "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "EPStimerange", "value": "8h" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" }, { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Weekly" } ], "name": "parameters - 42" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Heartbeat\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize LastHeartbeat = max(TimeGenerated) by Computer\r\n| extend State = iff(LastHeartbeat < ago({UnhealthyCriteria}), 'Unhealthy', 'Healthy')\r\n| extend TimeFromNow = now() - LastHeartbeat\r\n| extend [\"TimeAgo\"] = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n| join (\r\nHeartbeat\r\n| where TimeGenerated {TimeRange:query}\r\n| extend Packed = pack_all()\r\n) on Computer\r\n| where TimeGenerated == LastHeartbeat\r\n| join (\r\nHeartbeat\r\n| where TimeGenerated {TimeRange:query}\r\n| make-series InternalTrend=iff(count() > 0, 1, 0) default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {UnhealthyCriteria} by Computer\r\n| extend Trend=array_slice(InternalTrend, array_length(InternalTrend) - 30, array_length(InternalTrend)-1)\r\n| extend (s_min, s_minId, s_max, s_maxId, s_avg, s_var, s_stdev) = series_stats(Trend)\r\n| project Computer, Trend, 
s_avg\r\n) on Computer\r\n| order by State, s_avg asc, TimeAgo\r\n| project [\"_ComputerName_\"] = Computer, [\"Computer\"]=strcat('🖥️ ', Computer), State, [\"Environment\"] = iff(ComputerEnvironment == \"Azure\", ComputerEnvironment, Category), [\"OS\"]=iff(isempty(OSName), OSType, OSName), [\"Azure Resource\"]=ResourceId, [\"Time\"]=strcat('🕒 ', TimeAgo), [\"Heartbeat Trend\"]=Trend, [\"Details\"]=Packed\r\n\r\n", "size": 2, "title": "1. Weekly: Log Analytics Agent check", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "_ComputerName_", "formatter": 5, "formatOptions": {} }, { "columnMatch": "State", "formatter": 18, "formatOptions": { "linkColumn": "Details", "linkTarget": "CellDetails", "linkIsContextBlade": true, "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Unhealthy", "representation": "4", "text": "{0}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}" } ] }, "tooltipFormat": { "tooltip": "Click to see details of the last event sent by this computer." } }, { "columnMatch": "Environment", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Azure", "representation": "blue", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "magenta", "text": "{0}{1}" } ] } }, { "columnMatch": "Heartbeat Trend", "formatter": 10, "formatOptions": { "palette": "redGreen" }, "tooltipFormat": { "tooltip": "Each bar represents the bucket of time based on the Unhealthy Criteria. Showing last 30 buckets max." 
} }, { "columnMatch": "Details", "formatter": 5, "formatOptions": {} }, { "columnMatch": "Last Record Received", "formatter": 3, "formatOptions": { "palette": "coldHot" }, "numberFormat": { "unit": 24, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } } ], "sortBy": [ { "itemKey": "Computer", "sortOrder": 2 } ], "labelSettings": [ { "columnId": "_ComputerName_" }, { "columnId": "Computer" }, { "columnId": "State" }, { "columnId": "Environment" }, { "columnId": "OS" }, { "columnId": "Azure Resource" }, { "columnId": "Time", "label": "Last Heartbeat" }, { "columnId": "Heartbeat Trend" }, { "columnId": "Details" } ] }, "sortBy": [ { "itemKey": "Computer", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "State", "formatter": 1, "formatOptions": {} }, "leftContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": {}, "numberFormat": { "unit": 17, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2, "maximumSignificantDigits": 3 } } }, "rightContent": { "columnMatch": "State", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Unhealthy", "representation": "4", "text": "" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "" } ] } }, "showBorder": false, "rowLimit": 100 } }, "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Weekly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "query - 39 - Copy - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/providers/microsoft.insights/myworkbooks\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-02-12\"},{\"key\":\"$sortby\",\"value\":\"timeModified 
desc\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"properties.displayName\",\"columnid\":\"displayName\"},{\"path\":\"properties.timeModified\",\"columnid\":\"timeModified\"},{\"path\":\"location\",\"columnid\":\"location\"},{\"path\":\"id\",\"columnid\":\"resourcegroup\"},{\"path\":\"properties.sourceId\",\"columnid\":\"sourceId\"},{\"path\":\"properties.version\",\"columnid\":\"version\"},{\"path\":\"id\",\"columnid\":\"id\"}]}}]}", "size": 0, "queryType": 12, "gridSettings": { "formatters": [ { "columnMatch": "resourcegroup", "formatter": 14, "formatOptions": { "linkTarget": null } }, { "columnMatch": "id", "formatter": 5 } ], "sortBy": [ { "itemKey": "timeModified", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "timeModified", "sortOrder": 2 } ] }, "conditionalVisibility": { "parameterName": "hide", "comparison": "isEqualTo", "value": "hide" }, "name": "query - get Workbookinfo" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources\r\n | where type == \"microsoft.insights/workbooks\"\r\n | project properties.displayName, properties.timeModified, location, kind,\r\n resourceGroup, properties.category, properties.serializedData, properties.version, properties.userId, properties.sourceId, properties.tags[0] , properties.tags[1] \r\n| order by tostring(properties_timeModified) asc", "size": 1, "title": "2. 
