diff --git a/Solutions/UserAnalyticsWorkbook/Workbook/UserAnalyticsWorkbook.json b/Solutions/UserAnalyticsWorkbook/Workbook/UserAnalyticsWorkbook.json new file mode 100644 index 00000000000..5c1e78d528e --- /dev/null +++ b/Solutions/UserAnalyticsWorkbook/Workbook/UserAnalyticsWorkbook.json @@ -0,0 +1,556 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "## User Analytics and Discovery" + }, + "name": "text - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "IdentityInfo \n| extend UserPrincipalName = AccountUPN\n| extend UserDisplayName = AccountDisplayName\n| summarize by UserDisplayName,UserPrincipalName\n| sort by UserDisplayName asc", + "size": 0, + "title": "Select User", + "timeContext": { + "durationMs": 2592000000 + }, + "exportMultipleValues": true, + "exportedParameters": [ + { + "fieldName": "UserPrincipalName", + "parameterName": "UserPrincipalName", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Identity", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + }, + "tooltipFormat": {} + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nIdentityInfo\r\n| where TimeGenerated >= ago(90d)\r\n| extend UserPrincipalName = AccountUPN\r\n| extend UserDisplayName = AccountDisplayName\r\n| where UserPrincipalName contains UserPrincipalName_\r\n| project-away Department,EmployeeId,JobTitle,MailAddress,Manager,CompanyName,Phone,IsAccountEnabled,SourceSystem,TenantId,\t\r\nAccountName,BlastRadius,RiskState,RiskLevelDetails,AccountDomain,AccountSID,TimeGenerated,AccountUPN,AccountObjectId,AccountTenantId,GivenName,Surname,OnPremisesAccountObjectId,OnPremisesExtensionAttributes,Tags,AccountCreationTime,InvestigationPriority,OnPremisesDistinguishedName,InvestigationPriorityPercentile,RiskLevel,AdditionalMailAddresses,AssignedRoles,StreetAddress,City,Country,State,IsServiceAccount,DeletedDateTime,RelatedAccounts,LastSeenDate,UACFlags,UserState,AccountDisplayName,UserAccountControl,EntityRiskScore,ServicePrincipals,Applications,UserStateChangedOn,UserType,ExtensionProperty,IsMFARegistered,AccountCloudSID,Type,UserPrincipalName,ChangeSource\r\n| project GroupMembership,UserDisplayName\r\n| take 1\r\n", + "size": 0, + "title": "User Group Membership", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "sortBy": [], + "tileSettings": { + "showBorder": false + } + }, + "customWidth": "50", + "name": "query - 14", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nIdentityInfo\r\n| where TimeGenerated >= ago(90d)\r\n| extend UserPrincipalName = AccountUPN\r\n| extend UserDisplayName = AccountDisplayName\r\n| where UserPrincipalName contains UserPrincipalName_\r\n| project UserDisplayName,Department,EmployeeId,JobTitle,MailAddress,Manager,CompanyName,Phone,IsAccountEnabled,SourceSystem,TimeGenerated\r\n| summarize by TimeGenerated,UserDisplayName,Department,EmployeeId,JobTitle,MailAddress,Manager,CompanyName,Phone,IsAccountEnabled,SourceSystem\r\n| take 1", + "size": 4, + "title": "User Details", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "30", + "name": "query - 13", + "styleSettings": { + "maxWidth": "30" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nSigninLogs\r\n| where TimeGenerated >= ago(90d)\r\n| where UserPrincipalName contains UserPrincipalName_\r\n| extend DeviceBrowser = tostring(DeviceDetail.browser)\r\n| extend DeviceId = tostring(DeviceDetail.deviceId)\r\n| extend DeviceDisplayName = tostring(DeviceDetail.displayName)\r\n| extend DeviceOperatingSystem = tostring(DeviceDetail.operatingSystem)\r\n| extend DeviceTrustType = tostring(DeviceDetail.trustType)\r\n| extend DeviceIsManaged = tostring(DeviceDetail.isManaged)\r\n| extend City = tostring(LocationDetails.city)\r\n| extend CountryOrRegion = tostring(LocationDetails.countryOrRegion)\r\n| extend State = tostring(LocationDetails.state)\r\n| extend StatusAdditionalDetails = tostring(Status.additionalDetails)\r\n| extend StatusFailureReason = tostring(Status.failureReason)\r\n| project TimeGenerated,OperationName,UserDisplayName,UserPrincipalName,IPAddress,UserType,UserId,AuthenticationRequirement,AppDisplayName,AppId, ClientAppUsed, Location, RiskDetail,RiskState,IsRisky,RiskLevelDuringSignIn,DeviceDisplayName,DeviceBrowser,DeviceId,DeviceOperatingSystem,DeviceTrustType,City,State,StatusAdditionalDetails,StatusFailureReason,AutonomousSystemNumber,CrossTenantAccessType\r\n| summarize by UserDisplayName,RiskDetail,RiskState,IsRisky,RiskLevelDuringSignIn\r\n//| project-away