Infoblox Insight ID Bug Fix

Solutions/Infoblox/Workbooks/Infoblox_Workbook.json

@@ -5540,7 +5540,7 @@
                   "type": 3,
                   "content": {
                     "version": "KqlItem/1.0",
-                    "query": "let AssetCount = (InfobloxInsightIndicators\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| join kind=inner\r\n(\r\nInfobloxInsightEvents\r\n| where InfobloxInsightID == \"66b112e0-3187-4faa-9357-d229e98002ca\"\r\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\r\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\r\n| where ThreatIndicator1 has_cs ThreatIndicator\r\n| summarize by SourceIP, ThreatIndicator\r\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\r\n\r\n\r\nInfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where isnotempty(ThreatIndicator)\r\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' ==  \"All\"\r\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' ==  \"All\"\r\n| join\r\n    (\r\n        AssetCount\r\n    ) on ThreatIndicator\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| extend URL = strcat(\"https://csp.infoblox.com/#/security_research/search/auto/\", ThreatIndicator, \"/summary\")\r\n| extend sort_order = case(\r\n    ThreatLevel == \"High\", 5,\r\n    ThreatLevel == \"Medium\", 4,\r\n    ThreatLevel == \"Low\", 3,\r\n    ThreatLevel == \"N/A\", 2,\r\n    1 // default case if ThreatLevel doesn't match any of the above\r\n)\r\n| order by sort_order, EventCount desc\r\n| project-away sort_order\r\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\r\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\r\n\r\n",
+                    "query": "let AssetCount = (InfobloxInsightIndicators\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| join kind=inner\r\n(\r\nInfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\r\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\r\n| where ThreatIndicator1 has_cs ThreatIndicator\r\n| summarize by SourceIP, ThreatIndicator\r\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\r\n\r\n\r\nInfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where isnotempty(ThreatIndicator)\r\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' ==  \"All\"\r\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' ==  \"All\"\r\n| join\r\n    (\r\n        AssetCount\r\n    ) on ThreatIndicator\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| extend URL = strcat(\"https://csp.infoblox.com/#/security_research/search/auto/\", ThreatIndicator, \"/summary\")\r\n| extend sort_order = case(\r\n    ThreatLevel == \"High\", 5,\r\n    ThreatLevel == \"Medium\", 4,\r\n    ThreatLevel == \"Low\", 3,\r\n    ThreatLevel == \"N/A\", 2,\r\n    1 // default case if ThreatLevel doesn't match any of the above\r\n)\r\n| order by sort_order, EventCount desc\r\n| project-away sort_order\r\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\r\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\r\n\r\n",
                     "size": 0,
                     "showAnalytics": true,
                     "timeContextFromParameter": "TimeRange",