Workbook Check - Shared Workbooks - with keyword search 🔍", "showExportToExcel": true, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ], "gridSettings": { "formatters": [ { "columnMatch": "properties_displayName", "formatter": 1 }, { "columnMatch": "properties_timeModified", "formatter": 6 } ], "filter": true, "sortBy": [ { "itemKey": "properties_timeModified", "sortOrder": 2 } ], "labelSettings": [ { "columnId": "properties_displayName", "label": "DisplayName" }, { "columnId": "properties_timeModified", "label": "TimeLastModified" }, { "columnId": "location" }, { "columnId": "kind" }, { "columnId": "resourceGroup" }, { "columnId": "properties_category" }, { "columnId": "properties_serializedData" }, { "columnId": "properties_version" }, { "columnId": "properties_userId" }, { "columnId": "properties_sourceId" }, { "columnId": "properties_tags_0" }, { "columnId": "properties_tags_1" } ] }, "sortBy": [ { "itemKey": "properties_timeModified", "sortOrder": 2 } ] }, "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Weekly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "query - workbook - Private" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"3e598a03-ffc3-4b4d-a229-03fa9d97637e\",\"mergeType\":\"leftanti\",\"leftTable\":\"query - get Workbookinfo\",\"rightTable\":\"query - workbook - Private\",\"leftColumn\":\"displayName\",\"rightColumn\":\"properties_displayName\"}],\"projectRename\":[{\"originalName\":\"[query - get Workbookinfo].displayName\",\"mergedName\":\"displayName\",\"fromId\":\"3e598a03-ffc3-4b4d-a229-03fa9d97637e\"},{\"originalName\":\"[query - get Workbookinfo].timeModified\",\"mergedName\":\"timeModified\",\"fromId\":\"3e598a03-ffc3-4b4d-a229-03fa9d97637e\"},{\"originalName\":\"[query - get 
Workbookinfo].location\",\"mergedName\":\"location\",\"fromId\":\"3e598a03-ffc3-4b4d-a229-03fa9d97637e\"},{\"originalName\":\"[query - get Workbookinfo].resourcegroup\",\"mergedName\":\"resourcegroup\",\"fromId\":\"3e598a03-ffc3-4b4d-a229-03fa9d97637e\"},{\"originalName\":\"[query - get Workbookinfo].sourceId\",\"mergedName\":\"sourceId\",\"fromId\":\"3e598a03-ffc3-4b4d-a229-03fa9d97637e\"},{\"originalName\":\"[query - get Workbookinfo].version\",\"mergedName\":\"version\",\"fromId\":\"3e598a03-ffc3-4b4d-a229-03fa9d97637e\"},{\"originalName\":\"[query - get Workbookinfo].id\",\"mergedName\":\"id\",\"fromId\":\"3e598a03-ffc3-4b4d-a229-03fa9d97637e\"}]}", "size": 1, "title": "2. Workbook check - Private Workbooks - no keyword search ⚠️", "queryType": 7, "gridSettings": { "formatters": [ { "columnMatch": "resourcegroup", "formatter": 14, "formatOptions": { "linkTarget": null } }, { "columnMatch": "id", "formatter": 5 } ], "filter": true, "sortBy": [ { "itemKey": "timeModified", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "timeModified", "sortOrder": 2 } ] }, "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Weekly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "showPin": false, "name": "query - 21" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "fe3a12f8-7dcf-4cd3-93b8-e2cc504839eb", "version": "KqlParameterItem/1.0", "name": "countRuleTemplates", "type": 1, "description": "used in a Tile later - hidden", "query": 
"{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/AlertRuleTemplates\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"name\",\"columnid\":\"name\"}]}}]}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 12 }, { "version": "KqlParameterItem/1.0", "name": "countActiveRules", "type": 1, "description": "used in a Tile later - hidden", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/AlertRules\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"name\",\"columnid\":\"name\"}]}}]}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 12, "id": "6905ed27-7271-4d75-9402-adf21383f002" }, { "id": "6036245c-70ea-448d-9643-8d1c99b97742", "version": "KqlParameterItem/1.0", "name": "huntingQueries", "type": 1, "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{Workspace}/SavedSearches\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-08-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value..properties[?(@ == \\\"Hunting Queries\\\")]\",\"columns\":[]}}]}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 5184000000 }, "timeContextFromParameter": "TimeRange", "queryType": 