TimeGenerated,OperationName,UserPrincipalName,IPAddress,UserType,UserId,AuthenticationRequirement,AppDisplayName,AppId, ClientAppUsed, Location,DeviceDisplayName,DeviceBrowser,DeviceId,DeviceOperatingSystem,DeviceTrustType,City,State,StatusAdditionalDetails,StatusFailureReason,AutonomousSystemNumber,CrossTenantAccessType", + "size": 4, + "title": "User Risky Details", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "30", + "name": "query - 10", + "styleSettings": { + "margin": "50", + "maxWidth": "30" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nSigninLogs\r\n| where TimeGenerated >= ago(1d)\r\n| where UserPrincipalName contains UserPrincipalName_\r\n| extend DeviceBrowser = tostring(DeviceDetail.browser)\r\n| extend DeviceId = tostring(DeviceDetail.deviceId)\r\n| extend DeviceDisplayName = tostring(DeviceDetail.displayName)\r\n| extend DeviceOperatingSystem = tostring(DeviceDetail.operatingSystem)\r\n| extend DeviceTrustType = tostring(DeviceDetail.trustType)\r\n| extend DeviceIsManaged = tostring(DeviceDetail.isManaged)\r\n| extend City = tostring(LocationDetails.city)\r\n| extend CountryOrRegion = tostring(LocationDetails.countryOrRegion)\r\n| extend State = tostring(LocationDetails.state)\r\n| extend StatusAdditionalDetails = tostring(Status.additionalDetails)\r\n| extend StatusFailureReason = tostring(Status.failureReason)\r\n| project TimeGenerated,OperationName,UserDisplayName,UserPrincipalName,IPAddress,UserType,UserId,AuthenticationRequirement,AppDisplayName,AppId, ClientAppUsed, Location, RiskDetail,RiskState,IsRisky,RiskLevelDuringSignIn,DeviceDisplayName,DeviceBrowser,DeviceId,DeviceOperatingSystem,DeviceTrustType,City,State,StatusAdditionalDetails,StatusFailureReason,AutonomousSystemNumber,CrossTenantAccessType\r\n| summarize by UserDisplayName,DeviceDisplayName,DeviceId,DeviceTrustType\r\n//| project-away TimeGenerated,OperationName,UserPrincipalName,IPAddress,UserType,UserId,AuthenticationRequirement,AppDisplayName,AppId, ClientAppUsed, Location,DeviceDisplayName,DeviceBrowser,DeviceId,DeviceOperatingSystem,DeviceTrustType,City,State,StatusAdditionalDetails,StatusFailureReason,AutonomousSystemNumber,CrossTenantAccessType,DeviceDisplayName,DeviceOperatingSystem", + "size": 4, + "title": "User Sign In - Device Details", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "40", + "name": "query - 11", + "styleSettings": { + "maxWidth": "40" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nAuditLogs\r\n| where TimeGenerated > ago(30d)\r\n| where ActivityDisplayName == \"Add member to role\"\r\n| where Identity ==\"Microsoft Office 365 Portal\"\r\n| extend Initiator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n| extend TargetResource = tostring(TargetResources[0].userPrincipalName)\r\n| where TargetResource contains tostring(UserPrincipalName_)\r\n| extend RoleAssigned = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))\r\n| extend RoleAssigned1 = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[2].oldValue)))\r\n| project TimeGenerated , OperationName, Identity , TargetResource , Initiator , UserPrincipalName_ , RoleAssigned , RoleAssigned1 \r\n", + "size": 4, + "showAnalytics": true, + "title": "Recent Roles Assigned to User", + "noDataMessage": "No Results for Selected User", + "noDataMessageStyle": 3, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "UserPrincipal", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nSigninLogs\r\n| where TimeGenerated >= ago(24h)\r\n| where UserPrincipalName contains UserPrincipalName_\r\n| extend DeviceBrowser = tostring(DeviceDetail.browser)\r\n| extend DeviceId = tostring(DeviceDetail.deviceId)\r\n| extend DeviceDisplayName = tostring(DeviceDetail.displayName)\r\n| extend DeviceOperatingSystem = tostring(DeviceDetail.operatingSystem)\r\n| extend DeviceTrustType = tostring(DeviceDetail.trustType)\r\n| extend DeviceIsManaged = tostring(DeviceDetail.isManaged)\r\n| extend City = tostring(LocationDetails.city)\r\n| extend CountryOrRegion = tostring(LocationDetails.countryOrRegion)\r\n| extend State = tostring(LocationDetails.state)\r\n| extend StatusAdditionalDetails = tostring(Status.additionalDetails)\r\n| extend StatusFailureReason = tostring(Status.failureReason)\r\n| project