diff --git a/Solutions/DataLatencyWorkbook/Latency_Workbook.json b/Solutions/DataLatencyWorkbook/Latency_Workbook.json new file mode 100644 index 00000000000..1b6dccc541c --- /dev/null +++ b/Solutions/DataLatencyWorkbook/Latency_Workbook.json 
@@ -0,0 +1,1073 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "a8d98716-5abc-414f-8fd1-de08f527b28e", + "version": "KqlParameterItem/1.0", + "name": "Time_Range", + "type": 4, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let unwanted_devices = dynamic (['{device1}','{device2}','{device3}','{device4}']);\r\nCommonSecurityLog\r\n| where DeviceVendor contains \"Fortinet\"\r\n| summarize LastReceivedTime = max(TimeGenerated) by Computer\r\n| where Computer !in~ (unwanted_devices)\r\n| extend TimeDifference_in_hours = (now() - LastReceivedTime) / 1hour\r\n| project Computer, LastReceivedTime, TimeDifference_in_hours\r\n| sort by TimeDifference_in_hours desc \r\n", + "size": 0, + "title": "Fortinet Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + 
"representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 5", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where TimeGenerated > ago(30d)\r\n| where DeviceVendor contains \"Sonicwall\"\r\n| summarize LastReceivedTime = max(TimeGenerated) by Computer\r\n| extend TimeDifference_in_hours = (now() - LastReceivedTime) / 1hour\r\n| project Computer, LastReceivedTime, TimeDifference_in_hours\r\n| sort by TimeDifference_in_hours desc ", + "size": 0, + "title": "Sonicwall Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": 
"lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 1", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor contains \"Trend Micro\"\r\n| summarize LastReceivedTime = max(TimeGenerated) by Computer\r\n| extend TimeDifference_hours = (now() - LastReceivedTime) / 1hour\r\n| project Computer, LastReceivedTime, TimeDifference_hours\r\n| sort by TimeDifference_hours desc ", + "size": 0, + "title": "TrendMicro Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where TimeGenerated > ago(30d)\r\n| where DeviceVendor contains \"Forcepoint\"\r\n| summarize LastReceivedTime = max(TimeGenerated) by Computer\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n| 
project Computer, LastReceivedTime, TimeDifference", + "size": 0, + "title": "Forcepoint Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 3", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let unwanted_devices = dynamic (['{device1}','{device2}','{device3}','{device4}']);\r\nCommonSecurityLog\r\n| where TimeGenerated > ago(30d)\r\n| where DeviceVendor contains \"Imperva Inc.\"\r\n| summarize LastReceivedTime = max(TimeGenerated) by Computer\r\n| where Computer !in~ (unwanted_devices)\r\n| extend TimeDifference_in_hours = (now() - LastReceivedTime) / 1hour\r\n| project Computer, LastReceivedTime, TimeDifference_in_hours\r\n| sort by TimeDifference_in_hours desc ", + "size": 0, + "title": "Imperva Inc Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + 
"thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "sourceColumn": "LastReceivedTime", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "redBright", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 4", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let unwanted_devices = dynamic (['{device1}','{device2}','{device3}','{device4}']);\r\nCommonSecurityLog\r\n| where DeviceVendor contains \"Cyber-Ark\"\r\n| summarize LastReceivedTime = max(TimeGenerated) by Computer\r\n| where Computer in~ (unwanted_devices)\r\n| extend TimeDifference_in_hours = (now() - LastReceivedTime) / 1hour\r\n| project Computer, LastReceivedTime, TimeDifference_in_hours\r\n| sort by TimeDifference_in_hours desc ", + "size": 0, + "title": "Cyberark Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + 
"thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 6", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where TimeGenerated > ago(30d)\r\n| where DeviceVendor contains \"JSonar\"\r\n| summarize LastReceivedTime = max(TimeGenerated) by Computer\r\n| extend TimeDifference_in_hours = (now() - LastReceivedTime) / 1hour\r\n| project Computer, LastReceivedTime, TimeDifference_in_hours\r\n| sort by TimeDifference_in_hours desc ", + "size": 0, + "title": "Jsonar Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 6 - Copy", + "styleSettings": { + "margin": "50", + 
"padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where TimeGenerated > ago(30d)\r\n| where DeviceVendor contains \"F5\"\r\n| summarize LastReceivedTime = max(TimeGenerated) by Computer\r\n| extend TimeDifference_in_hours = (now() - LastReceivedTime) / 1hour\r\n| project Computer, LastReceivedTime, TimeDifference_in_hours\r\n| sort by TimeDifference_in_hours desc ", + "size": 0, + "title": "F5 Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 6 - Copy - Copy", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "F5Telemetry_LTM_CL\r\n| where TimeGenerated > ago(30d)\r\n| summarize LastReceivedTime = max(TimeGenerated) by hostname_s\r\n| where hostname_s != ''\r\n| extend TimeDifference_in_hours = (now() - LastReceivedTime) / 1hour\r\n| project hostname_s, LastReceivedTime, TimeDifference_in_hours\r\n| sort by TimeDifference_in_hours desc ", + "size": 0, 
+ "title": "F5 LTM Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "hostname_s", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 6 - Copy - Copy - Copy", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "F5Telemetry_ASM_CL\r\n| where TimeGenerated > ago(30d)\r\n| summarize LastReceivedTime = max(TimeGenerated) by hostname_s\r\n| where hostname_s != ''\r\n| extend TimeDifference_in_hours = (now() - LastReceivedTime) / 1hour\r\n| project hostname_s, LastReceivedTime, TimeDifference_in_hours\r\n| sort by TimeDifference_in_hours desc ", + "size": 0, + "title": "F5 ASM Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "hostname_s", + 
"formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 6 - Copy - Copy - Copy - Copy", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "OfficeActivity\r\n| summarize LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n| union (\r\nAWSCloudTrail\r\n| summarize LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n)\r\n| union (\r\nNetskope_CL\r\n| summarize LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n)\r\n| union ( \r\nAWSCloudWatch\r\n| summarize LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n)\r\n| union ( \r\nAzureActivity\r\n| summarize LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n)\r\n| union 
(\r\nTrendMicro_XDR_Health_Check_CL\r\n| summarize LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n)\r\n| union (\r\nTrendMicro_XDR_OAT_CL\r\n| summarize LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n)\r\n| union (\r\nTrendMicro_XDR_OAT_Health_Check_CL\r\n| summarize LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n)\r\n| union (\r\nTrendMicro_XDR_WORKBENCH_CL\r\n| summarize LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n)\r\n| sort by TimeDifference desc ", + "size": 0, + "title": "Data Sources Latency", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Type", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "name": "Data Sources Latency" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let heartbeatCount = (\r\n Heartbeat\r\n | where (TimeGenerated > ago(1d))\r\n | where ResourceProvider == 'Microsoft.HybridCompute' and ResourceType == 'machines'\r\n | where Category == \"Azure Monitor Agent\"\r\n | summarize 
arg_max(TimeGenerated, *) by Computer\r\n | summarize LastHeartbeat = max(TimeGenerated) by Computer\r\n | extend State = iff(LastHeartbeat < ago(30m), 'Unhealthy', 'Healthy')\r\n | summarize Count = dcount(Computer) by State);\r\ndatatable(State: string, Rank: int)[\"Unhealthy\", 0, \"Healthy\", 1]\r\n| join kind = leftouter heartbeatCount on State\r\n| extend Count = iff(isempty(State1), 0, Count)\r\n| project-away State1\r\n| extend Rank = iff(State == 'Unhealthy' and Count == 0, 2, Rank)\r\n| order by Rank asc\r\n| project-reorder State, Count", + "size": 0, + "title": "Agents Health Snapshot", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "Healthy", + "color": "green" + }, + { + "seriesName": "Unhealthy", + "color": "redBright" + } + ] + } + }, + "customWidth": "30", + "name": "query - 11", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "30" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": " Heartbeat\r\n | where (TimeGenerated > ago(1d))\r\n | where ResourceProvider == 'Microsoft.HybridCompute' and ResourceType == 'machines'\r\n | where Category == \"Azure Monitor Agent\"\r\n | summarize arg_max(TimeGenerated, *) by Computer\r\n | summarize LastHeartbeat = max(TimeGenerated) by Computer, OSType\r\n | extend Server_State = iff(LastHeartbeat < ago(30m), 'Unhealthy', 'Healthy') // and iff(x == 1,'Unhealthy', 'Healthy')\r\n | join ARCLatency on $left.Computer == $right. 
Computer \r\n | project-away Computer1, LastReceivedTime\r\n | project Computer, OSType, Server_State, LastHeartbeat, TimeDifference\r\n | extend Time_Diff_in_Mins = toint(TimeDifference)\r\n | project-away TimeDifference\r\n | sort by Time_Diff_in_Mins desc", + "size": 0, + "title": "Azure ARC enabled server details", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Server_State", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Healthy", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Unhealthy", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Time_Diff_in_Mins", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": ">=", + "thresholdValue": "60", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "20", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "5", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "70", + "name": "query - 10", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "70", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Heartbeat\r\n | where (TimeGenerated > ago(7d))\r\n | where ResourceProvider == 'Microsoft.HybridCompute' and ResourceType == 'machines'\r\n | where Category == \"Azure Monitor Agent\"\r\n | summarize by Computer, OSType, OSName\r\n | join kind=innerunique 
SecurityEvent on $left.Computer == $right. Computer\r\n | where TimeGenerated >= ago(30d)\r\n | extend Day = bin(TimeGenerated,1d)\r\n | extend Quantity = _BilledSize\r\n | project Quantity,TimeGenerated,Computer,Day\r\n | sort by TimeGenerated asc\r\n | summarize EventCount = sum(Quantity) by Computer, Day\r\n | extend GB = EventCount/1073741824\r\n | extend MB = GB * 1024\r\n | project Day, Computer, EventCount, MB\r\n | sort by Day desc\r\n | union (Heartbeat\r\n | where (TimeGenerated > ago(7d))\r\n | where ResourceProvider == 'Microsoft.HybridCompute' and ResourceType == 'machines'\r\n | where Category == \"Azure Monitor Agent\"\r\n | summarize by Computer, OSType, OSName\r\n | where OSType contains \"linux\"\r\n | join kind=innerunique Syslog on $left.Computer==$right.Computer\r\n | where TimeGenerated >= ago(30d)\r\n | extend Day = bin(TimeGenerated,1d)\r\n | extend Quantity = _BilledSize\r\n | project Quantity,TimeGenerated,Computer,Day\r\n | sort by TimeGenerated asc\r\n | summarize EventCount = sum(Quantity) by Computer, Day\r\n | extend GB = EventCount/1073741824\r\n | extend MB = GB * 1024\r\n | project Day, Computer, EventCount, MB\r\n | sort by Day desc\r\n )\r\n | sort by Day, Computer desc \r\n | project-away EventCount", + "size": 0, + "title": "Azure ARC servers ingestion trend over 7 days", + "timeContext": { + "durationMs": 604800000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "unstackedbar" + }, + "name": "query - 12" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let windows=(_GetWatchlist('{Watchlist_Name}')| project Hostname); \r\nSecurityEvent \r\n| summarize Last_Received_time = max(TimeGenerated) by Computer\r\n| union ( Windowslogs\r\n| summarize Last_Received_time = max(TimeGenerated) by Computer\r\n)\r\n| distinct Computer, Last_Received_time\r\n| where Computer !contains \"PINENOIL\"\r\n| where Computer in (windows)\r\n| extend Reporting_Computer 
= Computer\r\n| extend TimeDifference = ( now() - Last_Received_time) / 1hour\r\n| project-away Computer\r\n| sort by TimeDifference desc\r\n| project Reporting_Computer, Last_Received_time, TimeDifference", + "size": 0, + "title": "Windows Devices", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": ">=", + "thresholdValue": "60", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "30", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "10", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "name": "query - 13" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let Linux=(_GetWatchlist('{Watchlist_Name}')| project Hostname); \r\nSyslog\r\n| summarize Last_Received_time = max(TimeGenerated) by Computer\r\n| distinct Computer, Last_Received_time\r\n| where Computer !contains \"PINENOIL\"\r\n| where Computer in (Linux)\r\n| extend Reporting_Computer = Computer\r\n| extend TimeDifference = ( now() - Last_Received_time) / 1hour\r\n| project-away Computer\r\n| sort by TimeDifference desc\r\n| project Reporting_Computer, Last_Received_time, TimeDifference", + "size": 0, + "title": "Linux Devices", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": ">=", + "thresholdValue": "60", + "representation": "redBright", + 
"text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "30", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "10", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "name": "query - 13 - Copy" + } + ], + "fallbackResourceIds": [ + "/subscriptions/{subscriptionID}/resourcegroups/{resourcegroup}/providers/microsoft.operationalinsights/workspaces/{workspacename}" + ], + "fromTemplateId": "", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" + }
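Review bot: The Cyberark Lastseen tile filters with `| where Computer in~ (unwanted_devices)`, the opposite of the `!in~` used by the Fortinet and Imperva tiles, so it lists only the excluded devices and hides every other Cyber-Ark sender; it should read `| where Computer !in~ (unwanted_devices)`. The Windows Devices and Linux Devices tiles carry a hard-coded `| where Computer !contains "PINENOIL"` exclusion, which looks like an environment-specific hostname left in a shipped template and silently drops matching hosts from latency monitoring; it should be removed or replaced with a placeholder like the `{device1}` entries. The "Azure ARC enabled server details" query joins on `ARCLatency`, which is not defined anywhere in this workbook and appears to depend on a saved workspace function the solution does not ship, so that dependency should be documented or the function inlined. Several tiles also pin `| where TimeGenerated > ago(30d)` (and the agent-health tiles `ago(1d)` / `ago(30m)`) while binding `timeContextFromParameter` to `Time_Range`, so the selected range applies inconsistently across tiles; the `query - 6 - Copy - Copy - Copy` style names should be replaced with descriptive ones.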