12 }, { "version": "KqlParameterItem/1.0", "name": "activeRulesUpdatedDate", "type": 1, "description": "used in a Tile later - hidden", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/AlertRules\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"properties.lastModifiedUtc\",\"columnid\":\"lastMod\"}]}}]}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 12, "id": "3e824f1e-1817-448e-aacd-4abd357a2fad" } ], "style": "above", "queryType": 12 }, "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" }, { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Weekly" } ], "name": "parameters - 27" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "e437111e-7cb9-4295-bd47-522e5b924f6c", "version": "KqlParameterItem/1.0", "name": "RuleByDate", "type": 1, "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup:name}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/AlertRuleTemplates\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"properties.createdDateUTC\",\"columnid\":\"createdDateUTC\"}]}}]}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 12 } ], "style": "pills", "queryType": 12 }, "name": "parameters - 28" }, { 
"type": 3, "content": { "version": "KqlItem/1.0", "query": "// Use Operation as a common Table that always exists - its data isnt required. \r\nunion isfuzzy=true \r\n(\r\n Operation\r\n | project a = '{countRuleTemplates:value}'\r\n | limit 1\r\n | extend a = split(a,\",\"), name_= \"Available Rule Templates\"\r\n | mv-expand a\r\n | summarize count(), rt=count() by name_\r\n),\r\n(\r\n Operation\r\n | project c = '{countActiveRules:value}', utw = '{activeRulesUpdatedDate:value}'\r\n | limit 1\r\n | extend c = split(c,\",\"), name_= \"Active Rules\", utw = split(utw,\",\")\r\n | mv-expand c, utw\r\n | summarize count(), updateThisWeek = countif(todatetime(utw) between (ago(7d) .. now())), ar=count() by name_\r\n),\r\n(\r\n Operation\r\n | project d = '{huntingQueries:value}'\r\n | limit 1\r\n | extend d = split(trim(@\"[^\\w]+\",d),\",\"), name_= \"Hunting Queries\"\r\n | mv-expand d to typeof(string)\r\n | summarize count() by name_\r\n)\r\n| order by name_ asc\r\n\r\n\r\n\r\n", "size": 4, "title": "3. 
Rule Statistics", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "tiles", "sortBy": [], "tileSettings": { "titleContent": { "columnMatch": "count_", "formatter": 12, "formatOptions": { "palette": "auto" } }, "subtitleContent": { "columnMatch": "name_" }, "leftContent": { "columnMatch": "updateThisWeek", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": ">", "thresholdValue": "0", "representation": "up", "text": "{0}{1}" }, { "operator": "Default", "thresholdValue": null, "representation": "Blank", "text": "{0}{1}" } ] }, "numberFormat": { "unit": 17, "options": { "style": "decimal", "useGrouping": false } }, "tooltipFormat": { "tooltip": "Updates in the last 7 days" } }, "showBorder": false } }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" }, { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Weekly" } ], "name": "query - 28" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "// use a table that exists - Usage was picked but isnt used.\r\nUsage\r\n| project a = split('{RuleByDate}',\",\")\r\n| limit 1\r\n| mvexpand todynamic(a)\r\n| project b= split(trim(@\"[^\\w]+\",tostring(a)),\"T\").[0]\r\n| summarize count() by todatetime(b)\r\n| order by b asc\r\n| top 10 by b ", "size": 1, "title": "Rule templates vs. 