TimeGenerated,OperationName,UserDisplayName,UserPrincipalName,IPAddress,UserType,UserId,AuthenticationRequirement,AppDisplayName,AppId, ClientAppUsed, Location, RiskDetail,RiskState,IsRisky,RiskLevelDuringSignIn,DeviceDisplayName,DeviceBrowser,DeviceId,DeviceOperatingSystem,DeviceTrustType,City,State,StatusAdditionalDetails,StatusFailureReason,AutonomousSystemNumber,CrossTenantAccessType\r\n//| summarize by UserDisplayName,UserPrincipalName\r\n| project-away UserPrincipalName,RiskDetail,RiskState,IsRisky,RiskLevelDuringSignIn,DeviceDisplayName,DeviceBrowser,DeviceId,DeviceOperatingSystem,DeviceTrustType,CrossTenantAccessType,AutonomousSystemNumber,AppId,AuthenticationRequirement,UserId", + "size": 1, + "title": "User Sign In Activity", + "noDataMessage": "No Results for Selected User", + "noDataMessageStyle": 3, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "StatusFailureReason", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "contains", + "thresholdValue": "Device Authentication Required ", + "representation": "4", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Strong Authentication is required.", + "representation": "2", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Access has been blocked due to conditional access policies.", + "representation": "1", + "text": "{0}{1}" + }, + { + "operator": "contains", + "thresholdValue": "Flow token expired", + "representation": "1", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Unknown", + "text": "{0}{1}" + } + ] + } + } + ], + "sortBy": [ + { + "itemKey": "OperationName", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "OperationName", + "sortOrder": 2 + } + ] + }, + "name": "query - 9" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nBehaviorAnalytics\r\n//search 'UserPrincipalName_'\r\n| where TimeGenerated >= ago(1d)\r\n| where UserPrincipalName contains UserPrincipalName_\r\n| extend AccountDomain_ = tostring(UsersInsights.AccountDomain)\r\n| extend AccountObjectID_ = tostring(UsersInsights.AccountObjectID)\r\n| extend OnPremisesSID_ = tostring(UsersInsights.OnPremisesSID)\r\n| extend App_ = tostring(ActivityInsights.App)\r\n| extend CountryUncommonlyConnectedFromInTenant_ = tostring(ActivityInsights.CountryUncommonlyConnectedFromInTenant)\r\n| extend FirstTimeDeviceObservedInTenant_ = tostring(ActivityInsights.FirstTimeDeviceObservedInTenant)\r\n| extend FirstTimeUserAccessedResource_ = tostring(ActivityInsights.FirstTimeUserAccessedResource)\r\n| extend FirstTimeUserConnectedFromCountry_ = tostring(ActivityInsights.FirstTimeUserConnectedFromCountry)\r\n| extend FirstTimeUserUsedApp_ = tostring(ActivityInsights.FirstTimeUserUsedApp)\r\n| extend Resource_ = tostring(ActivityInsights.Resource)\r\n| project TimeGenerated,ActivityType,ActionType,UserName,SourceIPAddress,SourceIPLocation,SourceDevice,AccountDomain_,AccountObjectID_,OnPremisesSID_ ,App_,Resource_,InvestigationPriority\r\n//AppIdUncommonlyAccessedInTenant_,CountryUncommonlyConnectedFromInTenant_,FirstTimeDeviceObservedInTenant_,FirstTimeUserAccessedResource_ ,FirstTimeUserConnectedFromCountry_,FirstTimeUserUsedApp_,", + "size": 0, + "title": "User Behaviour Analysis", + "noDataMessage": "No Results for Selected User", + "noDataMessageStyle": 3, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "ActivityType", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "FailedLogOn", + "representation": "Sev0", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ActionType", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Device Authentication Required", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Flow token expired - Authentication Failed", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Sign-in", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Access has been blocked due to conditional access policies", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "User did not pass the MFA challenge", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "User did not pass the MFA challenge (non interactive)", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": null, + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "InvestigationPriority", + "formatter": 8, + "formatOptions": { + "palette": "greenRed" + } + } + ], + "sortBy": [ + { + "itemKey": "$gen_thresholds_ActionType_2", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "$gen_thresholds_ActionType_2", + "sortOrder": 1 + } + ] + }, + "name": "query - 12" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nSigninLogs\r\n| where TimeGenerated > ago(30d) \r\n| where UserPrincipalName contains tostring(UserPrincipalName_)\r\n| extend City = tostring(LocationDetails.city)\r\n| extend Country = tostring(LocationDetails.countryOrRegion)\r\n| extend State = tostring(LocationDetails.state)\r\n| summarize arg_max(TimeGenerated, SourceSystem ,City,Country,State, AppDisplayName,IPAddress,ConditionalAccessStatus, DeviceDetail,UserType) by Identity\r\n\r\n", + "size": 4, + "title": "User Recent Log In Details", + "noDataMessage": "No data for selected user", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "query - 8" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nIdentityInfo \r\n| where AccountUPN contains UserPrincipalName_\r\n| extend Role1 = tostring(AssignedRoles[0])\r\n| extend Role2= tostring(AssignedRoles[1])\r\n| extend Role3 = tostring(AssignedRoles[2])\r\n| extend Role4 = tostring(AssignedRoles[3])\r\n| extend Role5= tostring(AssignedRoles[4])\r\n| extend Role6 = tostring(AssignedRoles[5])\r\n| extend Role7 = tostring(AssignedRoles[6])\r\n| summarize arg_max ( AccountUPN , Role1, Role2 , Role3 , Role4 ,Role5 , Role6 , Role7 , AssignedRoles) by AccountName", + "size": 0, + "showAnalytics": true, + "title": "Active Directory Roles Assigned to User", + "noDataMessage": "No Information for User", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "AccountUPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "turquoise", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nIdentityInfo \r\n| where TimeGenerated> ago(30d)\r\n| where AccountUPN contains UserPrincipalName_\r\n| extend Group1 = tostring(GroupMembership[0])\r\n| extend Group2= tostring(GroupMembership[1])\r\n| extend Group3 = tostring(GroupMembership[2])\r\n| extend Group4 = tostring(GroupMembership[3])\r\n| extend Group5 = tostring(GroupMembership[4])\r\n| extend Group6 = tostring(GroupMembership[5])\r\n| summarize arg_max(AccountUPN, Group1, Group2, Group3, Group4, Group5 , Group6 ) by AccountName", + "size": 0, + "title": "User Group Info", + "noDataMessage": "No data Available for User", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "AccountUPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "representation": "turquoise", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "turquoise", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nIntuneDevices\r\n| where TimeGenerated> ago(30d)\r\n| where isnotempty(UPN)\r\n| where UPN contains UserPrincipalName_\r\n| summarize arg_max(OperationName , UPN , LastContact , OSVersion ,OS, SerialNumber, CompliantState ,Ownership, ManagedBy ,Model, Manufacturer , DeviceState , IMEI , JoinType, WifiMacAddress) by DeviceName", + "size": 0, + "title": "User Device ", + "noDataMessage": "No results for Selected User", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 8640000000, + "endTime": "2023-01-09T10:17:00.000Z" + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "turquoise", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nIdentityInfo\r\n| where TimeGenerated> ago(30d)\r\n| where AccountUPN contains UserPrincipalName_\r\n| where isnotempty(RiskLevel)\r\n| where RiskLevel <> \"None\"\r\n| summarize arg_max(RiskState, RiskLevel) by AccountDisplayName ", + "size": 0, + "title": "Risk State of User", + "noDataMessage": "No Results for Selected User", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "query - 7", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nSecurityIncident\r\n| where TimeGenerated> ago(30d)\r\n| extend SystemAlertId = tostring(AlertIds[0])\r\n| extend AssignedTo_ = tostring(Owner.assignedTo)\r\n| summarize arg_max(TimeGenerated , *) by IncidentNumber\r\n| join SecurityAlert on SystemAlertId\r\n| extend EntityName = tostring(parse_json(Entities)[1].DisplayName)\r\n| where EntityName contains UserPrincipalName_\r\n| project TimeGenerated ,IncidentNumber,Severity, Title , Description ,AssignedTo_, EntityName, IncidentUrl", + "size": 0, + "showAnalytics": true, + "title": "Recent Incident Related to User", + "noDataMessage": "No Results for Selected User", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 2592000000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "gray", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url" + } + } + ], + "filter": true + } + }, + "name": "query - 3" + } + ], + "fallbackResourceIds": [ + "/subscriptions/{subscriptionID}/resourcegroups/{resourcegroup}/providers/microsoft.operationalinsights/workspaces/{workspaceName}" + ], + "fromTemplateId": "", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +}