diff --git a/Solutions/SOC Handbook/Data/Solution_SOC Handbook.json b/Solutions/SOC Handbook/Data/Solution_SOC Handbook.json
index a256a11a819..76d3ecf480f 100644
--- a/Solutions/SOC Handbook/Data/Solution_SOC Handbook.json
+++ b/Solutions/SOC Handbook/Data/Solution_SOC Handbook.json
@@ -20,7 +20,7 @@
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\azure-sentinel\\Solutions\\SOC Handbook",
- "Version": "3.0.2",
+ "Version": "3.0.5",
 "TemplateSpec": true,
 "Is1PConnector": false
 }
\ No newline at end of file
diff --git a/Solutions/SOC Handbook/Package/3.0.5.zip b/Solutions/SOC Handbook/Package/3.0.5.zip
new file mode 100644
index 00000000000..d2e135e1cea
Binary files /dev/null and b/Solutions/SOC Handbook/Package/3.0.5.zip differ
diff --git a/Solutions/SOC Handbook/Package/mainTemplate.json b/Solutions/SOC Handbook/Package/mainTemplate.json
index 79446f0322b..861dddad2a9 100644
--- a/Solutions/SOC Handbook/Package/mainTemplate.json
+++ b/Solutions/SOC Handbook/Package/mainTemplate.json
@@ -135,7 +135,7 @@
 },
 "variables": {
 "_solutionName": "SOC Handbook",
- "_solutionVersion": "3.0.4",
+ "_solutionVersion": "3.0.5",
 "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-sochandbook",
 "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.2.0",
@@ -199,7 +199,7 @@
 "workbookTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId10'))))]",
 "_workbookContentId10": "[variables('workbookContentId10')]",
 "_workbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId10'),'-', variables('workbookVersion10'))))]",
- "workbookVersion11": "1.5.1",
+ "workbookVersion11": "1.5.2",
 "workbookContentId11": "SecurityOperationsEfficiency",
 "workbookId11": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId11'))]",
 "workbookTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId11'))))]",
@@ -229,7 +229,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AnalyticsEfficiency Workbook with template version 3.0.4",
+ "description": "AnalyticsEfficiency Workbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -315,7 +315,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AnomaliesVisualization Workbook with template version 3.0.4",
+ "description": "AnomaliesVisualization Workbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion2')]",
@@ -397,7 +397,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AnomalyData Workbook with template version 3.0.4",
+ "description": "AnomalyData Workbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion3')]",
@@ -479,7 +479,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AttackSurfaceReduction Workbook with template version 3.0.4",
+ "description": "AttackSurfaceReduction Workbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion4')]",
@@ -565,7 +565,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AzureSentinelCost Workbook with template version 3.0.4",
+ "description": "AzureSentinelCost Workbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion5')]",
@@ -647,7 +647,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AzureSentinelSecurityAlerts Workbook with template version 3.0.4",
+ "description": "AzureSentinelSecurityAlerts Workbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion6')]",
@@ -729,7 +729,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IncidentOverview Workbook with template version 3.0.4",
+ "description": "IncidentOverview Workbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion7')]",
@@ -815,7 +815,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IntsightsIOCWorkbook Workbook with template version 3.0.4",
+ "description": "IntsightsIOCWorkbook Workbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion8')]",
@@ -905,7 +905,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "InvestigationInsights Workbook with template version 3.0.4",
+ "description": "InvestigationInsights Workbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion9')]",
@@ -1039,7 +1039,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MITREAttack Workbook with template version 3.0.4",
+ "description": "MITREAttack Workbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion10')]",
@@ -1121,7 +1121,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SecurityOperationsEfficiency Workbook with template version 3.0.4",
+ "description": "SecurityOperationsEfficiency Workbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion11')]",
@@ -1139,7 +1139,7 @@ }, "properties": { "displayName": "[parameters('workbook11-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Security Operations Efficiency\"},\"customWidth\":\"35\",\"name\":\"Main headline\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"688dc7cb-bea3-41ae-ae94-32d22e09568c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultWorkspace\",\"type\":5,\"isRequired\":true,\"value\":\"value::1\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"additionalResourceOptions\":[\"value::1\"]}},{\"id\":\"c11b5651-cf86-4865-b23d-9ecc4f16b712\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ContextFree\",\"type\":1,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"\\\\\\\"{DefaultWorkspace}\\\\\\\"\\\"}\\r\\n\",\"isHiddenWhenLocked\":true,\"queryType\":8},{\"id\":\"bbbc300a-6f91-4b2b-b4b5-842b4bf8577a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Selection\",\"type\":1,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| extend match = strcat(\\\"'\\\", id, \\\"'\\\") =~ \\\"{DefaultWorkspace:value}\\\"\\r\\n| order by match desc, name asc\\r\\n| take 1\\r\\n| project value = tostring(pack('sub', subscriptionId, 'rg', resourceGroup, 'ws', id))\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"1db5ee15-fe52-458b-91d1-7ee39d8c2cd3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscriptions\",\"type\":6,\"isRequired\":true,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat('/subscriptions/', subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ todynamic('{Selection}').sub, true, 
false)\",\"crossComponentResources\":[\"value::selected\"],\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"9732eff8-fb57-4cbd-8ade-5ae746f33760\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspaces\",\"type\":5,\"isRequired\":true,\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| summarize by id, name\\r\\n| project id, selected = iff(id =~ todynamic('{Selection}').ws, true, false)\",\"crossComponentResources\":[\"{Subscriptions}\"],\"value\":\"/subscriptions//resourcegroups//providers/microsoft.operationalinsights/workspaces/\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true}},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"7d597ad7-4a2a-45ed-a4fe-7ee32de0fc22\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Incident Creation Time\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000}],\"allowCustom\":true}},{\"id\":\"3a87d4f7-42cc-4c62-b543-6b5d9ab8cf27\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| summarize Count = count(IncidentNumber) by Severity\\r\\n| project Value = Severity, Label = strcat(Severity, \\\": \\\", 
Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"81085d3a-5aca-488e-b7c6-ecf1167e59f7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Tactics\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = todynamic(AdditionalData.tactics)\\r\\n| mvexpand Tactics to typeof(string)\\r\\n| summarize Count=count(IncidentNumber) by Tactics\\r\\n| project Value = Tactics, Label = strcat(Tactics, \\\": \\\", Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0f9efb0d-ac34-41d0-8a19-165840eb2a71\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Owner\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| extend owner = tostring(Owner.assignedTo) \\r\\n| summarize Count=count(IncidentNumber) by Owner= case(owner==\\\"\\\", \\\"Unassigned\\\",owner)\\r\\n| project Value = Owner, Label = strcat(Owner, \\\": \\\", Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"cf86113b-59ad-4fc9-aeb7-9b44e230641e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Product\",\"label\":\"Product Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| 
extend Product = tostring(parse_json(tostring(AdditionalData.alertProductNames))[0]) \\r\\n| summarize Count=count(IncidentNumber) by Product\\r\\n| project Value = Product, Label = strcat(Product, \\\": \\\", Count)\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"baa92cd2-7ade-41c3-a07c-a11f5ce3e0e6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[{ \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"customWidth\":\"100\",\"name\":\"parameters - 6\"},{\"type\":1,\"content\":{\"json\":\"## Incidents created over time\"},\"customWidth\":\"67\",\"name\":\"Incidents over time - headline\"},{\"type\":1,\"content\":{\"json\":\"## Incidents by closing classification\"},\"customWidth\":\"32\",\"name\":\"Incidents by classification - headline\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData,CreatedTime) by IncidentNumber\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize 
count() by bin(CreatedTime, 1h)\\n\\n\\n\\n\",\"size\":1,\"timeBrushParameterName\":\"TimeBrush\",\"exportFieldName\":\"CreatedTime\",\"exportParameterName\":\"TimePicker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"unstackedbar\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"CreatedTime\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"CreatedTime\",\"sortOrder\":2}],\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"count_\",\"label\":\"Incidents\"}]}},\"customWidth\":\"67\",\"name\":\"Incidents over time \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\\n| where Status == 'Closed'\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| extend feedback =strcat(Classification,\\\" \\\",ClassificationReason)\\n| summarize dcount(IncidentNumber) by feedback\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Incidents by classification - headline\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated,Status, Severity, Owner, AdditionalData) by IncidentNumber\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = 
todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize dcount(IncidentNumber) by Severity\",\"size\":1,\"title\":\"Incidents created by severity\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Informational\",\"color\":\"gray\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"High\",\"color\":\"red\"}]}},\"customWidth\":\"22\",\"name\":\"By severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() by case(tostring(Owner)==\\\"\\\", 
\\\"Unassigned\\\",tostring(Owner))\\n\\n\",\"size\":1,\"title\":\"Incidents created by owner\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"22\",\"name\":\"By owner\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() by Status\\n\",\"size\":1,\"title\":\"Incidents created by status\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"22\",\"name\":\"By 
status\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Time to triage, is the time between the incident creation and its first update.\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help1\"},{\"type\":1,\"content\":{\"json\":\"Time to closure, is the time between the incident creation and its last closure.\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \\n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\\n| summarize AvgTTT=avg(TimeToTriage) \\n\",\"size\":1,\"title\":\"Mean time to 
triage\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"AvgTTT\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"50\",\"name\":\"MTTT\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize arg_max(TimeGenerated,*) by IncidentNumber \\n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\\n| summarize AvgTTC=avg(TimeToClosure)\",\"size\":1,\"title\":\"Mean time to closure \",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"AvgTTC\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"50\",\"name\":\"MTTM\"}]},\"customWidth\":\"34\",\"name\":\"Mean 
times\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by severity over time \"},\"name\":\"text - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize Incidents=dcount(IncidentNumber) by Severity, bin(CreatedTime, 1d)\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\"},\"name\":\"query - 2 - Copy - Copy\"}]},\"name\":\"Incidents severity over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by owner over time \"},\"name\":\"text - 2 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = 
todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize Incidents=dcount(IncidentNumber) by case(tostring(Owner)==\\\"\\\", \\\"Unassigned\\\",tostring(Owner)), bin(CreatedTime, 1d)\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\"},\"name\":\"query - 2 - Copy - Copy - Copy\"}]},\"name\":\"Incident owner over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by status over time\"},\"name\":\"text - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize Incidents=dcount(IncidentNumber) by Status, bin(CreatedTime, 1d)\",\"size\":1,\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\"},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status over time\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by product over 
time\"},\"name\":\"text - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize Incidents=dcount(IncidentNumber) by tostring(Product), bin(CreatedTime, 1d)\",\"size\":1,\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\"},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status over time - Copy\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by tactics over time \"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| mvexpand Tactics to 
typeof(string)\\n| summarize Incidents=dcount(IncidentNumber) by Tactics, bin(CreatedTime, 1d)\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"unstackedbar\"},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by tags over time \"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| extend Tags = extract_all('labelName\\\":\\\"(.*?)\\\"',tostring(Labels))\\n| mvexpand Tags to typeof(string)\\n| summarize Incidents=dcount(IncidentNumber) by Tags, bin(CreatedTime, 1d)\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"unstackedbar\"},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by name\"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} 
and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData,CreatedTime) by IncidentNumber, Title\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() by bin(CreatedTime, 1h), Title\\n| order by count_ desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time - Copy - Copy\"}]},\"customWidth\":\"50\",\"name\":\"Over time left panel\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Time to triage (percentiles)\"},\"name\":\"text - 2 - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Time to triage, is the time between the incident creation and its first update.\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend 
Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \\n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\\n| summarize 5th_Percentile=max_of(percentile(TimeToTriage, 5),0),50th_Percentile=percentile(TimeToTriage, 50), 90th_Percentile=percentile(TimeToTriage, 90),99th_Percentile=percentile(TimeToTriage, 99) by bin(FirstModifiedTime, 1d)\\n\",\"size\":1,\"aggregation\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":3}}}}},\"name\":\"query - 2 - Copy - Copy\"}]},\"name\":\"Incidents severity over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Time to closure (percentiles)\\r\\n\"},\"name\":\"text - 2 - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Time to closure, is the time between the incident creation and its last closure.\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in 
({Product}) or \\\"*\\\" in ({Product})\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \\n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\\n| summarize 5th_Percentile=percentile(TimeToClosure, 5),50th_Percentile=percentile(TimeToClosure, 50), 90th_Percentile=percentile(TimeToClosure, 90),99th_Percentile=percentile(TimeToClosure, 99) by bin(ClosedTime, 1d)\\n\",\"size\":1,\"aggregation\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"percentile_MinToTriage_5\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"percentile_MinToTriage_5\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false},\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":3}},\"min\":0}}},\"name\":\"query - 2 - Copy - Copy - Copy\"}]},\"name\":\"Incident owner over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Mean time to closure per owner\\r\\n\"},\"name\":\"text - 2 - Copy\"},{\"type\":1,\"content\":{\"json\":\"The mean time between the incident creation and last closure by owner\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = 
todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n|where Status == 'Closed' \\n| extend Ownerr = case(tostring(Owner)==\\\"\\\", \\\"Unassigned\\\",tostring(Owner))\\n| summarize arg_min(LastModifiedTime,*) by IncidentNumber, Owner = Ownerr\\n| extend TimeToTriage = LastModifiedTime - CreatedTime, Owner\\n| summarize avg(TimeToTriage/1h) by Owner\\n\",\"size\":4,\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Owner\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"avg_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status over time\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Mean time to triage per owner\\r\\n\"},\"name\":\"text - 2 - Copy\"},{\"type\":1,\"content\":{\"json\":\"The mean time between the incident creation and first modification by owner\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend 
Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize arg_max(FirstModifiedTime,*) by IncidentNumber \\n| extend TimeToTriage = FirstModifiedTime - CreatedTime\\n| extend MinToTriage = TimeToTriage/1h\\n| summarize avg(TimeToTriage/1h) by owner=case(tostring(Owner)==\\\"\\\", \\\"Unassigned\\\",tostring(Owner))\\n\\n\",\"size\":4,\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"owner\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"avg_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status triage\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Actions per user\"},\"name\":\"text - 2 - Copy\"},{\"type\":1,\"content\":{\"json\":\"The number of actions taken on incidents per incident modifier\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\\n| where ModifiedBy !in(\\\"Alert Grouping\\\",\\\"Fusion\\\",\\\"Incident created from alert\\\")\\n| where ModifiedBy 
!contains(\\\"Automation rule\\\")\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() by ModifiedBy\\n\",\"size\":4,\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ModifiedBy\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false,\"sortCriteriaField\":\"count_\",\"sortOrderField\":2}},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status over time - Copy\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recent activities\"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Most recent activities taken on incidents\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or 
\\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| order by LastModifiedTime \\n| project LastModifiedTime,IncidentNumber, Title, Product, IncidentUrl, ModifiedBy,Status, Severity, Owner\\n| take 250\\n\\n\\n\",\"size\":1,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to incident >\"}}],\"labelSettings\":[{\"columnId\":\"LastModifiedTime\",\"label\":\"Last Modified Time\"},{\"columnId\":\"IncidentNumber\",\"label\":\"Incident Number\"},{\"columnId\":\"Title\"},{\"columnId\":\"Product\"},{\"columnId\":\"IncidentUrl\",\"label\":\"Link to incident\"},{\"columnId\":\"ModifiedBy\",\"label\":\"Modified By\"},{\"columnId\":\"Status\"},{\"columnId\":\"Severity\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recent incident closing classification\"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Recent closing classifications and comments of incidents\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - 
Copy - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| where Status == 'Closed'\\n| order by LastModifiedTime \\n| project LastModifiedTime,IncidentNumber, Title, Classification, ClassificationReason,ClassificationComment, Product, IncidentUrl, ModifiedBy,Status, Severity,Owner\\n| take 250\\n\\n\\n\",\"size\":1,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to incident >\"}}],\"labelSettings\":[{\"columnId\":\"LastModifiedTime\",\"label\":\"Last Modified Time\"},{\"columnId\":\"IncidentNumber\",\"label\":\"Incident Number\"},{\"columnId\":\"Title\"},{\"columnId\":\"Classification\"},{\"columnId\":\"ClassificationReason\",\"label\":\"Classification Reason\"},{\"columnId\":\"ClassificationComment\",\"label\":\"Classification Comment\"},{\"columnId\":\"Product\"},{\"columnId\":\"IncidentUrl\",\"label\":\"Link to incident\"},{\"columnId\":\"ModifiedBy\",\"label\":\"Modified 
By\"},{\"columnId\":\"Status\"},{\"columnId\":\"Severity\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time - Copy\"}]},\"customWidth\":\"50\",\"name\":\"Over time right panel\"}],\"fromTemplateId\":\"sentinel-SecurityOperationsEfficiency\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Security Operations Efficiency\"},\"customWidth\":\"35\",\"name\":\"Main headline\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"688dc7cb-bea3-41ae-ae94-32d22e09568c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultWorkspace\",\"type\":5,\"isRequired\":true,\"value\":\"value::1\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"additionalResourceOptions\":[\"value::1\"]}},{\"id\":\"c11b5651-cf86-4865-b23d-9ecc4f16b712\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ContextFree\",\"type\":1,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"\\\\\\\"{DefaultWorkspace}\\\\\\\"\\\"}\\r\\n\",\"isHiddenWhenLocked\":true,\"queryType\":8},{\"id\":\"bbbc300a-6f91-4b2b-b4b5-842b4bf8577a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Selection\",\"type\":1,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| extend match = strcat(\\\"'\\\", id, \\\"'\\\") =~ \\\"{DefaultWorkspace:value}\\\"\\r\\n| order by match desc, name asc\\r\\n| take 1\\r\\n| project value = tostring(pack('sub', subscriptionId, 'rg', 
resourceGroup, 'ws', id))\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"1db5ee15-fe52-458b-91d1-7ee39d8c2cd3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscriptions\",\"type\":6,\"isRequired\":true,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat('/subscriptions/', subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ todynamic('{Selection}').sub, true, false)\",\"crossComponentResources\":[\"value::selected\"],\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"9732eff8-fb57-4cbd-8ade-5ae746f33760\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspaces\",\"type\":5,\"isRequired\":true,\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| summarize by id, name\\r\\n| project id, selected = iff(id =~ todynamic('{Selection}').ws, true, false)\",\"crossComponentResources\":[\"{Subscriptions}\"],\"value\":\"/subscriptions//resourcegroups//providers/microsoft.operationalinsights/workspaces/\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true}},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"7d597ad7-4a2a-45ed-a4fe-7ee32de0fc22\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Incident Creation 
Time\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000}],\"allowCustom\":true}},{\"id\":\"3a87d4f7-42cc-4c62-b543-6b5d9ab8cf27\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| summarize Count = count(IncidentNumber) by Severity\\r\\n| project Value = Severity, Label = strcat(Severity, \\\": \\\", Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"81085d3a-5aca-488e-b7c6-ecf1167e59f7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Tactics\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = todynamic(AdditionalData.tactics)\\r\\n| mvexpand Tactics to typeof(string)\\r\\n| summarize Count=count(IncidentNumber) by Tactics\\r\\n| project Value = Tactics, Label = strcat(Tactics, \\\": \\\", Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0f9efb0d-ac34-41d0-8a19-165840eb2a71\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Owner\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| extend owner = tostring(Owner.assignedTo) 
\\r\\n| summarize Count=count(IncidentNumber) by Owner= case(owner==\\\"\\\", \\\"Unassigned\\\",owner)\\r\\n| project Value = Owner, Label = strcat(Owner, \\\": \\\", Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"cf86113b-59ad-4fc9-aeb7-9b44e230641e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Product\",\"label\":\"Product Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| extend Product = tostring(parse_json(tostring(AdditionalData.alertProductNames))[0]) \\r\\n| summarize Count=count(IncidentNumber) by Product\\r\\n| project Value = Product, Label = strcat(Product, \\\": \\\", Count)\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"baa92cd2-7ade-41c3-a07c-a11f5ce3e0e6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[{ \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"customWidth\":\"100\",\"name\":\"parameters - 6\"},{\"type\":1,\"content\":{\"json\":\"## Incidents created over time\"},\"customWidth\":\"67\",\"name\":\"Incidents over time - headline\"},{\"type\":1,\"content\":{\"json\":\"## Incidents by closing 
classification\"},\"customWidth\":\"32\",\"name\":\"Incidents by classification - headline\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData,CreatedTime) by IncidentNumber\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() by bin(CreatedTime, 1h)\\n\\n\\n\\n\",\"size\":1,\"timeBrushParameterName\":\"TimeBrush\",\"exportFieldName\":\"CreatedTime\",\"exportParameterName\":\"TimePicker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"unstackedbar\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"CreatedTime\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"CreatedTime\",\"sortOrder\":2}],\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"count_\",\"label\":\"Incidents\"}]}},\"customWidth\":\"67\",\"name\":\"Incidents over time \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\\n| where Status == 'Closed'\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in 
({Product})\\n| extend feedback =strcat(Classification,\\\" \\\",ClassificationReason)\\n| summarize dcount(IncidentNumber) by feedback\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Incidents by classification - headline\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated,Status, Severity, Owner, AdditionalData) by IncidentNumber\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize dcount(IncidentNumber) by Severity\",\"size\":1,\"title\":\"Incidents created by severity\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Informational\",\"color\":\"gray\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"High\",\"color\":\"red\"}]}},\"customWidth\":\"22\",\"name\":\"By 
severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() by case(tostring(Owner)==\\\"\\\", \\\"Unassigned\\\",tostring(Owner))\\n\\n\",\"size\":1,\"title\":\"Incidents created by owner\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"22\",\"name\":\"By owner\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = 
todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() by Status\\n\",\"size\":1,\"title\":\"Incidents created by status\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"22\",\"name\":\"By status\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Time to triage, is the time between the incident creation and its first update.\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help1\"},{\"type\":1,\"content\":{\"json\":\"Time to closure, is the time between the incident creation and its last closure.\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = 
todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\\n| summarize AvgTTT=avg(TimeToTriage) \\n\",\"size\":1,\"title\":\"Mean time to triage\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"AvgTTT\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"50\",\"name\":\"MTTT\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize arg_max(TimeGenerated,*) by IncidentNumber \\n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\\n| summarize AvgTTC=avg(TimeToClosure)\",\"size\":1,\"title\":\"Mean time to closure 
\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"AvgTTC\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"50\",\"name\":\"MTTM\"}]},\"customWidth\":\"34\",\"name\":\"Mean times\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by severity over time \"},\"name\":\"text - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize Incidents=dcount(IncidentNumber) by Severity, bin(CreatedTime, 1d)\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\"},\"name\":\"query - 2 - Copy - Copy\"}]},\"name\":\"Incidents severity over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents 
created by owner over time \"},\"name\":\"text - 2 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize Incidents=dcount(IncidentNumber) by case(tostring(Owner)==\\\"\\\", \\\"Unassigned\\\",tostring(Owner)), bin(CreatedTime, 1d)\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\"},\"name\":\"query - 2 - Copy - Copy - Copy\"}]},\"name\":\"Incident owner over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by status over time\"},\"name\":\"text - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize Incidents=dcount(IncidentNumber) by Status, bin(CreatedTime, 
1d)\",\"size\":1,\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\"},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status over time\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by product over time\"},\"name\":\"text - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize Incidents=dcount(IncidentNumber) by tostring(Product), bin(CreatedTime, 1d)\",\"size\":1,\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\"},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status over time - Copy\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by tactics over time \"},\"name\":\"text - 2 - Copy - Copy - Copy - 
Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| mvexpand Tactics to typeof(string)\\n| summarize Incidents=dcount(IncidentNumber) by Tactics, bin(CreatedTime, 1d)\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"unstackedbar\"},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by tags over time \"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| extend Tags = extract_all('labelName\\\":\\\"(.*?)\\\"',tostring(Labels))\\n| mvexpand Tags to typeof(string)\\n| summarize Incidents=dcount(IncidentNumber) by Tags, 
bin(CreatedTime, 1d)\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"unstackedbar\"},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by name\"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData,CreatedTime) by IncidentNumber, Title\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() by bin(CreatedTime, 1h), Title\\n| order by count_ desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time - Copy - Copy\"}]},\"customWidth\":\"50\",\"name\":\"Over time left panel\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Time to triage (percentiles)\"},\"name\":\"text - 2 - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Time to triage, is the time between the incident creation and its first 
update.\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \\n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\\n| summarize 5th_Percentile=max_of(percentile(TimeToTriage, 5),0),50th_Percentile=percentile(TimeToTriage, 50), 90th_Percentile=percentile(TimeToTriage, 90),99th_Percentile=percentile(TimeToTriage, 99) by bin(FirstModifiedTime, 1d)\\n\",\"size\":1,\"aggregation\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":3}}}}},\"name\":\"query - 2 - Copy - Copy\"}]},\"name\":\"Incidents severity over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Time to closure (percentiles)\\r\\n\"},\"name\":\"text - 2 - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Time to closure, is the time between the incident creation and its last 
closure.\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \\n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\\n| summarize 5th_Percentile=percentile(TimeToClosure, 5),50th_Percentile=percentile(TimeToClosure, 50), 90th_Percentile=percentile(TimeToClosure, 90),99th_Percentile=percentile(TimeToClosure, 99) by bin(ClosedTime, 1d)\\n\",\"size\":1,\"aggregation\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"percentile_MinToTriage_5\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"percentile_MinToTriage_5\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false},\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":3}},\"min\":0}}},\"name\":\"query - 2 - Copy - Copy - Copy\"}]},\"name\":\"Incident owner over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Mean time to closure per owner\\r\\n\"},\"name\":\"text - 2 - 
Copy\"},{\"type\":1,\"content\":{\"json\":\"The mean time between the incident creation and last closure by owner\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n|where Status == 'Closed' \\n| extend Ownerr = case(tostring(Owner)==\\\"\\\", \\\"Unassigned\\\",tostring(Owner))\\n| summarize arg_min(LastModifiedTime,*) by IncidentNumber, Owner = Ownerr\\n| extend TimeToTriage = LastModifiedTime - CreatedTime, Owner\\n| summarize avg(TimeToTriage/1h) by Owner\\n\",\"size\":4,\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Owner\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"avg_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status over 
time\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Mean time to triage per owner\\r\\n\"},\"name\":\"text - 2 - Copy\"},{\"type\":1,\"content\":{\"json\":\"The mean time between the incident creation and first modification by owner\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize arg_max(FirstModifiedTime,*) by IncidentNumber \\n| extend TimeToTriage = FirstModifiedTime - CreatedTime\\n| extend MinToTriage = TimeToTriage/1h\\n| summarize avg(TimeToTriage/1h) by owner=case(tostring(Owner)==\\\"\\\", 
\\\"Unassigned\\\",tostring(Owner))\\n\\n\",\"size\":4,\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"owner\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"avg_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status triage\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Actions per user\"},\"name\":\"text - 2 - Copy\"},{\"type\":1,\"content\":{\"json\":\"The number of actions taken on incidents per incident modifier\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\\n| where ModifiedBy !in(\\\"Alert Grouping\\\",\\\"Fusion\\\",\\\"Incident created from alert\\\")\\n| where ModifiedBy !contains(\\\"Automation rule\\\")\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() 
by ModifiedBy\\n\",\"size\":4,\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ModifiedBy\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false,\"sortCriteriaField\":\"count_\",\"sortOrderField\":2}},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status over time - Copy\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recent activities\"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Most recent activities taken on incidents\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| order by LastModifiedTime \\n| project LastModifiedTime,IncidentNumber, Title, Product, IncidentUrl, ModifiedBy,Status, Severity, Owner\\n| take 
250\\n\\n\\n\",\"size\":1,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to incident >\"}}],\"labelSettings\":[{\"columnId\":\"LastModifiedTime\",\"label\":\"Last Modified Time\"},{\"columnId\":\"IncidentNumber\",\"label\":\"Incident Number\"},{\"columnId\":\"Title\"},{\"columnId\":\"Product\"},{\"columnId\":\"IncidentUrl\",\"label\":\"Link to incident\"},{\"columnId\":\"ModifiedBy\",\"label\":\"Modified By\"},{\"columnId\":\"Status\"},{\"columnId\":\"Severity\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recent incident closing classification\"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Recent closing classifications and comments of incidents\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = 
todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| where Status == 'Closed'\\n| order by LastModifiedTime \\n| project LastModifiedTime,IncidentNumber, Title, Classification, ClassificationReason,ClassificationComment, Product, IncidentUrl, ModifiedBy,Status, Severity,Owner\\n| take 250\\n\\n\\n\",\"size\":1,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to incident >\"}}],\"labelSettings\":[{\"columnId\":\"LastModifiedTime\",\"label\":\"Last Modified Time\"},{\"columnId\":\"IncidentNumber\",\"label\":\"Incident Number\"},{\"columnId\":\"Title\"},{\"columnId\":\"Classification\"},{\"columnId\":\"ClassificationReason\",\"label\":\"Classification Reason\"},{\"columnId\":\"ClassificationComment\",\"label\":\"Classification Comment\"},{\"columnId\":\"Product\"},{\"columnId\":\"IncidentUrl\",\"label\":\"Link to incident\"},{\"columnId\":\"ModifiedBy\",\"label\":\"Modified By\"},{\"columnId\":\"Status\"},{\"columnId\":\"Severity\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time - Copy\"}]},\"customWidth\":\"50\",\"name\":\"Over time right 
panel\"}],\"fromTemplateId\":\"sentinel-SecurityOperationsEfficiency\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel"
@@ -1150,7 +1150,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId11'),'/'))))]",
 "properties": {
- "description": "@{workbookKey=SecurityOperationsEfficiency; logoFileName=Azure_Sentinel.svg; description=Security operations center managers can view overall efficiency metrics and measures regarding the performance of their team. They can find operations by multiple indicators over time including severity, MITRE tactics, mean time to triage, mean time to resolve and more. The SOC manager can develop a picture of the performance in both general and specific areas over time and use it to improve efficiency.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.5.1; title=Security Operations Efficiency; templateRelativePath=SecurityOperationsEfficiency.json; subtitle=; provider=Microsoft}.description",
+ "description": "@{workbookKey=SecurityOperationsEfficiency; logoFileName=Azure_Sentinel.svg; description=Security operations center managers can view overall efficiency metrics and measures regarding the performance of their team. They can find operations by multiple indicators over time including severity, MITRE tactics, mean time to triage, mean time to resolve and more. The SOC manager can develop a picture of the performance in both general and specific areas over time and use it to improve efficiency.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.5.2; title=Security Operations Efficiency; templateRelativePath=SecurityOperationsEfficiency.json; subtitle=; provider=Microsoft}.description",
 "parentId": "[variables('workbookId11')]",
 "contentId": "[variables('_workbookContentId11')]",
 "kind": "Workbook",
@@ -1207,7 +1207,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SecurityStatus Workbook with template version 3.0.4",
+ "description": "SecurityStatus Workbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion12')]",
@@ -1297,7 +1297,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SentinelCentral Workbook with template version 3.0.4",
+ "description": "SentinelCentral Workbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion13')]",
@@ -1375,7 +1375,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.4",
+ "version": "3.0.5",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "SOC Handbook",
diff --git a/Solutions/SOC Handbook/ReleaseNotes.md b/Solutions/SOC Handbook/ReleaseNotes.md
index 900cf1cb4dc..3c248e4f997 100644
--- a/Solutions/SOC Handbook/ReleaseNotes.md
+++ b/Solutions/SOC Handbook/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|-------------------------------------------------------------------------------------|
+| 3.0.5 | 24-09-2025 | Updated *SecurityOperationsEfficiency* to fix Mean time to triage |
 | 3.0.4 | 22-04-2025 | Updated *Azure to Sentinel Cost* - **Workbook**. |
 | 3.0.3 | 28-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID. |
 | 3.0.2 | 21-11-2023 | Updated SecurityOperationsEfficiency **Workbook** to run the query on "set in query".|
diff --git a/Solutions/SOC Handbook/Workbooks/SecurityOperationsEfficiency.json b/Solutions/SOC Handbook/Workbooks/SecurityOperationsEfficiency.json
index ee3b697fa60..f43491551b7 100644
--- a/Solutions/SOC Handbook/Workbooks/SecurityOperationsEfficiency.json
+++ b/Solutions/SOC Handbook/Workbooks/SecurityOperationsEfficiency.json
@@ -504,7 +504,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "SecurityIncident\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\n| summarize AvgTTT=avg(TimeToTriage) \n",
+ "query": "SecurityIncident\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\n| summarize AvgTTT=avg(TimeToTriage) \n",
 "size": 1,
 "title": "Mean time to triage",
 "queryType": 0,
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index b9a5812c851..a6a08068e06 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -2366,7 +2366,7 @@
 "SecurityEfficiencyBlack1.png",
 "SecurityEfficiencyBlack2.png"
 ],
- "version": "1.5.1",
+ "version": "1.5.2",
 "title": "Security Operations Efficiency",
 "templateRelativePath": "SecurityOperationsEfficiency.json",
 "subtitle": "",
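Review bot: The reordering on the `+` line (`summarize arg_max(LastModifiedTime,*) by IncidentNumber` moved ahead of the Owner and Product `extend`/`where` steps) is applied only to the "Mean time to triage" tile; the "Time to triage (percentiles)" and "Time to closure (percentiles)" queries of the same workbook, whose text is visible in the embedded template earlier in this diff, still filter on the per-row Owner and Product before collapsing to one record per incident, so with an Owner or Product selection the mean and percentile tiles can be computed over different incident sets. Moving the same line `| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n` to directly after the Tactics filter in those two queries would keep the tiles consistent; the "Mean time to closure" tile (`arg_max(TimeGenerated,*)` after the filters) looks affected the same way, though the intended semantics there is not stated anywhere on the page. The release-note entry says only "fix Mean time to triage"; a one-line reason such as `filter on the incident's latest Owner/Product record rather than on every revision row` would tell the next reader why the order matters. The enclosing KqlItem object starts and ends outside the hunk.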