created by Date", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "categoricalbar" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Weekly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "query - 29" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/AlertRuleTemplates\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"},{\"key\":\"$orderby\",\"value\":\"properties/createdDateUTC desc\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"properties.displayName\",\"columnid\":\"displayName\"},{\"path\":\"kind\",\"columnid\":\"kind\"},{\"path\":\"properties.status\",\"columnid\":\"status\"},{\"path\":\"properties.createdDateUTC\",\"columnid\":\"createdDateUTC\"},{\"path\":\"properties.requiredDataConnectors\",\"columnid\":\"requiredDataConnectors\"},{\"path\":\"properties.productFilter\",\"columnid\":\"productFilter\"},{\"path\":\"properties.requiredDataConnectors[:1].connectorId\",\"columnid\":\"connectorName\"},{\"path\":\"properties.requiredDataConnectors[*].dataTypes[0]\",\"columnid\":\"connectorTable\"},{\"path\":\"properties.query\",\"columnid\":\"queryText\"}]}}]}", "size": 1, "title": "3. 
Rule Templates via Rest API", "showExportToExcel": true, "queryType": 12, "gridSettings": { "formatters": [ { "columnMatch": "requiredDataConnectors", "formatter": 7, "formatOptions": { "linkTarget": "CellDetails", "linkLabel": "Data Connectors", "linkIsContextBlade": true } }, { "columnMatch": "queryText", "formatter": 7, "formatOptions": { "linkTarget": "CellDetails", "linkIsContextBlade": true }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "resourcegroup", "formatter": 14, "formatOptions": { "linkTarget": null, "showIcon": true } }, { "columnMatch": "id", "formatter": 5 } ], "filter": true }, "sortBy": [] }, "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Weekly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "showPin": false, "name": "query - 21 - Rules" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/AlertRules\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-01-01\"},{\"key\":\"$orderby\",\"value\":\"properties/createdDateUTC desc\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"properties.displayName\",\"columnid\":\"displayName\"},{\"path\":\"kind\",\"columnid\":\"kind\"},{\"path\":\"properties.enabled\",\"columnid\":\"status\"},{\"path\":\"properties.lastModifiedUtc\",\"columnid\":\"lastModifiedUtc\"},{\"path\":\"properties.productFilter\",\"columnid\":\"productFilter\"},{\"path\":\"properties.tactics\",\"columnid\":\"tactics\"},{\"path\":\"properties.query\",\"columnid\":\"queryText\"}]}}]}", "size": 1, "title": "3a. 
Active Rules via Rest API ", "showExportToExcel": true, "queryType": 12, "gridSettings": { "formatters": [ { "columnMatch": "tactics", "formatter": 7, "formatOptions": { "linkTarget": "CellDetails", "linkIsContextBlade": true } }, { "columnMatch": "queryText", "formatter": 7, "formatOptions": { "linkTarget": "CellDetails", "linkIsContextBlade": true } }, { "columnMatch": "resourcegroup", "formatter": 14, "formatOptions": { "linkTarget": null, "showIcon": true } }, { "columnMatch": "id", "formatter": 5 } ], "filter": true, "sortBy": [ { "itemKey": "lastModifiedUtc", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "lastModifiedUtc", "sortOrder": 2 } ] }, "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Weekly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "showPin": false, "name": "query - 21 - Rules in use " }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.Logic/workflows/\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2019-05-01\"},{\"key\":\"$orderby\",\"value\":\"createdTime desc\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"name\",\"columnid\":\"name\"},{\"path\":\"location\",\"columnid\":\"location\"},{\"path\":\"properties.provisioningState\",\"columnid\":\"state\"},{\"path\":\"properties.createdTime\",\"columnid\":\"createdTimeUTC\"},{\"path\":\"proprties.changedTime\",\"columnid\":\"changedTimeUTC\"}]}}]}", "size": 1, "title": "3b. 
