diff --git a/Solutions/Infoblox/Package/3.0.1.zip b/Solutions/Infoblox/Package/3.0.1.zip
new file mode 100644
index 00000000000..7b774da6e92
Binary files /dev/null and b/Solutions/Infoblox/Package/3.0.1.zip differ
diff --git a/Solutions/Infoblox/Package/mainTemplate.json b/Solutions/Infoblox/Package/mainTemplate.json
index 8e30123920f..efdba304cc8 100644
--- a/Solutions/Infoblox/Package/mainTemplate.json
+++ b/Solutions/Infoblox/Package/mainTemplate.json
@@ -47,7 +47,7 @@
},
"variables": {
"_solutionName": "Infoblox",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
"solutionId": "infoblox.infoblox-app-for-microsoft-sentinel",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "InfobloxDataConnector",
@@ -316,7 +316,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox data connector with template version 3.0.0",
+ "description": "Infoblox data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -1307,7 +1307,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox data connector with template version 3.0.0",
+ "description": "Infoblox data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion2')]",
@@ -1734,7 +1734,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox data connector with template version 3.0.0",
+ "description": "Infoblox data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion3')]",
@@ -2099,7 +2099,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox data connector with template version 3.0.0",
+ "description": "Infoblox data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion4')]",
@@ -2542,7 +2542,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox data connector with template version 3.0.0",
+ "description": "Infoblox data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion5')]",
@@ -2949,7 +2949,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox_Lookup_Workbook Workbook with template version 3.0.0",
+ "description": "Infoblox_Lookup_Workbook Workbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -3107,7 +3107,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox_Workbook Workbook with template version 3.0.0",
+ "description": "Infoblox_Workbook Workbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion2')]",
@@ -3125,7 +3125,7 @@
},
"properties": {
"displayName": "[parameters('workbook2-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"370d206d-18b1-43d4-a170-71a4a12ba9b2\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"SOC Insights Overview\",\"subTarget\":\"6\",\"style\":\"link\"},{\"id\":\"63a011d0-c970-408d-b027-a8579848a6fd\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Config Insights Overview\",\"subTarget\":\"8\",\"style\":\"link\"},{\"id\":\"f8b51e3b-e4b2-4ba4-9a9c-bedea05a1ee7\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Blocked Traffic Overview\",\"subTarget\":\"4\",\"style\":\"link\"},{\"id\":\"d3af8e0b-806c-4f1f-b006-845c842bc2fc\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DNS Overview\",\"subTarget\":\"1\",\"style\":\"link\"},{\"id\":\"dbd0c004-e0b4-446c-91cd-5a5af3f6e16e\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DHCP Overview\",\"subTarget\":\"2\",\"style\":\"link\"},{\"id\":\"41df2b27-5f91-4a8b-adcb-e7997f86d6d6\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Audit Log Overview\",\"subTarget\":\"3\",\"style\":\"link\"},{\"id\":\"4f1a6ec7-3d56-4f50-8045-34adbb8d92d0\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Service Log Overview\",\"subTarget\":\"5\",\"style\":\"link\"},{\"id\":\"ffabdc7f-2cb7-40fc-a883-d82609bba051\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Threat Intelligence Overview\",\"subTarget\":\"7\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e1e015ea-e688-48be-ac2b-846fe98be48e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time 
Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"4bf79012-0d96-4024-8cb6-0b9c0d9407ef\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where 
isnotempty(SourceHostName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct DeviceName\\r\\n| sort by DeviceName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"66255f50-472e-4295-8d64-6b9fa2e3c887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ 
({User}))\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\", SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by SecondLevelDomain \\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f0a80c9f-a800-4958-b51c-4b38bfaf6624\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResponseCode\",\"label\":\"Response Code\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSRCode: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode)\\r\\n| where isnotempty(InfobloxDNSRCode) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSRCode\\r\\n| sort by InfobloxDNSRCode asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RecordType\",\"label\":\"Record 
Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSQType\\r\\n| sort by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| 
where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| project-rename ['Destination Dns Domain'] = DestinationDnsDomain\\r\\n| project ['Destination Dns Domain'], Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Most Requested FQDNs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Destination Dns Domain\",\"exportParameterName\":\"DestinationDnsDomain\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Most Requested FQDNs\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"0\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Most Requested FQDNs' grid to see 'Top 10 Devices'\"},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 18\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 
20\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"72d2b1bd-300c-4f3e-b4ca-4dcaec96fb3a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopDevices\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| where DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DeviceName)\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = make_list(DeviceName)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"102ee8fc-7658-4bca-82f3-54ed66d2ba9d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopMAC\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID 
has_cs \\\"DNS\\\" and DestinationDnsDomain == ('{DestinationDnsDomain}') \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceMACAddress)\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = make_list(SourceMACAddress)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4c59d86e-9130-41a4-ba95-4e7974e4de06\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstDevice\",\"type\":1,\"query\":\"print (todynamic('{TopDevices}')[0])\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0f1d8907-d375-4db8-a5c9-f9d7390d8f7f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondDevice\",\"type\":1,\"query\":\"print 
todynamic('{TopDevices}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bd2a1987-e9ba-42ac-9856-a8c781ebb332\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"04910ee0-5aa4-4897-82d6-15167ad50e01\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9a023fc0-b8b3-4e1e-9d9c-2c5c511cf32f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"5619aab8-f9b6-4218-9315-c6741facf4eb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4dd8c03f-0ec4-494c-a237-ff5c9ab73f8f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1a2455e4-36ec-46c9-bb3f-395ff1186abb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightDevice\",\"type\":1,\"query\":\"print 
todynamic('{TopDevices}')[7]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"72b22373-007c-4d10-bbdd-bdac49ea666c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"eb44f209-d53b-488f-8275-05294b57b1c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bb6a7aa4-0cf3-49d4-9649-179f6d60af71\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[0]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"571e7afc-50fc-4f35-a7cf-c1d23a00effe\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"00dca50c-6034-4a97-b1b0-da773ed535e7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"05752a54-7398-4373-9d67-bc5ce96c32a1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"42233555-d975-4e88-b62e-2a53e728ae38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"3a0eea52-845c-4347-b01b-6f4531de2d5c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"29854b31-e4cd-4157-94d4-c0c3fef6f9a2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"959fdc81-126b-44f9-8a82-753bc8d5bebd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[7]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"78b51494-7bb5-4a7d-ab01-67483568319d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b66ac0ed-09b2-49e1-bead-88c1a1145f70\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Hide\",\"comparison\":\"isNotEqualTo\"},\"name\":\"parameters - 18\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Top 10 Devices for Domain : {DestinationDnsDomain}\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FirstDevice}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| render piechart with(title=tostring(todynamic('{TopDevices}')[0]))\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FirstDevice} , MAC : 
{FirstMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FirstDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 18\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SecondDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SecondDevice} , MAC : 
{SecondMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SecondDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{ThirdDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {ThirdDevice} , MAC : 
{ThirdMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"ThirdDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FourthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FourthDevice} , MAC : 
{FourthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FourthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FifthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FifthDevice} , MAC : 
{FifthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FifthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SixthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SixthDevice} , MAC : 
{SixthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SixthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SeventhDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SeventhDevice} , MAC : 
{SeventhMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SeventhDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{EightDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {EightDevice} , MAC : 
{EightMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"EightDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{NinethDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {NinethDevice} , MAC : 
{NinethMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"NinethDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{TenthDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {TenthDevice} , MAC : 
{TenthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"TenthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 19\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceUserName)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD})) \\r\\n| project-rename User = SourceUserName\\r\\n| summarize Count = count() by User\\r\\n| project User, Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests Count by Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"User\",\"exportParameterName\":\"SourceUserName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"compositeBarSettings\":{\"labelText\":\"\"}}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Top Users\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'DNS Requests Count by Users' grid to see 'Overall DNS Requests made by User' and 'Top 10 Requested Domains by User'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 19\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\nInfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string, \\r\\nInfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string, \\r\\nInfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with 
(pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns 
Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall DNS Requests made by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log 
Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 15\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" 
or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Requested Domains by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"group\":\"DestinationDnsDomain\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 
8\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by InfobloxDNSRCode\",\"size\":3,\"showAnalytics\":true,\"title\":\"Response 
Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Response_Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 9\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Types of Response' pie chart to see 'DNS Requests' and 'Top 20 Devices'\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", 
SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], 
['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"{Response_Type} DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"
query - 16\",\"styleSettings\":{\"padding\":\"17px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 20 by Count\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 20 Devices for {Response_Type} DNS 
Request\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":20,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by 
InfobloxDNSQType\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Query Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on TimeGenerated from ago(1d) to now() step 1h by InfobloxDNSRCode\",\"size\":0,\"title\":\"Overall Queries Per Hour\",\"timeContext\":{\"durationMs\":86400000},\"exportFieldName\":\"x\",\"exportParameterName\":\"QPS_Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true,\"showDataPoints\":true,\"xSettings\":{\"label\":\"Time\"}}},\"customWidth\":\"100\",\"name\":\"query - 11\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"18px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Overall Queries Per Hour' bar chart to see 'Queries Per Minutes'\"},\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 20\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 21\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| where TimeGenerated between (Gridtime - 30m .. Gridtime + 30m)\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on bin(TimeGenerated, 1m) from (Gridtime - 30m) to (Gridtime + 30m) step 1m by InfobloxDNSRCode\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Queries Per Minute\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Count\",\"color\":\"blueDark\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 13\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 
30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\nand TimeGenerated between ((Gridtime - 30m) .. 
(Gridtime + 30m))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Overall Query by Devices per hour\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName 
= trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], 
Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxAnCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowGreenBlue\"}},{\"columnMatch\":\"InfobloxNsCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yell
owOrangeBrown\"}},{\"columnMatch\":\"InfobloxArCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"SourceUserName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"representation\":\"brown\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 15\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Main Group\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-IP-Space-Data** logic app which is deployed with the Microsoft Sentinel Solution.\\r\\nPlease configure this logic app first and keep it enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 15\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"4abe4038-7e69-4b2c-9ec2-e1f9311e96be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time 
Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"379d941d-6191-494d-b518-caf9e0d8ce55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DHCPServer\",\"label\":\"DHCP Server\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(InfobloxHostID) \\r\\n| distinct InfobloxHostID\\r\\n| sort by InfobloxHostID asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"68911f86-d896-407d-9a0b-07934f997037\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) 
[];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceHostName) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"c5628a47-4153-4808-a618-9a06d560428b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MAC\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceMACAddress) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceMACAddress\\r\\n| sort by SourceMACAddress 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"053f6da7-3bb9-4f9f-9bc5-ec09a9723f52\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Space\",\"label\":\"IP Space\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxIPSpace: string, InfobloxHostID: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by name_s asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) 
[];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases (Unique IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP 
Leases\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases (Unique 
IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') 
== \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases \",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"greenDark\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| 
where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by InfobloxLeaseOp\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Leases over Time\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| extend InfobloxLeaseOp = 
trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where isnotempty(InfobloxLeaseOp)\\r\\n| summarize count() by InfobloxLeaseOp\",\"size\":3,\"showAnalytics\":true,\"title\":\"DHCP Activity Summary\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Lease\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"51px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'DHCP Activity Summary' pie chart to see 'DHCP Lease for Activity'\"},\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand 
isnotempty(SourceMACAddress)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 MAC Address\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_MAC\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"53px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 MAC Address' pie chart to see 'Source IPs for MAC'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxRangeStart: string, InfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string,\\r\\nInfobloxDUID: string, InfobloxLifetime: 
string,InfobloxLeaseUUID: string, InfobloxFingerprintPr: string,\\r\\nInfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxLeaseOp = trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand InfobloxLeaseOp == ('{Lease}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space})) and isnotempty(trim(@\\\"\\\\s\\\", InfobloxLeaseOp))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease 
UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease for Activity : {Lease}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand SourceMACAddress == ('{Pie_MAC}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 
{TimeRange:grain} by SourceIP\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for MAC : {Pie_MAC}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand isnotempty(SourceIP)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count=count() by SourceIP\\r\\n| top 10 by 
Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 IP Addresses\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 IP Addresses' grid to see 'Host for IP'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand SourceIP == ('{SourceIP}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s 
\\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceHostName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Host for IP : {SourceIP}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\nand DeviceProduct == \\\"Data Connector\\\" \\r\\nand DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, 
IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5\",\"padding\":\"5\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 14\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"group - 
5\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"82320096-33a6-4d48-b64f-2c90aa564ed4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"00756d7d-b074-42e5-996e-4ffa6487606f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserName\",\"label\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"3d2f3549-f5c5-4496-a013-f9b306321c75\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction) and (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| distinct DeviceAction\\r\\n| sort by DeviceAction asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string, InfobloxRangeEnd: string, 
InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\nand (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename Action = DeviceAction\\r\\n| summarize Count = count() by Action\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Types of Actions\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"bar_Action\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Types of Actions' bar chart to see 'Top 10 User for Action' and 'Audit Logs for Action'\"},\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 4\"}],\"exportParameters\":true},\"name\":\"group - 
5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(SourceUserName)\\r\\nand DeviceAction == ('{bar_Action}')\\r\\nand (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename User = SourceUserName, Action = DeviceAction\\r\\n| summarize Count = count() by User\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 User for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_user\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"70px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 User for Action : {bar_Action}' pie chart to see 'Top 10 SourceIP for User'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and 
DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string, \\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string, \\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, \\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], 
Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where SourceUserName == ('{Pie_user}') and DeviceAction == ('{bar_Action}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Source IP for User : 
{Pie_user}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string,\\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\n InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\n and (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = 
InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"3\"},\"name\":\"group - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"daee0513-3b57-4c4d-9052-7a92094a4036\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| where isnotempty(SourceUserName) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by SourceUserName\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct DeviceName\\r\\n| sort by DeviceName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"cf61f3a4-fe90-4244-b94b-4aedc1210af9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Location\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, 
InfobloxB1Region: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(Location) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct Location\\r\\n| sort by Location asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"e63dae9c-b8cf-4c02-9a7f-de990bfc4d1b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by 
SecondLevelDomain\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNSRecordType\",\"label\":\"DNS Record Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxDNSQType\\r\\n| order by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f67927b9-00eb-4a45-b9d0-4bde9ac74d86\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PolicyName\",\"label\":\"Policy Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs 
\\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxB1PolicyName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxB1PolicyName\\r\\n| sort by InfobloxB1PolicyName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand 
(('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(SourceUserName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by User = SourceUserName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Blocked Domains\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv 
AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxRPZ: string, InfobloxPolicyID: string, InfobloxDomainCat: string, InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string, InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by InfobloxRPZ\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Feeds, 
Filters\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DeviceName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by Asset = DeviceName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Assets\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Asset\",\"exportParameterName\":\"DeviceName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"100\",\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 Malicious Assets' grid to see 'Overall Asset Details'\"},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = 
trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand DeviceName == ('{DeviceName}')\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], 
['Threat Indicator'], ['Feed Type']\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Asset : {DeviceName} Details \",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, 
InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| order by TimeGenerated\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = 
InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], ['Threat Indicator'], ['Feed Type']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Blocked DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat 
Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 7\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"4\"},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-Service-Name** and **Infoblox-Get-Host-Name** logic apps 
which are deployed with the Microsoft Sentinel Solution.\\r\\nPlease configure this logic apps first and keep enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"19baf045-4606-49d8-8cb7-ef3ee9fed69a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"af60a861-3c2f-42a5-9045-295348fa5ac6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ServiceName\",\"label\":\"Service Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by 
name_s asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"796c7544-d2ff-42c6-a5c4-816298e72782\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend HostID = tostring(split(split(InfobloxLogName, ';')[0], '/')[0])\\r\\n| parse-kv LogSeverity as (InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend LogSeverityHostID = tostring(split(InfobloxLogName, '/')[0])\\r\\n| extend HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend HostName = trim(@\\\"\\\\s\\\", 
display_name_s), name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(HostName) and ('{ServiceName:escapejson}' == \\\"*\\\" or name_s in~ ({ServiceName}))\\r\\n| distinct HostName\\r\\n| order by HostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(split(InfobloxLogName, ';')[0], '/')\\r\\n| extend HostID = tostring(InfobloxLogName[0]), Process = tostring(InfobloxLogName[1])\\r\\n| parse-kv LogSeverity as (msg:string, InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(InfobloxLogName, '/')\\r\\n| extend LogSeverityHostID = tostring(InfobloxLogName[0]),\\r\\n LogSeverityProcess = tostring(InfobloxLogName[1]),\\r\\n Message = split(iif(isempty(Message), msg , Message), '\\\"')[1]\\r\\n| extend Process = iif(isempty(Process), LogSeverityProcess, Process), HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join 
kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend ['Service Name'] = trim(@\\\"\\\\s\\\", name_s), ['Host Name'] = trim(@\\\"\\\\s\\\", display_name_s), ['Process Name'] = trim(@\\\"\\\\s\\\",Process)\\r\\n| where ('{ServiceName:escapejson}' == \\\"*\\\" or ['Service Name'] in~ ({ServiceName}))\\r\\nand ('{HostName:escapejson}' == \\\"*\\\" or ['Host Name'] in~ ({HostName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], ['Service Name'], ['Process Name'], ['Host Name'], Message\",\"size\":0,\"showAnalytics\":true,\"title\":\"Service Log Data\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"5\"},\"name\":\"group - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This data connector depends on parsers based on Kusto Functions to work as expected called **InfobloxInsight, InfobloxInsightEvents, InfobloxInsightAssets, InfobloxInsightIndicators, **and **InfobloxInsightComments** which are deployed with the Microsoft Sentinel Solution.\",\"style\":\"info\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 
20px 0\"}},{\"type\":1,\"content\":{\"json\":\"# Infoblox SOC Insights Workbook\\r\\n\\r\\n##### Get a closer look at your Infoblox SOC Insights. \\r\\n\\r\\nThis workbook is intended to help visualize your [BloxOne SOC Insights](https://csp.infoblox.com/#/insights-console/insights/open/threats) data as part of the **Infoblox SOC Insight Solution**. Drilldown your data and visualize events, trends, and anomalous changes over time.\\r\\n\\r\\n---\\r\\n\"},\"name\":\"text - 3\",\"styleSettings\":{\"margin\":\"0 0 20px 0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| extend isConfigIssue = iff((ThreatClass has_cs (\\\"CONFIGURATIONISSUE\\\")), \\\"Configuration\\\", \\\"Threats\\\")\\r\\n| summarize count() by isConfigIssue\",\"size\":3,\"title\":\"Insight Types\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Insight Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| summarize 
dcount(InfobloxInsightID) by Priority\",\"size\":3,\"title\":\"Priority\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"purple\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"Priority\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatProperty\",\"size\":3,\"title\":\"Threat Families\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true 
dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatType\",\"size\":3,\"title\":\"Threat Classes\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"Threat Classes\"}]},\"name\":\"Overall\"},{\"type\":1,\"content\":{\"json\":\"## Using this Workbook\\r\\nTo make use of this workbook, you must ingest Infoblox SOC Insight data into Sentinel in one or both ways:\\r\\n- Deploy the **Infoblox SOC Insights Data Connector** and forward CEF syslog via the Microsoft forwarding agent.\\r\\n- Deploy the **Infoblox-SOC-Get-Open-Insights-API** playbook.\\r\\n\\r\\nYou can use one or both at the same time, but beware of duplicate data!\\r\\n\\r\\nConfigure the **Analytic Queries** that come with this Microsoft Sentinel Solution. They will add the Insights as Incidents, so you can easily track and run playbooks on them.\\r\\n\\r\\nThen, once you have some Insights, run the **Infoblox-SOC-Get-Insight-Details** playbook to get all the gritty details. If you wish, you can then run **Infoblox-SOC-Import-Indicators-TI** to ingest each Indicator of an Insight into Sentinel as **Threat Intelligence**.\\r\\n\\r\\n## Run playbooks directly from this workbook!\\r\\n\\r\\n#### Set the **Resource Group**, [**Tenant ID**](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) and **Playbook** to run when clicking on the **Run Playbook** in the SOC Insight Incidents table below.\\r\\n\\r\\n**Infoblox-SOC-Get-Insight-Details** pulls all the details about each individual Insight. \\r\\n\\r\\n**Infoblox-SOC-Import-Indicators-TI** pushes each Indicator of the Insight into Sentinel as **Threat Intelligence**. 
You must run the **Infoblox-SOC-Get-Insight-Details** *before* running **Infoblox-SOC-Import-Indicators-TI**.\\r\\n\\r\\nYou will need to run the playbooks for each Insight/Incident. You can do that manually within this workbook with the **Run Playbook** button in the table below, from the **Incidents** blade, or configure them to run automatically with **Analytics**. \\r\\n\\r\\nAfter running **Infoblox-SOC-Get-Insight-Details** on an Insight, **click on it in the table below** to see the details.\\r\\n\\r\\n**You can rerun playbooks on Insights** that already contain data to get the most recent. \",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 5px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e8613f2c-08c6-49e6-a2c6-e12d185c6bd3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResourceTypes\",\"label\":\"Resource Types\",\"type\":7,\"description\":\"This parameter must be set to Logic app.\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"includeAll\":true,\"showDefault\":false},\"value\":[\"microsoft.logic/workflows\"]},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup\",\"label\":\"Incidents Resource Group\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"isGlobal\":true,\"query\":\"where type =~ 
\\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| where resourceGroup =~ \\\"{SentinelResourceGroup}\\\"\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0a92b010-8b48-4601-872f-83e13561b088\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"63c75027-cc56-4958-9296-e0c986ab11e0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookResourceGroup\",\"label\":\"Playbook Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"3c6d99b2-1eb1-4650-a3f0-d48dc03f87cb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenantID\",\"label\":\"Tenant ID\",\"type\":1,\"isRequired\":true,\"value\":\"\"},{\"id\":\"e1ea6f58-cd1b-4807-a7de-7da91b787bd4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookName\",\"label\":\"Playbook\",\"type\":5,\"description\":\"Set the playbook to run when clicking on 
the \\\"Run Playbook\\\" in the SOC Insight Incidents table below.\",\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~({ResourceTypes})\\r\\n| extend resourceGroupId = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup)\\r\\n| where resourceGroup =~ \\\"{PlaybookResourceGroup}\\\"// or '*' in~({PlaybookResourceGroup})\\r\\n| order by name asc\\r\\n| extend Rank = row_number()\\r\\n| project label = tostring(name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"Infoblox-SOC-Get-Insight-Details\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 0 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"15px 0 0 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"103f5c4e-6007-46c3-88ed-74fdb7843acc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}]},\"value\":{\"durationMs\":2592000000}},{\"id\":\"7c4c6733-a2d8-40b1-abf5-7f2d777e814c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectPriority\",\"label\":\"Priority\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\r\\n { 
\\\"value\\\":\\\"N/A\\\"},\\r\\n { \\\"value\\\":\\\"INFO\\\"},\\r\\n { \\\"value\\\":\\\"LOW\\\"},\\r\\n { \\\"value\\\":\\\"MEDIUM\\\"},\\r\\n { \\\"value\\\":\\\"HIGH\\\"},\\r\\n { \\\"value\\\":\\\"CRITICAL\\\"}\\r\\n]\",\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"3e3ee805-c983-480e-9c10-49a47be4ddc6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| distinct Status\\r\\n| sort by Status asc\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1c79577f-a4f2-4b2a-aaa7-fbcc5e27831d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Owner\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| where Status in ({Status})\\r\\n| project Owner=tostring(Owner.userPrincipalName)\\r\\n| sort by Owner asc\\r\\n| extend Owner = iff(isnotempty( Owner), Owner, \\\"Unassigned\\\")\\r\\n| distinct Owner\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 19 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let x =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where 
tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Labels = tostring(Labels)\\r\\n| extend InfobloxInsightID = extract(\\\"InfobloxInsightID: (.*?)\\\\\\\"\\\", 1, Labels)\\r\\n| join \\r\\n (InfobloxInsight\\r\\n | summarize arg_max(TimeGenerated, *) by InfobloxInsightID\\r\\n ) on InfobloxInsightID\\r\\n//sometimes duplicate TimeGenerated so grab LastSeen next\\r\\n| summarize arg_max(LastSeen, *) by IncidentNumber\\r\\n| project IncidentNumber, Severity, Priority, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID\\r\\n; \\r\\nlet incidents =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Alerts = extract(\\\"\\\\\\\\[(.*?)\\\\\\\\]\\\", 1, tostring(AlertIds))\\r\\n| mv-expand AlertIds to typeof(string)\\r\\n//----------------\\r\\n;\\r\\nlet alerts =\\r\\n SecurityAlert\\r\\n | extend AlertEntities = parse_json(Entities)\\r\\n //| extend InfobloxInsightID = tostring(AlertEntities.ObjectGuid)\\r\\n;\\r\\nincidents | join alerts on $left.AlertIds == $right.SystemAlertId\\r\\n//----------------------\\r\\n| summarize AlertCount=dcount(AlertIds) by IncidentNumber, IncidentID, Status, Title, Alerts, IncidentUrl, Owner=tostring(Owner.userPrincipalName) , RunPlaybook\\r\\n// -------------\\r\\n| join kind=inner (incidents | join alerts on $left.AlertIds == 
$right.SystemAlertId) on IncidentNumber\\r\\n| join kind=fullouter x on IncidentNumber\\r\\n| summarize arg_max(TimeGenerated,*) by (IncidentNumber)\\r\\n//| where Priority in ({SelectPriority}) or '{SelectPriority:label}' == \\\"All\\\"\\r\\n| where Status in ({Status}) or '{Status:label}' == \\\"All\\\"\\r\\n| project IncidentNumber, Severity, Priority, Title, Status, Owner, IncidentUrl, RunPlaybook, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID, IncidentID\\r\\n//| project-away IncidentID\\r\\n| order by toint(IncidentNumber) desc\\r\\n\",\"size\":0,\"title\":\"SOC Insight Incidents\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"InfobloxInsightID\",\"parameterName\":\"InfobloxInsightID\",\"parameterType\":1},{\"fieldName\":\"IncidentID\",\"parameterName\":\"IncidentID\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"Title\",\"parameterType\":1}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Informational\",\"representation\":\"Sev4\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Priority\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdV
alue\":\"INFO\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"LOW\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MEDIUM\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"HIGH\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"CRITICAL\",\"representation\":\"purple\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"New\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Active\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Owner\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}},{\"columnMatch\":\"RunPlaybook\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:label}/providers/Microsoft.SecurityInsights/incidents/{IncidentID}/runPlaybook?api-version=2019-01-01-preview\",\"body\":\"{\\r\\n \\\"LogicAppsResourceId\\\":\\\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.Logic/workflows/{PlaybookName:label}\\\",\\r\\n \\\"tenantId\\\":\\\"{TenantID}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify 
resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}},\"tooltipFormat\":{\"tooltip\":\"Run {PlaybookName} on this insight.\"}},{\"columnMatch\":\"EventsCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"NotBlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"BlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"InsightDataReady\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data for this insight, run the Infoblox-SOC-API-Get-Insight-Details playbook.\"}},{\"columnMatch\":\"isPopulated\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data about this Insight, run the Infoblox-SOC-API-Get-Insight-Details 
Playbook.\"}},{\"columnMatch\":\"Alerts\",\"formatter\":5},{\"columnMatch\":\"AlertCount\",\"formatter\":0,\"formatOptions\":{\"aggregation\":\"Sum\"}},{\"columnMatch\":\"Entities\",\"formatter\":1},{\"columnMatch\":\"alertCount\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"redBright\"}},{\"columnMatch\":\"count_AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"rowLimit\":500,\"filter\":true}},\"name\":\"IncidentDetailsView\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"46b4abc5-316b-4c75-89b7-5cf134d6dbb0\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Summary\",\"subTarget\":\"Summary\",\"style\":\"link\"},{\"id\":\"81661594-3591-4fe6-a67d-b69ae55abf67\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Assets\",\"subTarget\":\"Assets\",\"preText\":\"IPs\",\"style\":\"link\"},{\"id\":\"46ca603b-ead0-46bd-987d-1d157b2a763a\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators\",\"subTarget\":\"Indicators\",\"style\":\"link\"},{\"id\":\"f2ce2fdb-104a-447f-b42b-6d11931a09ff\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Events\",\"subTarget\":\"Events\",\"style\":\"link\"},{\"id\":\"03782b90-e744-4654-95c3-a1056cfe78f9\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Comments\",\"subTarget\":\"Comments\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"},\"name\":\"links - 16\",\"styleSettings\":{\"padding\":\"20px 0 20px 0\"}},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** above to view more information.\",\"style\":\"upsell\"},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 14\",\"styleSettings\":{\"padding\":\"10px 0 10px 
0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## {Title}\"},\"name\":\"text - 8\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"5c15d5ff-4108-4538-930b-201f4f8da870\",\"cellValue\":\"https://csp.infoblox.com/#/insights-console/insight/{InfobloxInsightID}/summary\",\"linkTarget\":\"Url\",\"linkLabel\":\"Redirect To Summary on CSP\",\"preText\":\"\",\"style\":\"link\"}]},\"name\":\"links - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(FirstSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend FirstSeen = strcat(tostring(FirstSeen), \\\" UTC\\\")\\r\\n| project FirstSeen\",\"size\":3,\"title\":\"First Seen\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"FirstSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"First Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(LastSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend LastSeen = strcat(tostring(LastSeen), \\\" UTC\\\")\\r\\n| project LastSeen\",\"size\":3,\"title\":\"Last Seen 
\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"LastSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Last Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(SpreadingDate)\\r\\n| extend format_datetime(todatetime(SpreadingDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend SpreadingDate = strcat(tostring(SpreadingDate), \\\" UTC\\\")\\r\\n| project SpreadingDate\",\"size\":3,\"title\":\"Spreading Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"SpreadingDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Spreading Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(PersistentDate)\\r\\n| extend format_datetime(todatetime(PersistentDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend PersistentDate = strcat(tostring(PersistentDate), \\\" UTC\\\")\\r\\n| project PersistentDate\",\"size\":3,\"title\":\"Persistent 
Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"PersistentDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Persistent Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(BlockedCount)\\r\\n| project BlockedCount\",\"size\":3,\"title\":\"Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"BlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(NotBlockedCount)\\r\\n| project NotBlockedCount\",\"size\":3,\"title\":\"Not Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"NotBlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Not Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(EventsCount)\\r\\n| project EventsCount\\r\\n\",\"size\":3,\"title\":\"Total Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventsCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"gray\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(SourceIP)\\r\\n| summarize count() by SourceIP\\r\\n| top 20 by count_ \\r\\n| project SourceIP);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\\r\\n\",\"size\":0,\"title\":\"Top 20 Compromised 
Assets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top Impacted IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count() by ThreatIndicator\\r\\n| top 20 by count_ \\r\\n| project ThreatIndicator);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, ThreatIndicator, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatIndicator\\r\\n\",\"size\":0,\"title\":\"Top 20 Indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top 20 Indicators\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = 
materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| summarize count() );\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"Events\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Summary\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Summary\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Assets\\r\\n---\\r\\nSee your protected assets/devices affected by this insight. 
**Install the Infoblox Endpoint client for more accurate data.**\"},\"name\":\"text - 6\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Asset** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"margin\":\"15px 0 15px 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['OS Version'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| project SourceIP, User, ['MAC Address'], ['OS Version'], DeviceName, Network,['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"IndicatorDistinctCount\",\"label\":\"Associated Indicators\"}]}},\"name\":\"Assets\",\"styleSettings\":{\"margin\":\"0 0 20px 
0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"gree
n\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"75\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 60px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ThreatIndicator, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| summarize Count = count() by ThreatIndicator\\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"25\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\" Indicators for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatLevel\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Level Trend for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"se
riesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"High\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Threat Level Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for 
{SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"blue\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| 
where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Events = count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"All Events for {SourceIP}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"All Events for {SourceIP}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Assets\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Assets\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Indicators\\r\\n---\\r\\nAn **Indicator** is a domain or IP address that is seen in the resolution chain of a query from a device.\\r\\n\\r\\n\"},\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| summarize count_distinct(ThreatIndicator) by 
InfobloxB1PolicyAction\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Blocked\",\"color\":\"green\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count_distinct(ThreatIndicator) by ThreatLevel\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"blue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Indicator** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"padding\":\"15px 0 15px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"5b2e1804-a9a6-4b86-8a6e-27fd0ab029b5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatLevelParam\",\"label\":\"Threat Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct 
ThreatLevel\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e36bc3c2-b85e-478c-968b-7faf79c21c49\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"InfobloxB1PolicyActionParam\",\"label\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct InfobloxB1PolicyAction\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AssetCount = (InfobloxInsightIndicators\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| join kind=inner\\r\\n(\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"66b112e0-3187-4faa-9357-d229e98002ca\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\\r\\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\\r\\n| where ThreatIndicator1 has_cs ThreatIndicator\\r\\n| summarize by SourceIP, ThreatIndicator\\r\\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\\r\\n\\r\\n\\r\\nInfobloxInsightIndicators\\r\\n| where InfobloxInsightID == 
\\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| join\\r\\n (\\r\\n AssetCount\\r\\n ) on ThreatIndicator\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| extend URL = strcat(\\\"https://csp.infoblox.com/#/security_research/search/auto/\\\", ThreatIndicator, \\\"/summary\\\")\\r\\n| extend sort_order = case(\\r\\n ThreatLevel == \\\"High\\\", 5,\\r\\n ThreatLevel == \\\"Medium\\\", 4,\\r\\n ThreatLevel == \\\"Low\\\", 3,\\r\\n ThreatLevel == \\\"N/A\\\", 2,\\r\\n 1 // default case if ThreatLevel doesn't match any of the above\\r\\n)\\r\\n| order by sort_order, EventCount desc\\r\\n| project-away sort_order\\r\\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\\r\\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"ThreatIndicator\",\"exportParameterName\":\"ThreatIndicator\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Not 
Blocked\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Investigate in Dossier\"}},{\"columnMatch\":\"SourceIPDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"bluePurple\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"URL\",\"label\":\"Investigate in Dossier\"}]}},\"name\":\"Indicators\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Source OSVersion'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] 
= InfobloxB1DHCPFingerprint\\r\\n| summarize by SourceIP, User, ['MAC Address'], ['Source OSVersion'], DeviceName, Network, ['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets for {ThreatIndicator}\",\"noDataMessage\":\"Select an Indicator in the above chart to see details.\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Assets for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by SourceIP\\r\\n| top 500 by count_ \\r\\n);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, 
InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for {ThreatIndicator}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"createOtherGroup\":15}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Source IPs for 
{ThreatIndicator}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where Detected >= ago(30d)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['Date Time'] = TimeGenerated\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, User, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, ['MAC Address'], ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for 
{ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs 
'{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for {ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\
":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"gray\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"}]}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {ThreatIndicator}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Indicators\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Events\\r\\n---\\r\\nDNS security events associated with this insight.\\r\\n\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatLevel)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatLevel\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat 
Level\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Threat Level\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatClass)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatClass\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Classes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Classes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatProperty)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, 
ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatProperty\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Families\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceUserName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Users\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DeviceName)\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Names\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Names\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(SourceIP)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Source IPs\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Source IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1Network)\\r\\n| 
distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1Network\",\"size\":4,\"title\":\"Sources\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Sources\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyName)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyName\",\"size\":4,\"title\":\"Policies\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Policies\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= 
ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyAction\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Actions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"name\":\"Actions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DNSResponse)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DNSResponse\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"DNS 
Responses\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"DNS Responses\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceRegion)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceRegion\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Regions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Regions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceCountry)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, 
DeviceCountry\\r\\n| summarize Count = count() by DeviceCountry\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Countries\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Device Countries\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| project-rename ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, SourceMACAddress, ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected 
desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Events\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightComments\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
distinct CommentChanger, Comment, DateChanged, Status\\r\\n| order by DateChanged desc\\r\\n| project-rename ['Date Time'] = DateChanged, User = CommentChanger\\r\\n| project ['Date Time'], Status, User, Comment\",\"size\":0,\"title\":\"Comments\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"Comments\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Comments\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Comments\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 17\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"6\"},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This Config Insights depends on the **Infoblox-Config-Insights** and **InfoBlox-Config-Insight-Details** logic apps which are deployed with the Microsoft Sentinel Solution.\\r\\nPlease configure this logic apps first and keep it enabled in order to use this Config Insight Details Dashboard.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":1,\"content\":{\"json\":\"# Infoblox Config Insights\"},\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"## Steps to view Config Insights Details using this workbook\\r\\n- This workbook is intended to view the available config insights and view their details.\\r\\n- Select the **Resource Group** and **Subscription ID**.\\r\\n- Select TimeRange.\\r\\n- From the **Config Insights** panel, select any config Insight.\\r\\n- You will be able to see the config details of the selected Insight.\\r\\n- If there is message like **The query returned no results** on config details panel, 
then click on the **GET CONFIG INSIGHT DETAILS** link to get the Config Insight Details for that Config Insight.\\r\\n- This will execute the **InfoBlox-Config-Insight-Details** logic app in the background.\\r\\n- You can check the status of the playbook to identify the Config Insight Details status.\\r\\n- Click on the refresh button of the lookup panel until you get the Config Insight Details.\\r\\n\\r\\n\\r\\n**Note** : In cases where specific indicators may not have lookup information available in Infoblox, users are advised to refer to the Logic App status for further details.\\r\\n\",\"style\":\"upsell\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SubscriptionId\",\"label\":\"Subscription ID\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| distinct subscriptionId\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup1\",\"label\":\"Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| where subscriptionId == ('{SubscriptionId}')\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project 
resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"},{\"id\":\"f70e5d0e-2eff-4bca-9489-90ab64378887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}],\"allowCustom\":false},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, policyAnalyticsId_g:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insights_CL\\r\\n| summarize arg_max(TimeGenerated, *) by policyAnalyticsId_g\\r\\n| extend ConfigInsightDetails = \\\"GET CONFIG INSIGHT DETAILS\\\"\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'],\\r\\n['Policy Analytics ID'] = policyAnalyticsId_g,\\r\\n['Insight Type'] = column_ifexists(\\\"insightType_s\\\",\\\"\\\"),\\r\\n[\\\"Config Insight Details\\\"] = column_ifexists(\\\"ConfigInsightDetails\\\",\\\"\\\")\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Policy Analytics ID\",\"exportParameterName\":\"ConfigInsightId\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Config Insight 
Details\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{SubscriptionId}/resourceGroups/{SentinelResourceGroup1}/providers/Microsoft.Logic/workflows/InfoBlox-Config-Insight-Details/triggers/manual/run?api-version=2016-10-01\",\"body\":\"{\\r\\n \\\"config_insight_id\\\": \\\"{ConfigInsightId}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}}}],\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, analyticInsightId_g:string, feeds_s:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insight_Details_CL\\r\\n| where analyticInsightId_g == \\\"{ConfigInsightId}\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by analyticInsightId_g\\r\\n| extend ParsedJson = parse_json(feeds_s)\\r\\n| mv-expand ParsedJson\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], \\r\\n['Insight Type'] = insightType_s,\\r\\n['Rule Type'] = ParsedJson.ruleType, \\r\\n['Rule Name'] = ParsedJson.ruleName, \\r\\n['Feed Name'] = ParsedJson.feedName, \\r\\n['Current Action'] = ParsedJson.currentAction, \\r\\n['Recommended Action'] = ParsedJson.recommendedAction, \\r\\n['Status'] = ParsedJson.status\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights Detail for Config ID: 
{ConfigInsightId}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"ConfigInsightId\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"8\"},\"name\":\"group - 16\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Subscription}\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| 
mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\",\"label\":\"Time Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\" Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/n9beey85aP)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\\n---\\n\\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. 
[Video Demo](https://youtu.be/4Bet2oVODow)\\n\"},\"customWidth\":\"79\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"20\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Microsoft Sentinel Logo\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"18c690d7-7cbd-46c1-b677-1f72692d40cd\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Ingestion\",\"subTarget\":\"Indicators\",\"preText\":\"Alert rules\",\"style\":\"link\"},{\"id\":\"f88dcf47-af98-4684-9de3-1ee5f48f68fc\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Search\",\"subTarget\":\"Observed\",\"style\":\"link\"}]},\"name\":\"Tabs link\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\\r\\n| order by 
CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n 
iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked 
active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or 
isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, 
count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},\"name\":\"Indicators 
Ingestion\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Search Indicator in Events\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has 
\\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data 
Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor 
column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, 
Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these 
thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Pre attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated < now()\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], IndicatorId, ThreatType, Active, Tags, TrafficLightProtocolLevel, EmailSenderAddress, FileHashType, FileHashValue, DomainName, NetworkIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Indicator\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
6\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Observed\"},\"name\":\"Indicators Observed\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"7\"},\"name\":\"group - 7\"}],\"fromTemplateId\":\"sentinel-Infoblox | Infoblox Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"370d206d-18b1-43d4-a170-71a4a12ba9b2\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"SOC Insights Overview\",\"subTarget\":\"6\",\"style\":\"link\"},{\"id\":\"63a011d0-c970-408d-b027-a8579848a6fd\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Config Insights Overview\",\"subTarget\":\"8\",\"style\":\"link\"},{\"id\":\"f8b51e3b-e4b2-4ba4-9a9c-bedea05a1ee7\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Blocked Traffic Overview\",\"subTarget\":\"4\",\"style\":\"link\"},{\"id\":\"d3af8e0b-806c-4f1f-b006-845c842bc2fc\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DNS Overview\",\"subTarget\":\"1\",\"style\":\"link\"},{\"id\":\"dbd0c004-e0b4-446c-91cd-5a5af3f6e16e\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DHCP Overview\",\"subTarget\":\"2\",\"style\":\"link\"},{\"id\":\"41df2b27-5f91-4a8b-adcb-e7997f86d6d6\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Audit Log Overview\",\"subTarget\":\"3\",\"style\":\"link\"},{\"id\":\"4f1a6ec7-3d56-4f50-8045-34adbb8d92d0\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Service Log Overview\",\"subTarget\":\"5\",\"style\":\"link\"},{\"id\":\"ffabdc7f-2cb7-40fc-a883-d82609bba051\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Threat Intelligence Overview\",\"subTarget\":\"7\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e1e015ea-e688-48be-ac2b-846fe98be48e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time 
Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"4bf79012-0d96-4024-8cb6-0b9c0d9407ef\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where 
isnotempty(SourceHostName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct DeviceName\\r\\n| sort by DeviceName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"66255f50-472e-4295-8d64-6b9fa2e3c887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ 
({User}))\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\", SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by SecondLevelDomain \\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f0a80c9f-a800-4958-b51c-4b38bfaf6624\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResponseCode\",\"label\":\"Response Code\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSRCode: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode)\\r\\n| where isnotempty(InfobloxDNSRCode) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSRCode\\r\\n| sort by InfobloxDNSRCode asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RecordType\",\"label\":\"Record 
Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSQType\\r\\n| sort by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| 
where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| project-rename ['Destination Dns Domain'] = DestinationDnsDomain\\r\\n| project ['Destination Dns Domain'], Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Most Requested FQDNs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Destination Dns Domain\",\"exportParameterName\":\"DestinationDnsDomain\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Most Requested FQDNs\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"0\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Most Requested FQDNs' grid to see 'Top 10 Devices'\"},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 18\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 
20\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"72d2b1bd-300c-4f3e-b4ca-4dcaec96fb3a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopDevices\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| where DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DeviceName)\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = make_list(DeviceName)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"102ee8fc-7658-4bca-82f3-54ed66d2ba9d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopMAC\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID 
has_cs \\\"DNS\\\" and DestinationDnsDomain == ('{DestinationDnsDomain}') \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceMACAddress)\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = make_list(SourceMACAddress)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4c59d86e-9130-41a4-ba95-4e7974e4de06\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstDevice\",\"type\":1,\"query\":\"print (todynamic('{TopDevices}')[0])\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0f1d8907-d375-4db8-a5c9-f9d7390d8f7f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondDevice\",\"type\":1,\"query\":\"print 
todynamic('{TopDevices}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bd2a1987-e9ba-42ac-9856-a8c781ebb332\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"04910ee0-5aa4-4897-82d6-15167ad50e01\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9a023fc0-b8b3-4e1e-9d9c-2c5c511cf32f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"5619aab8-f9b6-4218-9315-c6741facf4eb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4dd8c03f-0ec4-494c-a237-ff5c9ab73f8f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1a2455e4-36ec-46c9-bb3f-395ff1186abb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightDevice\",\"type\":1,\"query\":\"print 
todynamic('{TopDevices}')[7]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"72b22373-007c-4d10-bbdd-bdac49ea666c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"eb44f209-d53b-488f-8275-05294b57b1c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bb6a7aa4-0cf3-49d4-9649-179f6d60af71\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[0]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"571e7afc-50fc-4f35-a7cf-c1d23a00effe\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"00dca50c-6034-4a97-b1b0-da773ed535e7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"05752a54-7398-4373-9d67-bc5ce96c32a1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"42233555-d975-4e88-b62e-2a53e728ae38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"3a0eea52-845c-4347-b01b-6f4531de2d5c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"29854b31-e4cd-4157-94d4-c0c3fef6f9a2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"959fdc81-126b-44f9-8a82-753bc8d5bebd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[7]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"78b51494-7bb5-4a7d-ab01-67483568319d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b66ac0ed-09b2-49e1-bead-88c1a1145f70\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Hide\",\"comparison\":\"isNotEqualTo\"},\"name\":\"parameters - 18\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Top 10 Devices for Domain : {DestinationDnsDomain}\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FirstDevice}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| render piechart with(title=tostring(todynamic('{TopDevices}')[0]))\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FirstDevice} , MAC : 
{FirstMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FirstDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 18\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SecondDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SecondDevice} , MAC : 
{SecondMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SecondDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{ThirdDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {ThirdDevice} , MAC : 
{ThirdMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"ThirdDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FourthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FourthDevice} , MAC : 
{FourthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FourthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FifthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FifthDevice} , MAC : 
{FifthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FifthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SixthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SixthDevice} , MAC : 
{SixthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SixthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SeventhDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SeventhDevice} , MAC : 
{SeventhMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SeventhDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{EightDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {EightDevice} , MAC : 
{EightMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"EightDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{NinethDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {NinethDevice} , MAC : 
{NinethMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"NinethDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{TenthDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {TenthDevice} , MAC : 
{TenthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"TenthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 19\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceUserName)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD})) \\r\\n| project-rename User = SourceUserName\\r\\n| summarize Count = count() by User\\r\\n| project User, Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests Count by Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"User\",\"exportParameterName\":\"SourceUserName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"compositeBarSettings\":{\"labelText\":\"\"}}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Top Users\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'DNS Requests Count by Users' grid to see 'Overall DNS Requests made by User' and 'Top 10 Requested Domains by User'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 19\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\nInfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string, \\r\\nInfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string, \\r\\nInfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with 
(pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns 
Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall DNS Requests made by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log 
Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 15\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" 
or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Requested Domains by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"group\":\"DestinationDnsDomain\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 
8\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by InfobloxDNSRCode\",\"size\":3,\"showAnalytics\":true,\"title\":\"Response 
Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Response_Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 9\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Types of Response' pie chart to see 'DNS Requests' and 'Top 20 Devices'\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", 
SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], 
['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"{Response_Type} DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"
query - 16\",\"styleSettings\":{\"padding\":\"17px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 20 by Count\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 20 Devices for {Response_Type} DNS 
Request\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":20,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by 
InfobloxDNSQType\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Query Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on TimeGenerated from ago(1d) to now() step 1h by InfobloxDNSRCode\",\"size\":0,\"title\":\"Overall Queries Per Hour\",\"timeContext\":{\"durationMs\":86400000},\"exportFieldName\":\"x\",\"exportParameterName\":\"QPS_Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true,\"showDataPoints\":true,\"xSettings\":{\"label\":\"Time\"}}},\"customWidth\":\"100\",\"name\":\"query - 11\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"18px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Overall Queries Per Hour' bar chart to see 'Queries Per Minutes'\"},\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 20\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 21\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| where TimeGenerated between (Gridtime - 30m .. Gridtime + 30m)\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on bin(TimeGenerated, 1m) from (Gridtime - 30m) to (Gridtime + 30m) step 1m by InfobloxDNSRCode\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Queries Per Minute\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Count\",\"color\":\"blueDark\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 13\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 
30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\nand TimeGenerated between ((Gridtime - 30m) .. 
(Gridtime + 30m))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Overall Query by Devices per hour\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName 
= trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], 
Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxAnCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowGreenBlue\"}},{\"columnMatch\":\"InfobloxNsCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yell
owOrangeBrown\"}},{\"columnMatch\":\"InfobloxArCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"SourceUserName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"representation\":\"brown\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 15\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Main Group\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-IP-Space-Data** logic app which is deployed with the Microsoft Sentinel Solution.\\r\\nPlease configure this logic app first and keep it enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 15\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"4abe4038-7e69-4b2c-9ec2-e1f9311e96be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time 
Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"379d941d-6191-494d-b518-caf9e0d8ce55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DHCPServer\",\"label\":\"DHCP Server\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(InfobloxHostID) \\r\\n| distinct InfobloxHostID\\r\\n| sort by InfobloxHostID asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"68911f86-d896-407d-9a0b-07934f997037\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) 
[];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceHostName) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"c5628a47-4153-4808-a618-9a06d560428b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MAC\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceMACAddress) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceMACAddress\\r\\n| sort by SourceMACAddress 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"053f6da7-3bb9-4f9f-9bc5-ec09a9723f52\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Space\",\"label\":\"IP Space\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxIPSpace: string, InfobloxHostID: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by name_s asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) 
[];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases (Unique IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP 
Leases\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases (Unique 
IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') 
== \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases \",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"greenDark\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| 
where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by InfobloxLeaseOp\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Leases over Time\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| extend InfobloxLeaseOp = 
trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where isnotempty(InfobloxLeaseOp)\\r\\n| summarize count() by InfobloxLeaseOp\",\"size\":3,\"showAnalytics\":true,\"title\":\"DHCP Activity Summary\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Lease\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"51px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'DHCP Activity Summary' pie chart to see 'DHCP Lease for Activity'\"},\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand 
isnotempty(SourceMACAddress)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 MAC Address\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_MAC\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"53px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 MAC Address' pie chart to see 'Source IPs for MAC'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxRangeStart: string, InfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string,\\r\\nInfobloxDUID: string, InfobloxLifetime: 
string,InfobloxLeaseUUID: string, InfobloxFingerprintPr: string,\\r\\nInfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxLeaseOp = trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand InfobloxLeaseOp == ('{Lease}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space})) and isnotempty(trim(@\\\"\\\\s\\\", InfobloxLeaseOp))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease 
UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease for Activity : {Lease}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand SourceMACAddress == ('{Pie_MAC}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 
{TimeRange:grain} by SourceIP\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for MAC : {Pie_MAC}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand isnotempty(SourceIP)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count=count() by SourceIP\\r\\n| top 10 by 
Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 IP Addresses\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 IP Addresses' grid to see 'Host for IP'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand SourceIP == ('{SourceIP}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s 
\\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceHostName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Host for IP : {SourceIP}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\nand DeviceProduct == \\\"Data Connector\\\" \\r\\nand DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, 
IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5\",\"padding\":\"5\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 14\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"group - 
5\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"82320096-33a6-4d48-b64f-2c90aa564ed4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"00756d7d-b074-42e5-996e-4ffa6487606f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserName\",\"label\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"3d2f3549-f5c5-4496-a013-f9b306321c75\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction) and (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| distinct DeviceAction\\r\\n| sort by DeviceAction asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string, InfobloxRangeEnd: string, 
InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\nand (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename Action = DeviceAction\\r\\n| summarize Count = count() by Action\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Types of Actions\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"bar_Action\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Types of Actions' bar chart to see 'Top 10 User for Action' and 'Audit Logs for Action'\"},\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 4\"}],\"exportParameters\":true},\"name\":\"group - 
5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(SourceUserName)\\r\\nand DeviceAction == ('{bar_Action}')\\r\\nand (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename User = SourceUserName, Action = DeviceAction\\r\\n| summarize Count = count() by User\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 User for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_user\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"70px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 User for Action : {bar_Action}' pie chart to see 'Top 10 SourceIP for User'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and 
DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string, \\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string, \\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, \\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], 
Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where SourceUserName == ('{Pie_user}') and DeviceAction == ('{bar_Action}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Source IP for User : 
{Pie_user}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string,\\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\n InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\n and (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = 
InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"3\"},\"name\":\"group - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"daee0513-3b57-4c4d-9052-7a92094a4036\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| where isnotempty(SourceUserName) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by SourceUserName\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct DeviceName\\r\\n| sort by DeviceName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"cf61f3a4-fe90-4244-b94b-4aedc1210af9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Location\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, 
InfobloxB1Region: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(Location) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct Location\\r\\n| sort by Location asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"e63dae9c-b8cf-4c02-9a7f-de990bfc4d1b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by 
SecondLevelDomain\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNSRecordType\",\"label\":\"DNS Record Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxDNSQType\\r\\n| order by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f67927b9-00eb-4a45-b9d0-4bde9ac74d86\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PolicyName\",\"label\":\"Policy Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs 
\\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxB1PolicyName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxB1PolicyName\\r\\n| sort by InfobloxB1PolicyName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand 
(('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(SourceUserName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by User = SourceUserName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Blocked Domains\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv 
AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxRPZ: string, InfobloxPolicyID: string, InfobloxDomainCat: string, InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string, InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by InfobloxRPZ\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Feeds, 
Filters\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DeviceName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by Asset = DeviceName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Assets\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Asset\",\"exportParameterName\":\"DeviceName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"100\",\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 Malicious Assets' grid to see 'Overall Asset Details'\"},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = 
trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand DeviceName == ('{DeviceName}')\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], 
['Threat Indicator'], ['Feed Type']\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Asset : {DeviceName} Details \",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, 
InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| order by TimeGenerated\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = 
InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], ['Threat Indicator'], ['Feed Type']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Blocked DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat 
Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 7\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"4\"},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-Service-Name** and **Infoblox-Get-Host-Name** logic apps 
which are deployed with the Microsoft Sentinel Solution.\\r\\nPlease configure this logic apps first and keep enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"19baf045-4606-49d8-8cb7-ef3ee9fed69a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"af60a861-3c2f-42a5-9045-295348fa5ac6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ServiceName\",\"label\":\"Service Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by 
name_s asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"796c7544-d2ff-42c6-a5c4-816298e72782\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend HostID = tostring(split(split(InfobloxLogName, ';')[0], '/')[0])\\r\\n| parse-kv LogSeverity as (InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend LogSeverityHostID = tostring(split(InfobloxLogName, '/')[0])\\r\\n| extend HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend HostName = trim(@\\\"\\\\s\\\", 
display_name_s), name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(HostName) and ('{ServiceName:escapejson}' == \\\"*\\\" or name_s in~ ({ServiceName}))\\r\\n| distinct HostName\\r\\n| order by HostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(split(InfobloxLogName, ';')[0], '/')\\r\\n| extend HostID = tostring(InfobloxLogName[0]), Process = tostring(InfobloxLogName[1])\\r\\n| parse-kv LogSeverity as (msg:string, InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(InfobloxLogName, '/')\\r\\n| extend LogSeverityHostID = tostring(InfobloxLogName[0]),\\r\\n LogSeverityProcess = tostring(InfobloxLogName[1]),\\r\\n Message = split(iif(isempty(Message), msg , Message), '\\\"')[1]\\r\\n| extend Process = iif(isempty(Process), LogSeverityProcess, Process), HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join 
kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend ['Service Name'] = trim(@\\\"\\\\s\\\", name_s), ['Host Name'] = trim(@\\\"\\\\s\\\", display_name_s), ['Process Name'] = trim(@\\\"\\\\s\\\",Process)\\r\\n| where ('{ServiceName:escapejson}' == \\\"*\\\" or ['Service Name'] in~ ({ServiceName}))\\r\\nand ('{HostName:escapejson}' == \\\"*\\\" or ['Host Name'] in~ ({HostName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], ['Service Name'], ['Process Name'], ['Host Name'], Message\",\"size\":0,\"showAnalytics\":true,\"title\":\"Service Log Data\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"5\"},\"name\":\"group - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This data connector depends on parsers based on Kusto Functions to work as expected called **InfobloxInsight, InfobloxInsightEvents, InfobloxInsightAssets, InfobloxInsightIndicators, **and **InfobloxInsightComments** which are deployed with the Microsoft Sentinel Solution.\",\"style\":\"info\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 
20px 0\"}},{\"type\":1,\"content\":{\"json\":\"# Infoblox SOC Insights Workbook\\r\\n\\r\\n##### Get a closer look at your Infoblox SOC Insights. \\r\\n\\r\\nThis workbook is intended to help visualize your [BloxOne SOC Insights](https://csp.infoblox.com/#/insights-console/insights/open/threats) data as part of the **Infoblox SOC Insight Solution**. Drilldown your data and visualize events, trends, and anomalous changes over time.\\r\\n\\r\\n---\\r\\n\"},\"name\":\"text - 3\",\"styleSettings\":{\"margin\":\"0 0 20px 0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| extend isConfigIssue = iff((ThreatClass has_cs (\\\"CONFIGURATIONISSUE\\\")), \\\"Configuration\\\", \\\"Threats\\\")\\r\\n| summarize count() by isConfigIssue\",\"size\":3,\"title\":\"Insight Types\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Insight Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| summarize 
dcount(InfobloxInsightID) by Priority\",\"size\":3,\"title\":\"Priority\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"purple\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"Priority\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatProperty\",\"size\":3,\"title\":\"Threat Families\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true 
dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatType\",\"size\":3,\"title\":\"Threat Classes\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"Threat Classes\"}]},\"name\":\"Overall\"},{\"type\":1,\"content\":{\"json\":\"## Using this Workbook\\r\\nTo make use of this workbook, you must ingest Infoblox SOC Insight data into Sentinel in one or both ways:\\r\\n- Deploy the **Infoblox SOC Insights Data Connector** and forward CEF syslog via the Microsoft forwarding agent.\\r\\n- Deploy the **Infoblox-SOC-Get-Open-Insights-API** playbook.\\r\\n\\r\\nYou can use one or both at the same time, but beware of duplicate data!\\r\\n\\r\\nConfigure the **Analytic Queries** that come with this Microsoft Sentinel Solution. They will add the Insights as Incidents, so you can easily track and run playbooks on them.\\r\\n\\r\\nThen, once you have some Insights, run the **Infoblox-SOC-Get-Insight-Details** playbook to get all the gritty details. If you wish, you can then run **Infoblox-SOC-Import-Indicators-TI** to ingest each Indicator of an Insight into Sentinel as **Threat Intelligence**.\\r\\n\\r\\n## Run playbooks directly from this workbook!\\r\\n\\r\\n#### Set the **Resource Group**, [**Tenant ID**](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) and **Playbook** to run when clicking on the **Run Playbook** in the SOC Insight Incidents table below.\\r\\n\\r\\n**Infoblox-SOC-Get-Insight-Details** pulls all the details about each individual Insight. \\r\\n\\r\\n**Infoblox-SOC-Import-Indicators-TI** pushes each Indicator of the Insight into Sentinel as **Threat Intelligence**. 
You must run the **Infoblox-SOC-Get-Insight-Details** *before* running **Infoblox-SOC-Import-Indicators-TI**.\\r\\n\\r\\nYou will need to run the playbooks for each Insight/Incident. You can do that manually within this workbook with the **Run Playbook** button in the table below, from the **Incidents** blade, or configure them to run automatically with **Analytics**. \\r\\n\\r\\nAfter running **Infoblox-SOC-Get-Insight-Details** on an Insight, **click on it in the table below** to see the details.\\r\\n\\r\\n**You can rerun playbooks on Insights** that already contain data to get the most recent. \",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 5px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e8613f2c-08c6-49e6-a2c6-e12d185c6bd3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResourceTypes\",\"label\":\"Resource Types\",\"type\":7,\"description\":\"This parameter must be set to Logic app.\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"includeAll\":true,\"showDefault\":false},\"value\":[\"microsoft.logic/workflows\"]},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup\",\"label\":\"Incidents Resource Group\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"isGlobal\":true,\"query\":\"where type =~ 
\\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| where resourceGroup =~ \\\"{SentinelResourceGroup}\\\"\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0a92b010-8b48-4601-872f-83e13561b088\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"63c75027-cc56-4958-9296-e0c986ab11e0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookResourceGroup\",\"label\":\"Playbook Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"3c6d99b2-1eb1-4650-a3f0-d48dc03f87cb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenantID\",\"label\":\"Tenant ID\",\"type\":1,\"isRequired\":true,\"value\":\"\"},{\"id\":\"e1ea6f58-cd1b-4807-a7de-7da91b787bd4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookName\",\"label\":\"Playbook\",\"type\":5,\"description\":\"Set the playbook to run when clicking on 
the \\\"Run Playbook\\\" in the SOC Insight Incidents table below.\",\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~({ResourceTypes})\\r\\n| extend resourceGroupId = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup)\\r\\n| where resourceGroup =~ \\\"{PlaybookResourceGroup}\\\"// or '*' in~({PlaybookResourceGroup})\\r\\n| order by name asc\\r\\n| extend Rank = row_number()\\r\\n| project label = tostring(name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"Infoblox-SOC-Get-Insight-Details\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 0 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"15px 0 0 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"103f5c4e-6007-46c3-88ed-74fdb7843acc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}]},\"value\":{\"durationMs\":2592000000}},{\"id\":\"7c4c6733-a2d8-40b1-abf5-7f2d777e814c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectPriority\",\"label\":\"Priority\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\r\\n { 
\\\"value\\\":\\\"N/A\\\"},\\r\\n { \\\"value\\\":\\\"INFO\\\"},\\r\\n { \\\"value\\\":\\\"LOW\\\"},\\r\\n { \\\"value\\\":\\\"MEDIUM\\\"},\\r\\n { \\\"value\\\":\\\"HIGH\\\"},\\r\\n { \\\"value\\\":\\\"CRITICAL\\\"}\\r\\n]\",\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"3e3ee805-c983-480e-9c10-49a47be4ddc6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| distinct Status\\r\\n| sort by Status asc\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1c79577f-a4f2-4b2a-aaa7-fbcc5e27831d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Owner\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| where Status in ({Status})\\r\\n| project Owner=tostring(Owner.userPrincipalName)\\r\\n| sort by Owner asc\\r\\n| extend Owner = iff(isnotempty( Owner), Owner, \\\"Unassigned\\\")\\r\\n| distinct Owner\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 19 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let x =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where 
tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Labels = tostring(Labels)\\r\\n| extend InfobloxInsightID = extract(\\\"InfobloxInsightID: (.*?)\\\\\\\"\\\", 1, Labels)\\r\\n| join \\r\\n (InfobloxInsight\\r\\n | summarize arg_max(TimeGenerated, *) by InfobloxInsightID\\r\\n ) on InfobloxInsightID\\r\\n//sometimes duplicate TimeGenerated so grab LastSeen next\\r\\n| summarize arg_max(LastSeen, *) by IncidentNumber\\r\\n| project IncidentNumber, Severity, Priority, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID\\r\\n; \\r\\nlet incidents =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Alerts = extract(\\\"\\\\\\\\[(.*?)\\\\\\\\]\\\", 1, tostring(AlertIds))\\r\\n| mv-expand AlertIds to typeof(string)\\r\\n//----------------\\r\\n;\\r\\nlet alerts =\\r\\n SecurityAlert\\r\\n | extend AlertEntities = parse_json(Entities)\\r\\n //| extend InfobloxInsightID = tostring(AlertEntities.ObjectGuid)\\r\\n;\\r\\nincidents | join alerts on $left.AlertIds == $right.SystemAlertId\\r\\n//----------------------\\r\\n| summarize AlertCount=dcount(AlertIds) by IncidentNumber, IncidentID, Status, Title, Alerts, IncidentUrl, Owner=tostring(Owner.userPrincipalName) , RunPlaybook\\r\\n// -------------\\r\\n| join kind=inner (incidents | join alerts on $left.AlertIds == 
$right.SystemAlertId) on IncidentNumber\\r\\n| join kind=fullouter x on IncidentNumber\\r\\n| summarize arg_max(TimeGenerated,*) by (IncidentNumber)\\r\\n//| where Priority in ({SelectPriority}) or '{SelectPriority:label}' == \\\"All\\\"\\r\\n| where Status in ({Status}) or '{Status:label}' == \\\"All\\\"\\r\\n| project IncidentNumber, Severity, Priority, Title, Status, Owner, IncidentUrl, RunPlaybook, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID, IncidentID\\r\\n//| project-away IncidentID\\r\\n| order by toint(IncidentNumber) desc\\r\\n\",\"size\":0,\"title\":\"SOC Insight Incidents\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"InfobloxInsightID\",\"parameterName\":\"InfobloxInsightID\",\"parameterType\":1},{\"fieldName\":\"IncidentID\",\"parameterName\":\"IncidentID\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"Title\",\"parameterType\":1}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Informational\",\"representation\":\"Sev4\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Priority\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdV
alue\":\"INFO\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"LOW\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MEDIUM\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"HIGH\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"CRITICAL\",\"representation\":\"purple\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"New\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Active\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Owner\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}},{\"columnMatch\":\"RunPlaybook\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:label}/providers/Microsoft.SecurityInsights/incidents/{IncidentID}/runPlaybook?api-version=2019-01-01-preview\",\"body\":\"{\\r\\n \\\"LogicAppsResourceId\\\":\\\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.Logic/workflows/{PlaybookName:label}\\\",\\r\\n \\\"tenantId\\\":\\\"{TenantID}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify 
resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}},\"tooltipFormat\":{\"tooltip\":\"Run {PlaybookName} on this insight.\"}},{\"columnMatch\":\"EventsCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"NotBlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"BlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"InsightDataReady\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data for this insight, run the Infoblox-SOC-API-Get-Insight-Details playbook.\"}},{\"columnMatch\":\"isPopulated\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data about this Insight, run the Infoblox-SOC-API-Get-Insight-Details 
Playbook.\"}},{\"columnMatch\":\"Alerts\",\"formatter\":5},{\"columnMatch\":\"AlertCount\",\"formatter\":0,\"formatOptions\":{\"aggregation\":\"Sum\"}},{\"columnMatch\":\"Entities\",\"formatter\":1},{\"columnMatch\":\"alertCount\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"redBright\"}},{\"columnMatch\":\"count_AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"rowLimit\":500,\"filter\":true}},\"name\":\"IncidentDetailsView\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"46b4abc5-316b-4c75-89b7-5cf134d6dbb0\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Summary\",\"subTarget\":\"Summary\",\"style\":\"link\"},{\"id\":\"81661594-3591-4fe6-a67d-b69ae55abf67\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Assets\",\"subTarget\":\"Assets\",\"preText\":\"IPs\",\"style\":\"link\"},{\"id\":\"46ca603b-ead0-46bd-987d-1d157b2a763a\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators\",\"subTarget\":\"Indicators\",\"style\":\"link\"},{\"id\":\"f2ce2fdb-104a-447f-b42b-6d11931a09ff\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Events\",\"subTarget\":\"Events\",\"style\":\"link\"},{\"id\":\"03782b90-e744-4654-95c3-a1056cfe78f9\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Comments\",\"subTarget\":\"Comments\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"},\"name\":\"links - 16\",\"styleSettings\":{\"padding\":\"20px 0 20px 0\"}},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** above to view more information.\",\"style\":\"upsell\"},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 14\",\"styleSettings\":{\"padding\":\"10px 0 10px 
0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## {Title}\"},\"name\":\"text - 8\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"5c15d5ff-4108-4538-930b-201f4f8da870\",\"cellValue\":\"https://csp.infoblox.com/#/insights-console/insight/{InfobloxInsightID}/summary\",\"linkTarget\":\"Url\",\"linkLabel\":\"Redirect To Summary on CSP\",\"preText\":\"\",\"style\":\"link\"}]},\"name\":\"links - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(FirstSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend FirstSeen = strcat(tostring(FirstSeen), \\\" UTC\\\")\\r\\n| project FirstSeen\",\"size\":3,\"title\":\"First Seen\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"FirstSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"First Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(LastSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend LastSeen = strcat(tostring(LastSeen), \\\" UTC\\\")\\r\\n| project LastSeen\",\"size\":3,\"title\":\"Last Seen 
\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"LastSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Last Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(SpreadingDate)\\r\\n| extend format_datetime(todatetime(SpreadingDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend SpreadingDate = strcat(tostring(SpreadingDate), \\\" UTC\\\")\\r\\n| project SpreadingDate\",\"size\":3,\"title\":\"Spreading Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"SpreadingDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Spreading Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(PersistentDate)\\r\\n| extend format_datetime(todatetime(PersistentDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend PersistentDate = strcat(tostring(PersistentDate), \\\" UTC\\\")\\r\\n| project PersistentDate\",\"size\":3,\"title\":\"Persistent 
Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"PersistentDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Persistent Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(BlockedCount)\\r\\n| project BlockedCount\",\"size\":3,\"title\":\"Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"BlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(NotBlockedCount)\\r\\n| project NotBlockedCount\",\"size\":3,\"title\":\"Not Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"NotBlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Not Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(EventsCount)\\r\\n| project EventsCount\\r\\n\",\"size\":3,\"title\":\"Total Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventsCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"gray\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(SourceIP)\\r\\n| summarize count() by SourceIP\\r\\n| top 20 by count_ \\r\\n| project SourceIP);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\\r\\n\",\"size\":0,\"title\":\"Top 20 Compromised 
Assets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top Impacted IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count() by ThreatIndicator\\r\\n| top 20 by count_ \\r\\n| project ThreatIndicator);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, ThreatIndicator, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatIndicator\\r\\n\",\"size\":0,\"title\":\"Top 20 Indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top 20 Indicators\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = 
materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| summarize count() );\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"Events\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Summary\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Summary\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Assets\\r\\n---\\r\\nSee your protected assets/devices affected by this insight. 
**Install the Infoblox Endpoint client for more accurate data.**\"},\"name\":\"text - 6\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Asset** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"margin\":\"15px 0 15px 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['OS Version'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| project SourceIP, User, ['MAC Address'], ['OS Version'], DeviceName, Network,['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"IndicatorDistinctCount\",\"label\":\"Associated Indicators\"}]}},\"name\":\"Assets\",\"styleSettings\":{\"margin\":\"0 0 20px 
0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"gree
n\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"75\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 60px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ThreatIndicator, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| summarize Count = count() by ThreatIndicator\\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"25\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\" Indicators for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatLevel\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Level Trend for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"se
riesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"High\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Threat Level Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for 
{SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"blue\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| 
where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Events = count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"All Events for {SourceIP}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"All Events for {SourceIP}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Assets\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Assets\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Indicators\\r\\n---\\r\\nAn **Indicator** is a domain or IP address that is seen in the resolution chain of a query from a device.\\r\\n\\r\\n\"},\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| summarize count_distinct(ThreatIndicator) by 
InfobloxB1PolicyAction\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Blocked\",\"color\":\"green\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count_distinct(ThreatIndicator) by ThreatLevel\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"blue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Indicator** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"padding\":\"15px 0 15px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"5b2e1804-a9a6-4b86-8a6e-27fd0ab029b5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatLevelParam\",\"label\":\"Threat Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct 
ThreatLevel\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e36bc3c2-b85e-478c-968b-7faf79c21c49\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"InfobloxB1PolicyActionParam\",\"label\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct InfobloxB1PolicyAction\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AssetCount = (InfobloxInsightIndicators\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| join kind=inner\\r\\n(\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\\r\\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\\r\\n| where ThreatIndicator1 has_cs ThreatIndicator\\r\\n| summarize by SourceIP, ThreatIndicator\\r\\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\\r\\n\\r\\n\\r\\nInfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
where isnotempty(ThreatIndicator)\\r\\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| join\\r\\n (\\r\\n AssetCount\\r\\n ) on ThreatIndicator\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| extend URL = strcat(\\\"https://csp.infoblox.com/#/security_research/search/auto/\\\", ThreatIndicator, \\\"/summary\\\")\\r\\n| extend sort_order = case(\\r\\n ThreatLevel == \\\"High\\\", 5,\\r\\n ThreatLevel == \\\"Medium\\\", 4,\\r\\n ThreatLevel == \\\"Low\\\", 3,\\r\\n ThreatLevel == \\\"N/A\\\", 2,\\r\\n 1 // default case if ThreatLevel doesn't match any of the above\\r\\n)\\r\\n| order by sort_order, EventCount desc\\r\\n| project-away sort_order\\r\\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\\r\\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"ThreatIndicator\",\"exportParameterName\":\"ThreatIndicator\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Not 
Blocked\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Investigate in Dossier\"}},{\"columnMatch\":\"SourceIPDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"bluePurple\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"URL\",\"label\":\"Investigate in Dossier\"}]}},\"name\":\"Indicators\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Source OSVersion'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] 
= InfobloxB1DHCPFingerprint\\r\\n| summarize by SourceIP, User, ['MAC Address'], ['Source OSVersion'], DeviceName, Network, ['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets for {ThreatIndicator}\",\"noDataMessage\":\"Select an Indicator in the above chart to see details.\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Assets for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by SourceIP\\r\\n| top 500 by count_ \\r\\n);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, 
InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for {ThreatIndicator}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"createOtherGroup\":15}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Source IPs for 
{ThreatIndicator}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where Detected >= ago(30d)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['Date Time'] = TimeGenerated\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, User, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, ['MAC Address'], ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for 
{ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs 
'{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for {ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\
":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"gray\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"}]}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {ThreatIndicator}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Indicators\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Events\\r\\n---\\r\\nDNS security events associated with this insight.\\r\\n\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatLevel)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatLevel\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat 
Level\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Threat Level\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatClass)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatClass\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Classes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Classes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatProperty)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, 
ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatProperty\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Families\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceUserName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Users\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DeviceName)\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Names\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Names\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(SourceIP)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Source IPs\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Source IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1Network)\\r\\n| 
distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1Network\",\"size\":4,\"title\":\"Sources\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Sources\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyName)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyName\",\"size\":4,\"title\":\"Policies\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Policies\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= 
ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyAction\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Actions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"name\":\"Actions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DNSResponse)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DNSResponse\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"DNS 
Responses\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"DNS Responses\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceRegion)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceRegion\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Regions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Regions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceCountry)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, 
DeviceCountry\\r\\n| summarize Count = count() by DeviceCountry\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Countries\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Device Countries\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| project-rename ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, SourceMACAddress, ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected 
desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Events\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightComments\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
distinct CommentChanger, Comment, DateChanged, Status\\r\\n| order by DateChanged desc\\r\\n| project-rename ['Date Time'] = DateChanged, User = CommentChanger\\r\\n| project ['Date Time'], Status, User, Comment\",\"size\":0,\"title\":\"Comments\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"Comments\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Comments\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Comments\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 17\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"6\"},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This Config Insights depends on the **Infoblox-Config-Insights** and **InfoBlox-Config-Insight-Details** logic apps which are deployed with the Microsoft Sentinel Solution.\\r\\nPlease configure this logic apps first and keep it enabled in order to use this Config Insight Details Dashboard.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":1,\"content\":{\"json\":\"# Infoblox Config Insights\"},\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"## Steps to view Config Insights Details using this workbook\\r\\n- This workbook is intended to view the available config insights and view their details.\\r\\n- Select the **Resource Group** and **Subscription ID**.\\r\\n- Select TimeRange.\\r\\n- From the **Config Insights** panel, select any config Insight.\\r\\n- You will be able to see the config details of the selected Insight.\\r\\n- If there is message like **The query returned no results** on config details panel, 
then click on the **GET CONFIG INSIGHT DETAILS** link to get the Config Insight Details for that Config Insight.\\r\\n- This will execute the **InfoBlox-Config-Insight-Details** logic app in the background.\\r\\n- You can check the status of the playbook to identify the Config Insight Details status.\\r\\n- Click on the refresh button of the lookup panel until you get the Config Insight Details.\\r\\n\\r\\n\\r\\n**Note** : In cases where specific indicators may not have lookup information available in Infoblox, users are advised to refer to the Logic App status for further details.\\r\\n\",\"style\":\"upsell\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SubscriptionId\",\"label\":\"Subscription ID\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| distinct subscriptionId\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup1\",\"label\":\"Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| where subscriptionId == ('{SubscriptionId}')\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project 
resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"},{\"id\":\"f70e5d0e-2eff-4bca-9489-90ab64378887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}],\"allowCustom\":false},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, policyAnalyticsId_g:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insights_CL\\r\\n| summarize arg_max(TimeGenerated, *) by policyAnalyticsId_g\\r\\n| extend ConfigInsightDetails = \\\"GET CONFIG INSIGHT DETAILS\\\"\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'],\\r\\n['Policy Analytics ID'] = policyAnalyticsId_g,\\r\\n['Insight Type'] = column_ifexists(\\\"insightType_s\\\",\\\"\\\"),\\r\\n[\\\"Config Insight Details\\\"] = column_ifexists(\\\"ConfigInsightDetails\\\",\\\"\\\")\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Policy Analytics ID\",\"exportParameterName\":\"ConfigInsightId\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Config Insight 
Details\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{SubscriptionId}/resourceGroups/{SentinelResourceGroup1}/providers/Microsoft.Logic/workflows/InfoBlox-Config-Insight-Details/triggers/manual/run?api-version=2016-10-01\",\"body\":\"{\\r\\n \\\"config_insight_id\\\": \\\"{ConfigInsightId}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}}}],\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, analyticInsightId_g:string, feeds_s:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insight_Details_CL\\r\\n| where analyticInsightId_g == \\\"{ConfigInsightId}\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by analyticInsightId_g\\r\\n| extend ParsedJson = parse_json(feeds_s)\\r\\n| mv-expand ParsedJson\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], \\r\\n['Insight Type'] = insightType_s,\\r\\n['Rule Type'] = ParsedJson.ruleType, \\r\\n['Rule Name'] = ParsedJson.ruleName, \\r\\n['Feed Name'] = ParsedJson.feedName, \\r\\n['Current Action'] = ParsedJson.currentAction, \\r\\n['Recommended Action'] = ParsedJson.recommendedAction, \\r\\n['Status'] = ParsedJson.status\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights Detail for Config ID: 
{ConfigInsightId}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"ConfigInsightId\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"8\"},\"name\":\"group - 16\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Subscription}\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| 
mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\",\"label\":\"Time Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\" Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/n9beey85aP)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\\n---\\n\\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. 
[Video Demo](https://youtu.be/4Bet2oVODow)\\n\"},\"customWidth\":\"79\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"20\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Microsoft Sentinel Logo\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"18c690d7-7cbd-46c1-b677-1f72692d40cd\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Ingestion\",\"subTarget\":\"Indicators\",\"preText\":\"Alert rules\",\"style\":\"link\"},{\"id\":\"f88dcf47-af98-4684-9de3-1ee5f48f68fc\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Search\",\"subTarget\":\"Observed\",\"style\":\"link\"}]},\"name\":\"Tabs link\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\\r\\n| order by 
CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n 
iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked 
active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or 
isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, 
count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},\"name\":\"Indicators 
Ingestion\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Search Indicator in Events\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has 
\\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data 
Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor 
column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, 
Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these 
thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Pre attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated < now()\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], IndicatorId, ThreatType, Active, Tags, TrafficLightProtocolLevel, EmailSenderAddress, FileHashType, FileHashValue, DomainName, NetworkIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Indicator\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
6\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Observed\"},\"name\":\"Indicators Observed\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"7\"},\"name\":\"group - 7\"}],\"fromTemplateId\":\"sentinel-Infoblox | Infoblox Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
@@ -3257,7 +3257,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-SOCInsight-Detected-APISource_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "Infoblox-SOCInsight-Detected-APISource_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -3285,10 +3285,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "InfobloxSOCInsightsDataConnector_API",
"dataTypes": [
"InfobloxInsight"
- ],
- "connectorId": "InfobloxSOCInsightsDataConnector_API"
+ ]
}
],
"tactics": [
@@ -3300,15 +3300,16 @@
],
"entityMappings": [
{
+ "entityType": "SecurityGroup",
"fieldMappings": [
{
"columnName": "InfobloxInsightID",
"identifier": "ObjectGuid"
}
- ],
- "entityType": "SecurityGroup"
+ ]
},
{
+ "entityType": "Malware",
"fieldMappings": [
{
"columnName": "ThreatClass",
@@ -3318,30 +3319,29 @@
"columnName": "ThreatProperty",
"identifier": "Category"
}
- ],
- "entityType": "Malware"
+ ]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"customDetails": {
- "Status": "Status",
- "Severity": "Priority",
- "PersistentDate": "PersistentDate",
+ "UnblockedHits": "NotBlockedCount",
"BlockedHits": "BlockedCount",
+ "InfobloxInsightID": "[variables('_Infoblox_Insight_ID')]",
+ "Severity": "Priority",
"FirstSeen": "FirstSeen",
+ "TotalHits": "EventsCount",
"SpreadingDate": "SpreadingDate",
"LastSeen": "LastSeen",
"FeedSource": "FeedSource",
- "InfobloxInsightID": "[variables('_Infoblox_Insight_ID')]",
- "TotalHits": "EventsCount",
- "UnblockedHits": "NotBlockedCount"
+ "PersistentDate": "PersistentDate",
+ "Status": "Status"
},
"alertDetailsOverride": {
- "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}",
"alertSeverityColumnName": "IncidentSeverity",
- "alertDescriptionFormat": "Observed via API. {{ThreatFamily}}. Last Observation: {{LastSeen}}"
+ "alertDescriptionFormat": "Observed via API. {{ThreatFamily}}. Last Observation: {{LastSeen}}",
+ "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}"
},
"incidentConfiguration": {
"createIncident": true
@@ -3397,7 +3397,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-SOCInsight-Detected-CDCSource_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "Infoblox-SOCInsight-Detected-CDCSource_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -3425,16 +3425,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "InfobloxSOCInsightsDataConnector_Legacy",
"dataTypes": [
"CommonSecurityLog (InfobloxCDC_SOCInsights)"
- ],
- "connectorId": "InfobloxSOCInsightsDataConnector_Legacy"
+ ]
},
{
+ "connectorId": "InfobloxSOCInsightsDataConnector_AMA",
"dataTypes": [
"CommonSecurityLog (InfobloxCDC_SOCInsights)"
- ],
- "connectorId": "InfobloxSOCInsightsDataConnector_AMA"
+ ]
}
],
"tactics": [
@@ -3446,15 +3446,16 @@
],
"entityMappings": [
{
+ "entityType": "SecurityGroup",
"fieldMappings": [
{
"columnName": "InfobloxInsightID",
"identifier": "ObjectGuid"
}
- ],
- "entityType": "SecurityGroup"
+ ]
},
{
+ "entityType": "Malware",
"fieldMappings": [
{
"columnName": "ThreatClass",
@@ -3464,25 +3465,24 @@
"columnName": "ThreatProperty",
"identifier": "Category"
}
- ],
- "entityType": "Malware"
+ ]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"customDetails": {
- "Status": "Status",
- "UnblockedHits": "NotBlockedCount",
"BlockedHits": "BlockedCount",
+ "InfobloxInsightID": "[variables('_Infoblox_Insight_ID')]",
+ "Status": "Status",
"TotalHits": "EventsCount",
"FeedSource": "FeedSource",
- "InfobloxInsightID": "[variables('_Infoblox_Insight_ID')]"
+ "UnblockedHits": "NotBlockedCount"
},
"alertDetailsOverride": {
- "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}",
"alertSeverityColumnName": "IncidentSeverity",
- "alertDescriptionFormat": "Observed via CDC. {{ThreatFamily}}. {{Message}}"
+ "alertDescriptionFormat": "Observed via CDC. {{ThreatFamily}}. {{Message}}",
+ "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}"
},
"incidentConfiguration": {
"createIncident": true
@@ -3538,7 +3538,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InfobloxCDC_SOCInsights Data Parser with template version 3.0.0",
+ "description": "InfobloxCDC_SOCInsights Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -3666,7 +3666,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InfobloxInsight Data Parser with template version 3.0.0",
+ "description": "InfobloxInsight Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject2').parserVersion2]",
@@ -3794,7 +3794,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InfobloxInsightAssets Data Parser with template version 3.0.0",
+ "description": "InfobloxInsightAssets Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject3').parserVersion3]",
@@ -3922,7 +3922,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InfobloxInsightComments Data Parser with template version 3.0.0",
+ "description": "InfobloxInsightComments Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject4').parserVersion4]",
@@ -4050,7 +4050,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InfobloxInsightEvents Data Parser with template version 3.0.0",
+ "description": "InfobloxInsightEvents Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject5').parserVersion5]",
@@ -4178,7 +4178,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InfobloxInsightIndicators Data Parser with template version 3.0.0",
+ "description": "InfobloxInsightIndicators Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject6').parserVersion6]",
@@ -4306,7 +4306,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Block-Allow-IP-Domain Playbook with template version 3.0.0",
+ "description": "Infoblox-Block-Allow-IP-Domain Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@@ -5010,7 +5010,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Block-Allow-IP-Domain-Incident-Based Playbook with template version 3.0.0",
+ "description": "Infoblox-Block-Allow-IP-Domain-Incident-Based Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@@ -6055,7 +6055,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Config-Insight-Details Playbook with template version 3.0.0",
+ "description": "Infoblox-Config-Insight-Details Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@@ -6413,7 +6413,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Config-Insights Playbook with template version 3.0.0",
+ "description": "Infoblox-Config-Insights Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@@ -6873,7 +6873,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Data-Connector-Trigger-Sync Playbook with template version 3.0.0",
+ "description": "Infoblox-Data-Connector-Trigger-Sync Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion5')]",
@@ -7584,7 +7584,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-DHCP-Lookup Playbook with template version 3.0.0",
+ "description": "Infoblox-DHCP-Lookup Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion6')]",
@@ -8417,7 +8417,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Get-IP-Space-Data Playbook with template version 3.0.0",
+ "description": "Infoblox-Get-IP-Space-Data Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion7')]",
@@ -9313,7 +9313,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Get-Service-Name Playbook with template version 3.0.0",
+ "description": "Infoblox-Get-Service-Name Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion8')]",
@@ -9852,7 +9852,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-IPAM-Lookup Playbook with template version 3.0.0",
+ "description": "Infoblox-IPAM-Lookup Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion9')]",
@@ -11888,7 +11888,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-SOC-Get-Insight-Details Playbook with template version 3.0.0",
+ "description": "Infoblox-SOC-Get-Insight-Details Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion10')]",
@@ -12832,7 +12832,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-SOC-Get-Open-Insights-API Playbook with template version 3.0.0",
+ "description": "Infoblox-SOC-Get-Open-Insights-API Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion11')]",
@@ -13130,7 +13130,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-SOC-Import-Indicators-TI Playbook with template version 3.0.0",
+ "description": "Infoblox-SOC-Import-Indicators-TI Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion12')]",
@@ -13755,7 +13755,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-TIDE-Lookup Playbook with template version 3.0.0",
+ "description": "Infoblox-TIDE-Lookup Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion13')]",
@@ -14524,7 +14524,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-TIDE-Lookup-Via-Incident Playbook with template version 3.0.0",
+ "description": "Infoblox-TIDE-Lookup-Via-Incident Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion14')]",
@@ -15264,7 +15264,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-TIDE-Lookup-Comment-Enrichment Playbook with template version 3.0.0",
+ "description": "Infoblox-TIDE-Lookup-Comment-Enrichment Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion15')]",
@@ -16837,7 +16837,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-TimeRangeBased-DHCP-Lookup Playbook with template version 3.0.0",
+ "description": "Infoblox-TimeRangeBased-DHCP-Lookup Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion16')]",
@@ -17891,7 +17891,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Get-Host-Name Playbook with template version 3.0.0",
+ "description": "Infoblox-Get-Host-Name Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion17')]",
@@ -18431,7 +18431,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Infoblox",
diff --git a/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json b/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json
index 477109ffdd8..0bb70edba80 100644
--- a/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json
+++ b/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json
@@ -5540,7 +5540,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "let AssetCount = (InfobloxInsightIndicators\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| join kind=inner\r\n(\r\nInfobloxInsightEvents\r\n| where InfobloxInsightID == \"66b112e0-3187-4faa-9357-d229e98002ca\"\r\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\r\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\r\n| where ThreatIndicator1 has_cs ThreatIndicator\r\n| summarize by SourceIP, ThreatIndicator\r\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\r\n\r\n\r\nInfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where isnotempty(ThreatIndicator)\r\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \"All\"\r\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \"All\"\r\n| join\r\n (\r\n AssetCount\r\n ) on ThreatIndicator\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| extend URL = strcat(\"https://csp.infoblox.com/#/security_research/search/auto/\", ThreatIndicator, \"/summary\")\r\n| extend sort_order = case(\r\n ThreatLevel == \"High\", 5,\r\n ThreatLevel == \"Medium\", 4,\r\n ThreatLevel == \"Low\", 3,\r\n ThreatLevel == \"N/A\", 2,\r\n 1 // default case if ThreatLevel doesn't match any of the above\r\n)\r\n| order by sort_order, EventCount desc\r\n| project-away sort_order\r\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\r\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\r\n\r\n",
+ "query": "let AssetCount = (InfobloxInsightIndicators\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| join kind=inner\r\n(\r\nInfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\r\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\r\n| where ThreatIndicator1 has_cs ThreatIndicator\r\n| summarize by SourceIP, ThreatIndicator\r\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\r\n\r\n\r\nInfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where isnotempty(ThreatIndicator)\r\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \"All\"\r\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \"All\"\r\n| join\r\n (\r\n AssetCount\r\n ) on ThreatIndicator\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| extend URL = strcat(\"https://csp.infoblox.com/#/security_research/search/auto/\", ThreatIndicator, \"/summary\")\r\n| extend sort_order = case(\r\n ThreatLevel == \"High\", 5,\r\n ThreatLevel == \"Medium\", 4,\r\n ThreatLevel == \"Low\", 3,\r\n ThreatLevel == \"N/A\", 2,\r\n 1 // default case if ThreatLevel doesn't match any of the above\r\n)\r\n| order by sort_order, EventCount desc\r\n| project-away sort_order\r\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\r\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\r\n\r\n",
"size": 0,
"showAnalytics": true,
"timeContextFromParameter": "TimeRange",
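Review bot: Both `"{InfobloxInsightID}"` substitutions in the rewritten query (the `AssetCount` subquery and the outer `where`) are raw text interpolation inside a double-quoted KQL string literal, so the query is only well-formed if the parameter value can never contain `"` or `\`; the parameter definition is outside this hunk, so please confirm it is a drop-down bound to query results rather than free text, since Workbooks has no parameterized-query mechanism and a free-text value could rewrite the predicate (within the viewer's own Log Analytics permissions, so a correctness and analyst-misdirection concern rather than privilege escalation). Replacing the hard-coded sample insight `66b112e0-…` with the parameter looks like the right fix, but this diff only shows it in `Infoblox_Workbook.json`; the serialized workbook copy embedded in `mainTemplate.json` and the regenerated `3.0.1.zip` are not reviewable here, so it is worth grepping both for the old GUID before release. A short comment at the top of the query, `// InfobloxInsightID comes from the workbook parameter; the AssetCount subquery and the outer filter must both use it so the asset count matches the selected insight`, would make the two-place dependency explicit.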