Playbooks via Rest API", "showExportToExcel": true, "queryType": 12, "gridSettings": { "formatters": [ { "columnMatch": "resourcegroup", "formatter": 14, "formatOptions": { "linkTarget": null } }, { "columnMatch": "id", "formatter": 5 } ], "filter": true, "sortBy": [ { "itemKey": "createdTimeUTC", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "createdTimeUTC", "sortOrder": 2 } ] }, "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Weekly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "showPin": false, "name": "query - 21 - Rules - Copy" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "list", "links": [ { "id": "c1f77487-5aee-4f0d-a16b-4ca6de161272", "cellValue": "https://github.com/Azure/Azure-Sentinel/tree/master/Detections", "linkTarget": "Url", "linkLabel": "https://github.com/Azure/Azure-Sentinel/tree/master/", "preText": "3. GitHub Alert Rules, Workbooks, Hunting queries, and Playbooks", "style": "link" } ] }, "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Weekly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "links - 47 - Copy" }, { "type": 1, "content": { "json": "Monthly Operational Tasks\t\r\n1. Log Analytics Agent\r\nEnsure the agent is up-to-date and auto-upgrades are working. For those not auto upgraded, perform a manual update.\r\n2. Log Analytics Workspace\t\r\nReview that your Log Analytics Workspace retention policy still aligns with your current configuration. Run the Data Usage queries to help maintain costs and retention determinations.\r\n3. Ad-hoc: \tAccess review\r\nHas your SOC team changed? Review RBAC and IAM to verify those that need access have proper access – and those accounts no longer needing access are removed.\r\n4. 
Ad-hoc: \tReview workspace locations\r\nAre your workspaces in the right Regions, or are there any new ones?\t\r\n\t", "style": "success" }, "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Monthly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "text - 46 - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Subscription:id}/providers/microsoft.insights/myworkbooks\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2020-02-12\"},{\"key\":\"$orderby\",\"value\":\"properties/timeModified desc\"},{\"key\":\"$top\",\"value\":\"10\"},{\"key\":\"\",\"value\":\"\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"properties.displayName\",\"columnid\":\"WorkbookName\"},{\"path\":\"properties.timeModified\",\"columnid\":\"TimeModified\"},{\"path\":\"location\",\"columnid\":\"Location\"},{\"path\":\"id\",\"columnid\":\"resourceGroup\"}]}}]}", "size": 4, "title": "Top 10: Shared and Private Workbooks", "queryType": 12, "gridSettings": { "formatters": [ { "columnMatch": "resourceGroup", "formatter": 14, "formatOptions": { "linkTarget": null } } ], "sortBy": [ { "itemKey": "TimeModified", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "TimeModified", "sortOrder": 2 } ] }, "conditionalVisibilities": [ { "parameterName": "SelectedTab1", "comparison": "isEqualTo", "value": "Weekly" }, { "parameterName": "SelectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "query - 17" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Heartbeat\r\n| summarize dcount(Computer) by Version", "size": 1, "title": "1. 
Monthly: Agent Check by version", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "piechart", "gridSettings": { "formatters": [ { "columnMatch": "id", "formatter": 14, "formatOptions": { "linkTarget": null } }, { "columnMatch": "resourceGroup", "formatter": 14, "formatOptions": { "linkTarget": null } }, { "columnMatch": "Status", "formatter": 1, "formatOptions": { "linkColumn": "Status", "linkTarget": "CellDetails", "linkIsContextBlade": true }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "_ComputerName_", "formatter": 5 }, { "columnMatch": "State", "formatter": 18, "formatOptions": { "linkColumn": "Details", "linkTarget": "CellDetails", "linkIsContextBlade": true, "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Unhealthy", "representation": "4", "text": "{0}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}" } ] }, "tooltipFormat": { "tooltip": "Click to see details of the last event sent by this computer." } }, { "columnMatch": "Heartbeat Trend", "formatter": 10, "formatOptions": { "palette": "redGreen" }, "tooltipFormat": { "tooltip": "Each bar represents the bucket of time based on the Unhealthy Criteria. Showing last 30 buckets max." 
} }, { "columnMatch": "Details", "formatter": 5 }, { "columnMatch": "Last Record Received", "formatter": 3, "formatOptions": { "palette": "coldHot" }, "numberFormat": { "unit": 24, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } } ], "filter": true }, "sortBy": [], "tileSettings": { "titleContent": { "columnMatch": "State", "formatter": 1, "formatOptions": {} }, "leftContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": {}, "numberFormat": { "unit": 17, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2, "maximumSignificantDigits": 3 } } }, "rightContent": { "columnMatch": "State", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Unhealthy", "representation": "4", "text": "" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "" } ] } }, "showBorder": false, "rowLimit": 100 } }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Monthly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "MonthlyAgentCheck" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Heartbeat\r\n| summarize make_set(Version) by Computer\r\n| extend a = array_length(set_Version)\r\n| where a > 1\r\n| order by a desc, Computer asc\r\n\r\n", "size": 1, "title": "1. 
Monthly: Agent Check - version change detected", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "a", "formatter": 5 }, { "columnMatch": "dcount_Version", "formatter": 10, "formatOptions": { "palette": "greenRed" } }, { "columnMatch": "id", "formatter": 14, "formatOptions": { "linkTarget": null } }, { "columnMatch": "resourceGroup", "formatter": 14, "formatOptions": { "linkTarget": null } }, { "columnMatch": "Status", "formatter": 1, "formatOptions": { "linkColumn": "Status", "linkTarget": "CellDetails", "linkIsContextBlade": true }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "_ComputerName_", "formatter": 5 }, { "columnMatch": "State", "formatter": 18, "formatOptions": { "linkColumn": "Details", "linkTarget": "CellDetails", "linkIsContextBlade": true, "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Unhealthy", "representation": "4", "text": "{0}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}" } ] }, "tooltipFormat": { "tooltip": "Click to see details of the last event sent by this computer." } }, { "columnMatch": "Heartbeat Trend", "formatter": 10, "formatOptions": { "palette": "redGreen" }, "tooltipFormat": { "tooltip": "Each bar represents the bucket of time based on the Unhealthy Criteria. Showing last 30 buckets max." 
} }, { "columnMatch": "Details", "formatter": 5 }, { "columnMatch": "Last Record Received", "formatter": 3, "formatOptions": { "palette": "coldHot" }, "numberFormat": { "unit": 24, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } } ], "filter": true, "sortBy": [ { "itemKey": "set_Version", "sortOrder": 2 } ], "labelSettings": [ { "columnId": "Computer" }, { "columnId": "set_Version", "label": "Agent version" }, { "columnId": "a" } ] }, "sortBy": [ { "itemKey": "set_Version", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "State", "formatter": 1, "formatOptions": {} }, "leftContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": {}, "numberFormat": { "unit": 17, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2, "maximumSignificantDigits": 3 } } }, "rightContent": { "columnMatch": "State", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Unhealthy", "representation": "4", "text": "" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "" } ] } }, "showBorder": false, "rowLimit": 100 } }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Monthly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "MonthlyAgentCheck - Copy" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "list", "links": [ { "id": "916bd214-247c-4204-9e72-6e456e5c1049", "cellValue": "\"\"", "linkTarget": "GenericDetails", "linkLabel": "{Workspace:label}", "preText": "2. 
Log Analytics Workspace", "postText": "please check the [Workspace Info] tab in this Workbook", "style": "link", "linkIsContextBlade": true }, { "id": "6ff3da41-03ac-42dc-a534-6f2395409e6b", "cellValue": "\"\"", "linkTarget": "GenericDetails", "linkLabel": "{Workspace:label}", "preText": "3. Ad-hoc: Access review", "postText": "check ", "style": "link" } ] }, "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Monthly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "links - 47 - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources\r\n| where type == \"microsoft.operationalinsights/workspaces\"\r\n| summarize count() by location", "size": 0, "title": "4. Monthly: Ad-hoc Workspace location check 1 of 2", "exportFieldName": "", "exportParameterName": "exportMap", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Workspace}" ], "visualization": "map", "gridSettings": { "formatters": [ { "columnMatch": "Status", "formatter": 1, "formatOptions": { "linkColumn": "Status", "linkTarget": "CellDetails", "linkIsContextBlade": true }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "_ComputerName_", "formatter": 5, "formatOptions": {} }, { "columnMatch": "State", "formatter": 18, "formatOptions": { "linkColumn": "Details", "linkTarget": "CellDetails", "linkIsContextBlade": true, "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Unhealthy", "representation": "4", "text": "{0}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}" } ] }, "tooltipFormat": { "tooltip": "Click to see details of the last event sent by this computer." 
} }, { "columnMatch": "Heartbeat Trend", "formatter": 10, "formatOptions": { "palette": "redGreen" }, "tooltipFormat": { "tooltip": "Each bar represents the bucket of time based on the Unhealthy Criteria. Showing last 30 buckets max." } }, { "columnMatch": "Details", "formatter": 5, "formatOptions": {} }, { "columnMatch": "Last Record Received", "formatter": 3, "formatOptions": { "palette": "coldHot" }, "numberFormat": { "unit": 24, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } } ] }, "sortBy": [], "tileSettings": { "titleContent": { "columnMatch": "State", "formatter": 1, "formatOptions": {} }, "leftContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": {}, "numberFormat": { "unit": 17, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2, "maximumSignificantDigits": 3 } } }, "rightContent": { "columnMatch": "State", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Unhealthy", "representation": "4", "text": "" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "" } ] } }, "showBorder": false, "rowLimit": 100 }, "mapSettings": { "locInfo": "AzureLoc", "locInfoColumn": "location", "sizeSettings": "count_", "sizeAggregation": "Sum", "labelSettings": "location", "legendMetric": "count_", "legendAggregation": "Sum", "itemColorSettings": { "nodeColorField": "count_", "colorAggregation": "Sum", "type": "heatmap", "heatmapPalette": "greenRed" } } }, "customWidth": "66", "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Monthly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "MonthlyAgentCheck - Copy", "styleSettings": { "margin": "66" } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "project details = '{exportMap}'\r\n| limit 1\r\n| mv-expand 
todynamic(details)\r\n", "size": 3, "title": "4. Monthly: Ad-hoc Workspace location check 1 of 2 drill-in details", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Status", "formatter": 1, "formatOptions": { "linkColumn": "Status", "linkTarget": "CellDetails", "linkIsContextBlade": true }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "_ComputerName_", "formatter": 5 }, { "columnMatch": "State", "formatter": 18, "formatOptions": { "linkColumn": "Details", "linkTarget": "CellDetails", "linkIsContextBlade": true, "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Unhealthy", "representation": "4", "text": "{0}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}" } ] }, "tooltipFormat": { "tooltip": "Click to see details of the last event sent by this computer." } }, { "columnMatch": "Heartbeat Trend", "formatter": 10, "formatOptions": { "palette": "redGreen" }, "tooltipFormat": { "tooltip": "Each bar represents the bucket of time based on the Unhealthy Criteria. Showing last 30 buckets max." 
} }, { "columnMatch": "Details", "formatter": 5 }, { "columnMatch": "Last Record Received", "formatter": 3, "formatOptions": { "palette": "coldHot" }, "numberFormat": { "unit": 24, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } } ] }, "sortBy": [], "tileSettings": { "titleContent": { "columnMatch": "State", "formatter": 1, "formatOptions": {} }, "leftContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": {}, "numberFormat": { "unit": 17, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2, "maximumSignificantDigits": 3 } } }, "rightContent": { "columnMatch": "State", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Unhealthy", "representation": "4", "text": "" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "" } ] } }, "showBorder": false, "rowLimit": 100 }, "mapSettings": { "locInfo": "AzureLoc", "locInfoColumn": "location", "sizeSettings": "count_", "sizeAggregation": "Sum", "labelSettings": "location", "legendMetric": "count_", "legendAggregation": "Sum", "itemColorSettings": { "nodeColorField": "count_", "colorAggregation": "Sum", "type": "heatmap", "heatmapPalette": "greenRed" } } }, "customWidth": "30", "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Monthly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "MonthlyAgentCheck - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces' \r\n//| where id has \"{Workspace}\"\r\n| extend state = trim(' ', tostring(properties.provisioningState))\r\n\t\t,sku = trim(' ', tostring(properties.sku.name))\r\n ,skuUpdate = trim(' ', tostring(properties.sku.lastSkuUpdate))\r\n\t\t,retentionDays = trim(' ', 
tostring(properties.retentionInDays))\r\n\t\t,dailyquotaGB = trim(' ', tostring(properties.workspaceCapping.dailyQuotaGb))\r\n| extend dailyquotaGB = iif(dailyquotaGB !=-1.0, dailyquotaGB,\"Not set\")\r\n| extend skuUpdate = iif(strlen(skuUpdate) > 0, skuUpdate,\"Unknown\")\r\n| extend sentinel = iif(toint(retentionDays) < 90,\"If you have Sentinel, you can change your retention to 90 days (free).\",\"\")\r\n| project ['Workspace Name']=id, ['Resource Group']=resourceGroup, location, ['Data Retention(days)']=retentionDays, ['Last known SKU update']=skuUpdate, ['Daily Data Cap']=dailyquotaGB, ['Licence']=sku, ['Notes'] = sentinel, tags, properties\r\n| order by ['Workspace Name'] asc", "size": 3, "title": "4. Monthly: Ad-hoc Workspace check 2 of 2", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Notes", "formatter": 5, "formatOptions": {} }, { "columnMatch": "Status", "formatter": 1, "formatOptions": { "linkColumn": "Status", "linkTarget": "CellDetails", "linkIsContextBlade": true }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": false } } }, { "columnMatch": "_ComputerName_", "formatter": 5, "formatOptions": {} }, { "columnMatch": "State", "formatter": 18, "formatOptions": { "linkColumn": "Details", "linkTarget": "CellDetails", "linkIsContextBlade": true, "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Unhealthy", "representation": "4", "text": "{0}" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "{0}" } ] }, "tooltipFormat": { "tooltip": "Click to see details of the last event sent by this computer." } }, { "columnMatch": "Heartbeat Trend", "formatter": 10, "formatOptions": { "palette": "redGreen" }, "tooltipFormat": { "tooltip": "Each bar represents the bucket of time based on the Unhealthy Criteria. 
Showing last 30 buckets max." } }, { "columnMatch": "Details", "formatter": 5, "formatOptions": {} }, { "columnMatch": "Last Record Received", "formatter": 3, "formatOptions": { "palette": "coldHot" }, "numberFormat": { "unit": 24, "options": { "style": "decimal", "useGrouping": false, "maximumSignificantDigits": 3 } } } ], "filter": true }, "sortBy": [], "tileSettings": { "titleContent": { "columnMatch": "State", "formatter": 1, "formatOptions": {} }, "leftContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": {}, "numberFormat": { "unit": 17, "options": { "style": "decimal", "useGrouping": false, "maximumFractionDigits": 2, "maximumSignificantDigits": 3 } } }, "rightContent": { "columnMatch": "State", "formatter": 18, "formatOptions": { "thresholdsOptions": "icons", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "Unhealthy", "representation": "4", "text": "" }, { "operator": "Default", "thresholdValue": null, "representation": "success", "text": "" } ] } }, "showBorder": false, "rowLimit": 100 }, "mapSettings": { "locInfo": "AzureLoc", "locInfoColumn": "location", "sizeSettings": "count_", "sizeAggregation": "Sum", "labelSettings": "location", "legendMetric": "count_", "legendAggregation": "Sum", "itemColorSettings": { "nodeColorField": "count_", "colorAggregation": "Sum", "type": "heatmap", "heatmapPalette": "greenRed" } } }, "conditionalVisibilities": [ { "parameterName": "selectedTab1", "comparison": "isEqualTo", "value": "Monthly" }, { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" } ], "name": "MonthlyAgentCheck - Copy - Copy" } ] }, "conditionalVisibility": { "parameterName": "selectedTab", "comparison": "isEqualTo", "value": "Checks" }, "name": "group - checks" } ], "fallbackResourceIds": [ "Azure Monitor" ] }