diff --git a/Solutions/ContinuousDiagnostics&Mitigation/Data/Solution_ContinuousDiagnostics&Mitigation.json b/Solutions/ContinuousDiagnostics&Mitigation/Data/Solution_ContinuousDiagnostics&Mitigation.json
index 021a93517d3..b7f9fc353bb 100644
--- a/Solutions/ContinuousDiagnostics&Mitigation/Data/Solution_ContinuousDiagnostics&Mitigation.json
+++ b/Solutions/ContinuousDiagnostics&Mitigation/Data/Solution_ContinuousDiagnostics&Mitigation.json
@@ -13,7 +13,7 @@
 "Solutions/ContinuousDiagnostics&Mitigation/Workbooks/ContinuousDiagnostics&Mitigation.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel",
- "Version": "3.0.1",
+ "Version": "3.0.2",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true
 }
\ No newline at end of file
diff --git a/Solutions/ContinuousDiagnostics&Mitigation/Package/3.0.2.zip b/Solutions/ContinuousDiagnostics&Mitigation/Package/3.0.2.zip
new file mode 100644
index 00000000000..8e9398eb796
Binary files /dev/null and b/Solutions/ContinuousDiagnostics&Mitigation/Package/3.0.2.zip differ
diff --git a/Solutions/ContinuousDiagnostics&Mitigation/Package/createUiDefinition.json b/Solutions/ContinuousDiagnostics&Mitigation/Package/createUiDefinition.json
index d752bf2af8d..fc4f00217fd 100644
--- a/Solutions/ContinuousDiagnostics&Mitigation/Package/createUiDefinition.json
+++ b/Solutions/ContinuousDiagnostics&Mitigation/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ContinuousDiagnostics&Mitigation/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThis solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/reporting, (1) Analytics rule for monitoring and (1) Hunting query for assessment. \n\n The Cybersecurity and Infrastructure Security Agency (CISA) Continuous Diagnostics and Mitigation (CDM) Program is a dynamic approach to fortifying the cybersecurity of government networks and systems. 
The CDM Program provides cybersecurity tools, integration services, and dashboards to participating agencies to help them improve their respective security postures by delivering better visibility and awareness of their networks and defending against cyber adversaries.For more information, see [Continuous Diagnostics and Mitigation (CDM)](https://www.cisa.gov/cdm).\n\n**Workbooks:** 1, **Analytic Rules:** 1, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ContinuousDiagnostics%26Mitigation/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThis solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/reporting, (1) Analytics rule for monitoring and (1) Hunting query for assessment. \n\n The Cybersecurity and Infrastructure Security Agency (CISA) Continuous Diagnostics and Mitigation (CDM) Program is a dynamic approach to fortifying the cybersecurity of government networks and systems. 
The CDM Program provides cybersecurity tools, integration services, and dashboards to participating agencies to help them improve their respective security postures by delivering better visibility and awareness of their networks and defending against cyber adversaries.For more information, see [Continuous Diagnostics and Mitigation (CDM)](https://www.cisa.gov/cdm).\n\n**Workbooks:** 1, **Analytic Rules:** 1, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -144,7 +144,7 @@
 "name": "huntingqueries-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view."
+ "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
 }
 },
 {
diff --git a/Solutions/ContinuousDiagnostics&Mitigation/Package/mainTemplate.json b/Solutions/ContinuousDiagnostics&Mitigation/Package/mainTemplate.json
index 443134cb392..9102cacb015 100644
--- a/Solutions/ContinuousDiagnostics&Mitigation/Package/mainTemplate.json
+++ b/Solutions/ContinuousDiagnostics&Mitigation/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "ContinuousDiagnostics&Mitigation",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
 "solutionId": "azuresentinel.azure-sentinel-solution-continuousdiagnostics",
 "_solutionId": "[variables('solutionId')]",
 "analyticRuleObject1": { 
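Review bot: The two bullets in the new `description` are separated inconsistently: the first is now `\n\n• Review the solution …` while the second keeps a leading space, `\n\n • There may be [known issues]…`, so the two lines render with different indentation in the installer's basics pane; drop the space so both read `\n\n• …`. Percent-encoding the ampersand as `%26` in the Release Notes link is the right fix for the raw `&` on the old side, but the ReleaseNotes.md change for 3.0.2 is not visible in this chunk, so confirm the page exists at that path before the package is published. The run-on `adversaries.For more information` also survives on the new side and should get a space after the period.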
@@ -56,7 +56,7 @@
 "_huntingQuerycontentId1": "e15944a8-4172-4208-a928-631e01920d9c",
 "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e15944a8-4172-4208-a928-631e01920d9c')))]"
 },
- "workbookVersion1": "1.0.0",
+ "workbookVersion1": "1.0.1",
 "workbookContentId1": "ContinuousDiagnostics&Mitigation",
 "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
 "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
@@ -75,7 +75,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ContinuousDiagnostics&MitigationPostureChanged_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "ContinuousDiagnostics&MitigationPostureChanged_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -85,7 +85,7 @@
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
 "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
- "apiVersion": "2022-04-01-preview",
+ "apiVersion": "2023-02-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": { 
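Review bot: The `Microsoft.SecurityInsights/AlertRuleTemplates` resource moves to `"apiVersion": "2023-02-01-preview"`, but the `properties` block that the newer API validates begins after the hunk, so nothing here shows the rule body still deploys; run a template validation or what-if of the packaged mainTemplate against that version before 3.0.2 ships. The hunting-query and workbook resources in the same file are not in this chunk, so it is unclear whether only the analytic rule was moved. Since template-spec consumers pin behaviour to the apiVersion, the bump deserves its own line in the 3.0.2 release notes rather than being folded into the version increment.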
@@ -172,7 +172,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ContinuousDiagnostics&MitigationPosture_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "ContinuousDiagnostics&MitigationPosture_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -257,7 +257,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ContinuousDiagnostics&Mitigation Workbook with template version 3.0.1",
+ "description": "ContinuousDiagnostics&Mitigation Workbook with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]", 
@@ -275,7 +275,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Getting Started\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\",\"value\":\"No\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order 
by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000}],\"allowCustom\":true}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"## Getting Started\\r\\nThis Solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This Solution demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All CDM requirements, validations, and controls are governed by the 💡[Cybersecurity & Infrastructure Security Agency](https://www.cisa.gov/cdm). This solution provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer.
\\r\\n\\r\\n### [Microsoft Sentinel Roles](https://docs.microsoft.com/azure/sentinel/roles) / [Microsoft Defender for Cloud Roles](https://docs.microsoft.com/azure/defender-for-cloud/permissions#roles-and-allowed-actions) / [Microsoft Defender for Endpoint Roles](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/user-roles)\\r\\n| Roles | Rights | \\r\\n|:--|:--|\\r\\n|Security Reader | View Workbooks, Analytics, Hunting, Security Recommendations |\\r\\n|Security Contributor| Deploy/Modify Workbooks, Analytics, Hunting Queries, Apply Security Recommendations |\\r\\n|Security Admin| Onboard & Configure Endpoints |\\r\\n|Owner| Assign Regulatory Compliance Initiatives|\\r\\n\\r\\n### Onboarding Prerequisites \\r\\n1️⃣ [Onboard Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
\\r\\n2️⃣ [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\\r\\n3️⃣ [Onboard Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/onboard-configure)
\\r\\n4️⃣ [Enable Microsoft Defender for Endpoint: Threat & Vulnerability Management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-prerequisites)
\\r\\n5️⃣ [Connect Microsoft Defender for Cloud to Microsoft Sentinel via Continuous Export](https://docs.microsoft.com/azure/security-center/continuous-export)
\\r\\n6️⃣ [Extend Microsoft Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)
\\r\\n7️⃣ [Connect Microsoft Defender for Endpoint to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)
\\r\\n8️⃣ [Automated Data Export to CISA](https://github.com/Azure/trusted-internet-connection)
\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/dAHTwp5qTy)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# [Continuous Diagnostics and Mitigation (CDM)](https://www.cisa.gov/cdm)\\n---\\n\\nThis solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/assessment/reporting, (1) Analytics rule for monitoring and (1) Hunting query for assessment. \\\"The Cybersecurity and Infrastructure Security Agency (CISA) Continuous Diagnostics and Mitigation (CDM) Program is a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program provides cybersecurity tools, integration services, and dashboards to participating agencies to help them improve their respective security postures by delivering better visibility and awareness of their \\nnetworks and defending against cyber adversaries.\\\" For more information, see 💡[Continuous Diagnostics and Mitigation (CDM)](https://www.cisa.gov/cdm). \\n\\n### Disclaimer\\nThe Microsoft Sentinel CDM Solution is not endorsed, nor required by the CDM PMO or CISA. The offering is also not a replacement for the CDM program's requirement for agency dashboard integration. While the offering does have similar visibility metrics, the agency and service integrator are still responsible for ensuring relevant cloud and asset data are integrated into the agency dashboard in accordance with CDM Program requirements. 
Similar, while Microsoft Sentinel CDM may make data aggregation and availability more rapid and efficient, the offering should not be viewed as a replacement for any specific CDM capability, until independently validated by appropriate CISA CDM contractor or federal teams. \\n\\n\"},\"customWidth\":\"79\",\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Executive Summary\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Assessment\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Controls Crosswalk\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Crosswalk\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Asset Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Asset Management\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Identity & Access Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Identity\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Network Security Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Network\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
107\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cec6c07e-2856-4c77-8b48-98935f2c1218\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAssessmentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Assessment\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"eab3e5a8-66c3-4304-8c2b-43264e858ba8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCrosswalkVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Crosswalk\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"ec480379-6561-4a30-b005-7533da78ed14\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAssetVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Asset\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"2919b971-fb14-440c-ab42-50304df3ceab\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIdentityVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Ident
ity\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"38d5c68b-fce9-479b-b8dd-acb7a97d85e7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isNetworkVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Network\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"isVisible Navigation\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Data Protection Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Asset/Indicator Search\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"TI\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Azure Lighthouse for Multi-Tenant\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AL\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Recommended Data Connectors\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Recommended Content\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"GC\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 107 - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"351dcb3f-0554-4677-8229-45bfd2aa3659\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isALVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AL\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4b0442c3-2175-4c05-a6dd-8f6a38ae9568\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d6d4eecf-14c7-47d3-a13e-f800180e62a1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isGCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"GC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operato
r\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"5b008366-4fb9-41b2-b6e5-66785b614818\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isTIVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"TI\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"2e6a0fcc-7d2d-4009-9b31-43ff10b7bf0e\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Executive Summary](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842)\\r\\n---\\r\\n\\r\\nThis section provides a mechanism to implement CDM recommendations. A selector provides capability to filter by all, specific, or groups of capability areas. Upon selection, subordinate panels will summarize recommendations by capability area, status over time, recommendations, and resources identified. These panels are helpful for identifying the areas of interest, status over time, and which resources are most impacted by these gaps. 
\"},\"customWidth\":\"40\",\"name\":\"NS Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 11\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"99a47f97-1aa4-4840-91ee-119aad6d6217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MaturityLevel\",\"label\":\"Capability Area\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Hardware Asset Management (HWAM)\\\", \\\"label\\\": \\\"Hardware Asset Management (HWAM)\\\"},\\r\\n {\\\"value\\\": \\\"Software Asset Management (SWAM)\\\", \\\"label\\\": \\\"Software Asset Management (SWAM)\\\"},\\r\\n {\\\"value\\\": \\\"User Trust (TRUST)\\\", \\\"label\\\": \\\"User Trust (TRUST)\\\"},\\r\\n {\\\"value\\\": \\\"Credentials & Authenticators (CRED)\\\", \\\"label\\\": \\\"Credentials & Authenticators (CRED)\\\"},\\r\\n {\\\"value\\\": \\\"Privileges (PRIV)\\\", \\\"label\\\": \\\"Privileges (PRIV)\\\"},\\r\\n {\\\"value\\\": \\\"Boundary Protection (BOUND)\\\", \\\"label\\\": \\\"Boundary Protection (BOUND)\\\"},\\r\\n {\\\"value\\\": \\\"Manage Events (MNGEVT)\\\", \\\"label\\\": \\\"Manage Events (MNGEVT)\\\"},\\r\\n {\\\"value\\\": \\\"Endpoint Detection & Response (EDR)\\\", \\\"label\\\": \\\"Endpoint Detection & Response (EDR)\\\"},\\r\\n {\\\"value\\\": \\\"Design & Build in Security (DBS)\\\", \\\"label\\\": \\\"Design & Build in Security (DBS)\\\"},\\r\\n {\\\"value\\\": \\\"Data Protection Management (DPM)\\\", \\\"label\\\": \\\"Data Protection Management (DPM)\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"parameters - 
26\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend MaturityLevel=iff(RecommendationDisplayName has_any(\\\"log\\\",\\\"defender\\\",\\\"asset\\\",\\\"arc\\\"), \\\"Hardware Asset Management (HWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"allow\\\",\\\"software\\\",\\\"application\\\"), \\\"Software Asset Management (SWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"account\\\",\\\"user\\\",\\\"identity\\\",\\\"trust\\\"), \\\"User Trust (TRUST)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"access\\\",\\\"auth\\\",\\\"key\\\",\\\"cert\\\",\\\"token\\\"), \\\"Credentials & Authenticators (CRED)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"priv\\\",\\\"admin\\\",\\\"root\\\"), \\\"Privileges (PRIV)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\",\\\"internet\\\",\\\"traffic\\\",\\\"firewall\\\",\\\"intrusion\\\",\\\"bound\\\",\\\"tls\\\",\\\"gateway\\\",\\\"subnet\\\",\\\"web\\\",\\\"url\\\",\\\"proxy\\\",\\\"just\\\",\\\"port\\\",\\\"JIT\\\",\\\"http\\\"), \\\"Boundary Protection (BOUND)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"event\\\",\\\"agent\\\",\\\"incident\\\",\\\"back\\\",\\\"privacy\\\",\\\"audit\\\",\\\"collect\\\"), \\\"Manage Events (MNGEVT)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"edr\\\",\\\"malware\\\",\\\"endpoint protection\\\",\\\"detect\\\",\\\"respon\\\"), \\\"Endpoint Detection & Response (EDR)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"aks\\\",\\\"contain\\\",\\\"kube\\\",\\\"supply\\\"), \\\"Design & Build in Security (DBS)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"data\\\",\\\"storage\\\",\\\"sql\\\",\\\"cmk\\\",\\\"key\\\"), \\\"Data Protection Management (DPM)\\\",\\\"Other\\\"))))))))))\\r\\n| where MaturityLevel in ({MaturityLevel})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize 
Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by MaturityLevel\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| project MaturityLevel, Total, PassedControls, Passed, Failed, Applicable, NotApplicable\\r\\n| sort by Total, Passed desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Capability Area\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 2 & 5\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"MaturityLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\
",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend MaturityLevel=iff(RecommendationDisplayName has_any(\\\"log\\\",\\\"defender\\\",\\\"asset\\\",\\\"arc\\\"), \\\"Hardware Asset Management (HWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"allow\\\",\\\"software\\\",\\\"application\\\"), \\\"Software Asset Management (SWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"account\\\",\\\"user\\\",\\\"identity\\\",\\\"trust\\\"), \\\"User Trust (TRUST)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"access\\\",\\\"auth\\\",\\\"key\\\",\\\"cert\\\",\\\"token\\\"), \\\"Credentials & Authenticators (CRED)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"priv\\\",\\\"admin\\\",\\\"root\\\"), \\\"Privileges (PRIV)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\",\\\"internet\\\",\\\"traffic\\\",\\\"firewall\\\",\\\"intrusion\\\",\\\"bound\\\",\\\"tls\\\",\\\"gateway\\\",\\\"subnet\\\",\\\"web\\\",\\\"url\\\",\\\"proxy\\\",\\\"just\\\",\\\"port\\\",\\\"JIT\\\",\\\"http\\\"), \\\"Boundary Protection (BOUND)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"event\\\",\\\"agent\\\",\\\"incident\\\",\\\"back\\\",\\\"privacy\\\",\\\"audit\\\",\\\"collect\\\"), \\\"Manage Events (MNGEVT)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"edr\\\",\\\"malware\\\",\\\"endpoint protection\\\",\\\"detect\\\",\\\"respon\\\"), \\\"Endpoint 
Detection & Response (EDR)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"aks\\\",\\\"contain\\\",\\\"kube\\\",\\\"supply\\\"), \\\"Design & Build in Security (DBS)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"data\\\",\\\"storage\\\",\\\"sql\\\",\\\"cmk\\\",\\\"key\\\"), \\\"Data Protection Management (DPM)\\\",\\\"Other\\\"))))))))))\\r\\n| where MaturityLevel in ({MaturityLevel})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 2 & 5\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend MaturityLevel=iff(RecommendationDisplayName has_any(\\\"log\\\",\\\"defender\\\",\\\"asset\\\",\\\"arc\\\"), \\\"Hardware 
Asset Management (HWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"allow\\\",\\\"software\\\",\\\"application\\\"), \\\"Software Asset Management (SWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"account\\\",\\\"user\\\",\\\"identity\\\",\\\"trust\\\"), \\\"User Trust (TRUST)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"access\\\",\\\"auth\\\",\\\"key\\\",\\\"cert\\\",\\\"token\\\"), \\\"Credentials & Authenticators (CRED)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"priv\\\",\\\"admin\\\",\\\"root\\\"), \\\"Privileges (PRIV)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\",\\\"internet\\\",\\\"traffic\\\",\\\"firewall\\\",\\\"intrusion\\\",\\\"bound\\\",\\\"tls\\\",\\\"gateway\\\",\\\"subnet\\\",\\\"web\\\",\\\"url\\\",\\\"proxy\\\",\\\"just\\\",\\\"port\\\",\\\"JIT\\\",\\\"http\\\"), \\\"Boundary Protection (BOUND)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"event\\\",\\\"agent\\\",\\\"incident\\\",\\\"back\\\",\\\"privacy\\\",\\\"audit\\\",\\\"collect\\\"), \\\"Manage Events (MNGEVT)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"edr\\\",\\\"malware\\\",\\\"endpoint protection\\\",\\\"detect\\\",\\\"respon\\\"), \\\"Endpoint Detection & Response (EDR)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"aks\\\",\\\"contain\\\",\\\"kube\\\",\\\"supply\\\"), \\\"Design & Build in Security (DBS)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"data\\\",\\\"storage\\\",\\\"sql\\\",\\\"cmk\\\",\\\"key\\\"), \\\"Data Protection Management (DPM)\\\",\\\"Other\\\"))))))))))\\r\\n| where MaturityLevel in ({MaturityLevel})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == 
\\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by AssessedResourceId\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| project AssessedResourceId, Total, PassedControls, Passed, Failed, Applicable, NotApplicable\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Asset\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 2 & 5\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AssessedResourceId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"red\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| extend MaturityLevel=iff(RecommendationDisplayName has_any(\\\"log\\\",\\\"defender\\\",\\\"asset\\\",\\\"arc\\\"), \\\"Hardware Asset Management 
(HWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"allow\\\",\\\"software\\\",\\\"application\\\"), \\\"Software Asset Management (SWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"account\\\",\\\"user\\\",\\\"identity\\\",\\\"trust\\\"), \\\"User Trust (TRUST)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"access\\\",\\\"auth\\\",\\\"key\\\",\\\"cert\\\",\\\"token\\\"), \\\"Credentials & Authenticators (CRED)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"priv\\\",\\\"admin\\\",\\\"root\\\"), \\\"Privileges (PRIV)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\",\\\"internet\\\",\\\"traffic\\\",\\\"firewall\\\",\\\"intrusion\\\",\\\"bound\\\",\\\"tls\\\",\\\"gateway\\\",\\\"subnet\\\",\\\"web\\\",\\\"url\\\",\\\"proxy\\\",\\\"just\\\",\\\"port\\\",\\\"JIT\\\",\\\"http\\\"), \\\"Boundary Protection (BOUND)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"event\\\",\\\"agent\\\",\\\"incident\\\",\\\"back\\\",\\\"privacy\\\",\\\"audit\\\",\\\"collect\\\"), \\\"Manage Events (MNGEVT)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"edr\\\",\\\"malware\\\",\\\"endpoint protection\\\",\\\"detect\\\",\\\"respon\\\"), \\\"Endpoint Detection & Response (EDR)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"aks\\\",\\\"contain\\\",\\\"kube\\\",\\\"supply\\\"), \\\"Design & Build in Security (DBS)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"data\\\",\\\"storage\\\",\\\"sql\\\",\\\"cmk\\\",\\\"key\\\"), \\\"Data Protection Management (DPM)\\\",\\\"Other\\\"))))))))))\\r\\n| where MaturityLevel in ({MaturityLevel})\\r\\n| make-series count() default=0 on TimeGenerated from startofday({TimeRange:start}) to startofday({TimeRange:end}) step 1d by MaturityLevel\\r\\n| render timechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations over Time\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 2 & 5\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"ControlID\",\"formatter\":1},{\"columnMatch\":\"Recommendation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation >\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| extend MaturityLevel=iff(RecommendationDisplayName has_any(\\\"log\\\",\\\"defender\\\",\\\"asset\\\",\\\"arc\\\"), \\\"Hardware Asset Management (HWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"allow\\\",\\\"software\\\",\\\"application\\\"), \\\"Software Asset Management (SWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"account\\\",\\\"user\\\",\\\"identity\\\",\\\"trust\\\"), \\\"User Trust (TRUST)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"access\\\",\\\"auth\\\",\\\"key\\\",\\\"cert\\\",\\\"token\\\"), \\\"Credentials & Authenticators (CRED)\\\",\\r\\niff(RecommendationDisplayName 
has_any(\\\"priv\\\",\\\"admin\\\",\\\"root\\\"), \\\"Privileges (PRIV)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\",\\\"internet\\\",\\\"traffic\\\",\\\"firewall\\\",\\\"intrusion\\\",\\\"bound\\\",\\\"tls\\\",\\\"gateway\\\",\\\"subnet\\\",\\\"web\\\",\\\"url\\\",\\\"proxy\\\",\\\"just\\\",\\\"port\\\",\\\"JIT\\\",\\\"http\\\"), \\\"Boundary Protection (BOUND)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"event\\\",\\\"agent\\\",\\\"incident\\\",\\\"back\\\",\\\"privacy\\\",\\\"audit\\\",\\\"collect\\\"), \\\"Manage Events (MNGEVT)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"edr\\\",\\\"malware\\\",\\\"endpoint protection\\\",\\\"detect\\\",\\\"respon\\\"), \\\"Endpoint Detection & Response (EDR)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"aks\\\",\\\"contain\\\",\\\"kube\\\",\\\"supply\\\"), \\\"Design & Build in Security (DBS)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"data\\\",\\\"storage\\\",\\\"sql\\\",\\\"cmk\\\",\\\"key\\\"), \\\"Data Protection Management (DPM)\\\",\\\"Other\\\"))))))))))\\r\\n| where MaturityLevel in ({MaturityLevel})\\r\\n| extend RemediationLink = strcat(\\\"https://\\\",RecommendationLink)\\r\\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\\r\\n| where RecommendationState == \\\"Unhealthy\\\"\\r\\n| project ResourceID=AssessedResourceId, RecommendationName=RecommendationDisplayName, MaturityLevel, Severity=RecommendationSeverity, RecommendationState, RemediationLink, DiscoveredDate=StatusChangeDate\\r\\n| parse RemediationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *\\r\\n| extend Rank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, 0)))\\r\\n| sort by Rank desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendation Details\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 2 & 5\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceID\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"MaturityLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"RemediationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Rank\",\"formatter\":5},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"ControlID\",\"formatter\":1}],\"rowLimit\":2500,\"filter\":true}},\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAssessmentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Assessment\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Controls Crosswalk\\r\\n---\\r\\nControls crosswalk provides a mapping of CDM controls across respective overlays. This provides free-text search capabilities to facilitate navigation of the workbook. There is mapping by capability, capability area, recommended logs, and recommended products including export to excel for reporting. 
\"},\"customWidth\":\"40\",\"name\":\"Controls Mapping\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Crosswalk = datatable([\\\"Capability\\\"]: string, [\\\"Capability Area\\\"]: string, [\\\"Recommended Logs\\\"]: string, [\\\"Recommended Products\\\"]: string) [\\r\\n\\\"Hardware Asset Management (HWAM)\\\",\\\"Asset Management\\\",\\\"SecurityRegulatoryCompliance, Resources, ConfigurationData\\\",\\\"Microsoft Defender for Cloud, Azure Resource Graph, Azure Monitor, Microsoft 365 Defender\\\",\\r\\n\\\"Software Asset Management (SWAM)\\\",\\\"Asset Management\\\",\\\"SecurityRegulatoryCompliance, SecurityEvent, ConfigurationData, SigninLogs\\\",\\\"Microsoft Defender for Cloud, Microsoft Defender for Endpoint, Azure Monitor, Azure Active Directory\\\",\\r\\n\\\"User Trust (TRUST)\\\",\\\"Identity & Access Management\\\",\\\"SecurityIncident, SecurityRecommendation, SecurityBaseline, SigninLogs, IdentityInfo\\\",\\\"Microsoft Sentinel, Microsoft Defender for Cloud, Azure Active Directory\\\",\\r\\n\\\"Credentials & Authenticators (CRED)\\\",\\\"Identity & Access Management\\\",\\\"SecurityIncident, SecurityRecommendation, SecurityBaseline, SigninLogs, IdentityInfo\\\",\\\"Microsoft Sentinel, Microsoft Defender for Cloud, Azure Active Directory, Key Vault\\\",\\r\\n\\\"Privileges (PRIV)\\\",\\\"Identity & Access Management\\\",\\\"SecurityIncident, SecurityRecommendation, SecurityBaseline, SigninLogs, IdentityInfo\\\",\\\"Microsoft Sentinel, Azure Active Directory, Privileged Identity Management, Microsoft Defender for Cloud\\\",\\r\\n\\\"Boundary Protection (BOUND)\\\",\\\"Network Security Management\\\",\\\"SecurityIncident, SecurityRecommendation, SecurityBaseline\\\",\\\"Azure Firewall, Microsoft Defender for Cloud, Network Security Groups, Web Application Firewalls, Network Watcher, Virtual Network Gateways, Bastions\\\",\\r\\n\\\"Manage Events (MNGEVT)\\\",\\\"Network Security Management\\\",\\\"SecurityIncident, 
SecurityRecommendation, SecurityBaseline\\\",\\\"Azure Monitor, Microsoft Defender for Endpoint\\\",\\r\\n\\\"Endpoint Detection & Response (EDR)\\\",\\\"Network Security Management\\\",\\\"SecurityIncident, SecurityRecommendation, SecurityAlert, DeviceEvents, DeviceNetworkEvents, DeviceLogonEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceProcessEvents\\\",\\\"Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft Defender for Endpoint, Microsoft 365 Defender\\\",\\r\\n\\\"Operate, Monitor, & Improve (OMI)\\\",\\\"Network Security Management\\\",\\\"SecurityIncident, SecurityRegulatoryCompliance\\\",\\\"Microsoft Sentinel, Microsoft Defender for Cloud\\\",\\r\\n\\\"Design & Build in Security (DBS)\\\",\\\"Network Security Management\\\",\\\"SecurityRecommendation, SecurityNestedRecommendation, GitHubAuditLogPolling_CL, AzureDevOpsAuditing\\\",\\\"Microsoft Sentinel, Microsoft Defender for Cloud, GitHub, Azure DevOps\\\",\\r\\n\\\"Data Protection Management\\\",\\\"Data Protection Management\\\",\\\"SecurityIncident, SecurityRecommendation, InformationProtectionLogs_CL, Resources\\\",\\\"Microsoft Sentinel, InformationProtectionLogs_CL, SecurityRecommendation, Resources\\\"\\r\\n];\\r\\nCrosswalk\\r\\n| project [\\\"Capability\\\"],[\\\"Capability Area\\\"],[\\\"Recommended Logs\\\"],[\\\"Recommended Products\\\"]\",\"size\":0,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Capability\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Recommended Logs\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Recommended 
Products\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCrosswalkVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Controls Mapping\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Asset Management](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\\r\\n---\\r\\nAsset Management Capability Area addresses “What is on the Network?’ and focuses on identifying and \\r\\nmonitoring Agency devices, ensuring that they are properly configured, and vulnerabilities have been identified and remediated. The Asset Management Capability Area consists of the HWAM, SWAM, CSM, VUL, and EMM capabilities.These functions are briefly summarized below, and the requirements are separately specified later in the HWAM, SWAM, CSM, VUL, and EMM sections.\\r\\n\"},\"customWidth\":\"40\",\"name\":\"Common Requirements Overview\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"name\":\"text - 106\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Hardware Asset Management (HWAM)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"HWAM\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Software Asset Management (SWAM)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SWAM\\\\\\\" 
}\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Control\",\"formatter\":1},{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isHWAMVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"HWAM\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSWAMVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SWAM\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"3981964c-5100-4acc-a9a2-336237a414a5\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Hardware Asset Management 
(HWAM)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\\r\\nThe HWAM capability discovers IP-addressable hardware on a network.\\r\\nHWAM establishes and maintains an authorized hardware inventory baseline, unique identifiers (UIDs) for hardware, and other properties, such as the manager of the hardware.\\r\\nHWAM also establishes and maintains the actual inventory of hardware in accordance with data currency requirements, along with information needed to assess the risk to and locate the hardware.\\r\\nThe capability to maintain and update the inventory needs to allow for decentralized administration and only for assets for which they are accountable. Data in the authorized hardware inventory baseline must be validated continuously through automated hardware discovery. Manual processes, such as assigning hardware to the baseline, are expected to integrate with and be supported by automated processes.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://docs.microsoft.com/azure/governance/resource-graph/overview)
\\r\\n🔷 [ConfigurationData](https://docs.microsoft.com/azure/azure-monitor/reference/tables/configurationdata) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Introduction to Hardware Inventory](https://docs.microsoft.com/mem/configmgr/core/clients/manage/inventory/introduction-to-hardware-inventory)
\\r\\n💡 [Explore and Manage Your Resources With Asset Inventory](https://docs.microsoft.com/azure/security-center/asset-inventory)
\\r\\n💡 [Device Management Overview](https://docs.microsoft.com/mem/intune/fundamentals/what-is-device-management)
\\r\\n💡 [What is Azure Resource Graph?](https://docs.microsoft.com/azure/governance/resource-graph/overview)
\\r\\n💡 [Configure data collection for the Azure Monitor agent](https://docs.microsoft.com/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent)
\\r\\n\\t\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products\"},\"name\":\"text - 2\"}]},\"name\":\"group - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"94af2358-8b87-44b2-ad87-c84568ab2efd\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Cloud\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}},{\"id\":\"19aa07ff-e996-47a7-99f1-b4a6e6ebe5ee\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft 365 Defender\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftThreatProtection\"}]}},{\"id\":\"974e5615-0367-4fca-bdb8-dc2b1b3d38c8\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Resource Graph\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ArgQueryBlade\",\"extensionName\":\"HubsExtension\"}}]},\"name\":\"links - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"Azure Security Benchmark\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', 
tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"Azure Security Benchmark\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | summarize 
Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), NotApplicable = countif(state == \\\"NotApplicable\\\"), Applicable = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"),Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\" or state == \\\"NotApplicable\\\") by RecommendationName, ControlID = controlId\\r\\n | extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"Azure Security Benchmark\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink, name) on RecommendationName \\r\\n| extend Remediate=RecommendationLink\\r\\n| where RecommendationName contains \\\"log \\\" or RecommendationName contains \\\"endpoint\\\" or RecommendationName contains \\\"defender\\\" or RecommendationName contains \\\"asset\\\" or RecommendationName contains \\\"arc\\\"\\r\\n| parse Remediate with * '#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *\\r\\n| distinct RecommendationName, Total, Remediate, PassedControls, Passed, Failed, NotApplicable, Applicable, assessmentKey\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations (HWAM-1) \",\"noDataMessage\":\"No Recommendations Observed Within These Thresholds. 
Confirm the Microsoft Defender for Cloud: Regulatory Compliance Initiative for Azure Security Benchmark is Enabled\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"Remediate\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"filter\":true},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Failed\",\"color\":\"redBright\"},{\"seriesName\":\"Passed\",\"color\":\"green\"}]}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| extend Azure_Inventory=location\\r\\n| extend M365_Inventory=strcat(\\\"https://security.microsoft.com/machines\\\")\\r\\n| sort by 
id desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Asset Inventory (HWAM-2 / HWAM-7) \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on 
Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines (HWAM-3 / HWAM-4)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Total\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":2500,\"filter\":true}},\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| summarize count() by type\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Device Count by Type (HWAM-5) \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| summarize count() by location\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Device Count by Location (HWAM-6-1) \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true},\"mapSettings\":{\"locInfo\":\"AzureLoc\",\"locInfoColumn\":\"location\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"labelSettings\":\"location\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ConfigurationData\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configuration Data (HWAM-6-2)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Computer\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":2500,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Computer\"],\"expandTopLevel\":true,\"finalBy\":\"ConfigDataType\"}}},\"name\":\"query 
- 3 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isHWAMVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Hardware Asset Management (HWAM) Capability\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Software Asset Management (SWAM)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\\r\\nThe SWAM capability discovers software installed on devices operating on an Agency’s network that are categorized as endpoints.6 A complete, accurate, and timely software inventory is essential to support awareness and effective control of software vulnerabilities and security configuration settings.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityEvent](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/security/business/threat-protection/endpoint-defender)
\\r\\n🔷 [ConfigurationData](https://docs.microsoft.com/azure/azure-monitor/reference/tables/configurationdata) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [View Installed Software](https://docs.microsoft.com/azure/automation/automation-tutorial-installed-software#view-installed-software)\\r\\n💡 [Device Management Overview](https://docs.microsoft.com/mem/intune/fundamentals/what-is-device-management)
\\r\\n💡 [Microsoft 365 Defender integration with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration)
\\r\\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\\r\\n\\t\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products\"},\"name\":\"text - 2\"}]},\"name\":\"group - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"94af2358-8b87-44b2-ad87-c84568ab2efd\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Cloud\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}},{\"id\":\"19aa07ff-e996-47a7-99f1-b4a6e6ebe5ee\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ActiveDirectoryMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}},{\"id\":\"974e5615-0367-4fca-bdb8-dc2b1b3d38c8\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Monitor\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"AzureMonitoringBrowseBlade\",\"extensionName\":\"Microsoft_Azure_Monitoring\"}}]},\"name\":\"links - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"Azure Security Benchmark\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', 
properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"Azure Security Benchmark\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == 
\\\"Passed\\\"), NotApplicable = countif(state == \\\"NotApplicable\\\"), Applicable = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"),Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\" or state == \\\"NotApplicable\\\") by RecommendationName, ControlID = controlId\\r\\n | extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"Azure Security Benchmark\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink, name) on RecommendationName \\r\\n| extend Remediate=RecommendationLink\\r\\n| where RecommendationName contains \\\"allowlist\\\" or RecommendationName contains \\\"application control\\\" or RecommendationName contains \\\"software\\\"\\r\\n| parse Remediate with * '#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *\\r\\n| distinct RecommendationName, Total, Remediate, PassedControls, Passed, Failed, NotApplicable, Applicable, assessmentKey\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations (SWAM-1) \",\"noDataMessage\":\"No Recommendations Observed Within These Thresholds. 
Confirm the Microsoft Defender for Cloud: Regulatory Compliance Initiative for Azure Security Benchmark is Enabled\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"Remediate\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"filter\":true},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Failed\",\"color\":\"redBright\"},{\"seriesName\":\"Passed\",\"color\":\"green\"}]}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Trend = SigninLogs\\r\\n| make-series Trend = dcount(UserPrincipalName) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, 
{TimeRange:grain}) by ResourceDisplayName;\\r\\nSigninLogs\\r\\n| summarize arg_max(TimeGenerated, *) by ResourceDisplayName, UserPrincipalName\\r\\n| summarize count() by ResourceDisplayName\\r\\n| where ResourceDisplayName <> \\\"\\\"\\r\\n| join (Trend) on ResourceDisplayName\\r\\n| project Application=ResourceDisplayName, UsersAccessing=count_, AccessTrending=Trend\\r\\n| sort by UsersAccessing desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Application Inventory (SWAM-1)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Application\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Capture\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UsersAccessing\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"AccessTrending\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Trend = SecurityEvent\\r\\n| make-series Trend = dcount(Computer) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Process;\\r\\nSecurityEvent\\r\\n| where Process <> \\\"\\\"\\r\\n| where Process <> \\\"-\\\"\\r\\n| summarize arg_max(TimeGenerated, EventID) by Process, Computer\\r\\n| summarize count() by Process\\r\\n| join (Trend) on Process\\r\\n| sort by 
count_ desc\\r\\n| project Process, SoftwareInstances=count_, ObservedTrending=Trend\\r\\n| limit 2500\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Software Inventory (SWAM-1)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Process\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"CloudUpload\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SoftwareInstances\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"ObservedTrending\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AccessCount = SigninLogs\\r\\n| summarize count() by UserPrincipalName\\r\\n| project AccessCount=count_, UserPrincipalName;\\r\\nlet Profile = SigninLogs\\r\\n| project AADProfile=UserId, UserPrincipalName;\\r\\nIdentityInfo\\r\\n| summarize arg_max(TimeGenerated, GroupMembership, AssignedRoles) by AccountUPN\\r\\n| extend GroupMemberships = strcat(GroupMembership)\\r\\n| extend AssignedRoles = strcat(AssignedRoles)\\r\\n| extend UserPrincipalName = AccountUPN\\r\\n| where AccountUPN <> \\\"\\\"\\r\\n| where GroupMemberships contains \\\"admin\\\" or GroupMemberships contains \\\"security\\\" or GroupMemberships contains \\\"contrib\\\" or AssignedRoles contains \\\"admin\\\" or AssignedRoles 
contains \\\"security\\\" or AssignedRoles contains \\\"contrib\\\"\\r\\n| join (Profile) on UserPrincipalName\\r\\n| join (AccessCount) on UserPrincipalName\\r\\n| project UserPrincipalName, AccessCount, AADProfile, GroupMemberships, AssignedRoles\\r\\n| sort by AccessCount desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Assigned Roles & Group Memberships (SWAM-3)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AccessCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"AADProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"AADProfile\"}]}}}],\"rowLimit\":2500,\"filter\":true}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityNestedRecommendation\\r\\n| extend SoftwareName = tostring(AdditionalData.SoftwareName)\\r\\n| extend SoftwareVendor = tostring(AdditionalData.SoftwareVendor)\\r\\n| extend SoftwareVersion = tostring(AdditionalData.SoftwareVersion)\\r\\n| where SoftwareName <> \\\"\\\"\\r\\n| 
summarize arg_max(TimeGenerated, *) by AssessedResourceId, SoftwareName, SoftwareVendor, SoftwareVersion\\r\\n| limit 2500\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Software Components (SWAM-5)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Process\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"CloudUpload\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SoftwareInstances\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"ObservedTrending\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":2500,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"AssessedResourceId\"]}}},\"customWidth\":\"50\",\"name\":\"query - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSWAMVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Software Asset Management (SWAM) Capability\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isAssetVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Asset Management Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Identity & Access Management](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\\r\\n---\\r\\nCapability Area that 
addresses “Who is on the network” and consists of related capabilities that support the IdAM security discipline (i.e., TRUST, BEHAVE, CRED, PRIV). IdAM provides identity proofing and authentication aspects under identity management. It also supports the use, maintenance, and protection of sensitive resources (e.g., data, systems).\"},\"customWidth\":\"40\",\"name\":\"Common Requirements Overview\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"name\":\"text - 106\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"User Trust (TRUST)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Trust\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Credentials & Authenticators (CRED)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Cred\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Privileges (PRIV)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Priv\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isTrustVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Trust\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"b17f2902-5d29-45b2-8712-bff5b7dd1487\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCredVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Cred\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"793ffbca-13bc-4fac-9535-048cbd9efc54\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPrivVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Priv\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [User Trust (TRUST)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\\r\\nThe CDM TRUST capability reduces the probability of loss in \\r\\navailability, integrity, and confidentiality of data by ensuring that only properly vetted \\r\\nusers are given access to credentials and systems commensurate with their role. This \\r\\nincludes elevated privileges and special security roles. The vetted trust level is \\r\\nproperly monitored and renewed, per agency policies and applicable statutes.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\\r\\n💡 [Continuously export Microsoft Defender for Cloud data](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n💡 [Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/investigate-cases)
\\r\\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\\r\\n💡 [What are custom security attributes in Microsoft Entra ID?](https://docs.microsoft.com/azure/active-directory/fundamentals/custom-security-attributes-overview)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"3c316419-bc18-41ba-a503-8e45e8f6b8f7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Sentinel\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"microsoft.securityinsightsarg/sentinel\"}]}},{\"id\":\"eab3f582-841d-45fb-9c29-b0cfaef3aae6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Cloud\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}},{\"id\":\"2be002d0-10f1-4369-8dcc-386c6431e721\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ActiveDirectoryMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == 
\\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where RecommendationDisplayName contains \\\"account\\\" or RecommendationDisplayName contains \\\"user\\\" or RecommendationDisplayName contains \\\"identity\\\" or RecommendationDisplayName contains \\\"trust\\\"\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Recommendations (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 2 & 5\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description contains \\\"account\\\" or 
Description contains \\\"user\\\" or Description contains \\\"identity\\\" or Description contains \\\"trust\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines (Microsoft Defender for Cloud)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"
}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"account\\\" or Description contains \\\"user\\\" or Description contains \\\"identity\\\" or Description contains \\\"trust\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, Severity, IncidentUrl, IncidentNumber, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents (Microsoft Sentinel)\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds. Review MITRE ATT&CK Blade for Coverage Assessment\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"
query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserType, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| join (IdentityInfo | extend UserPrincipalName = MailAddress| summarize arg_max(TimeGenerated, *) by UserPrincipalName) on UserPrincipalName\\r\\n| extend GroupMemberships = strcat(GroupMembership)\\r\\n| extend AssignedRoles = strcat(AssignedRoles)\\r\\n| project UserPrincipalName, UserType, SignInCount=count_, UserProfile, GivenName, Surname, Department, EmployeeId, JobTitle, Manager, StreetAddress, City, Country, State, Phone, Tags, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Attributes (Microsoft Entra ID)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isTrustVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Trust\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Credentials & Authenticators 
(CRED)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\\r\\nThe CDM CRED (credentials and authenticators) capability ensures that account credentials are assigned to, and are used only by, authorized users or services to access agency systems, services, and facilities. CRED binds a type of credential or authenticator to an identity established in TRUST with a level of assurance and is used to grant logical access. The CRED capability will apply only to in-scope users (employees and contractors, who will each have a PIV card). In-scope users have network accounts, where the primary control mechanism for network authentication is the Agency’s Microsoft Active Directory Implementation.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure Key Vault basic concepts](https://docs.microsoft.com/azure/key-vault/general/basic-concepts)
\\r\\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\\r\\n💡 [Continuously export Microsoft Defender for Cloud data](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n💡 [Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/investigate-cases)
\\r\\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\\r\\n💡 [What are custom security attributes in Microsoft Entra ID?](https://docs.microsoft.com/azure/active-directory/fundamentals/custom-security-attributes-overview)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"3c316419-bc18-41ba-a503-8e45e8f6b8f7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Key Vaults\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.KeyVault/vaults\"}]}},{\"id\":\"eab3f582-841d-45fb-9c29-b0cfaef3aae6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Cloud\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}},{\"id\":\"2be002d0-10f1-4369-8dcc-386c6431e721\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ActiveDirectoryMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or 
RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where RecommendationDisplayName contains \\\"access\\\" or RecommendationDisplayName contains \\\"auth\\\" or RecommendationDisplayName contains \\\"key\\\" or RecommendationDisplayName contains \\\"cert\\\" or RecommendationDisplayName contains \\\"token\\\"\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Recommendations (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 2 & 5\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description contains \\\"access\\\" or 
Description contains \\\"auth\\\" or Description contains \\\"key\\\" or Description contains \\\"cert\\\" or Description contains \\\"token\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines (Microsoft Defender for Cloud)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"forma
tOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"access\\\" or Description contains \\\"auth\\\" or Description contains \\\"key\\\" or Description contains \\\"cert\\\" or Description contains \\\"token\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, Severity, IncidentUrl, IncidentNumber, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents (Microsoft Sentinel)\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds. 
Review MITRE ATT&CK Blade for Coverage Assessment\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserType, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| join (IdentityInfo | extend UserPrincipalName = MailAddress| summarize arg_max(TimeGenerated, *) by UserPrincipalName) on UserPrincipalName\\r\\n| extend GroupMemberships = strcat(GroupMembership)\\r\\n| 
extend AssignedRoles = strcat(AssignedRoles)\\r\\n| project UserPrincipalName, UserType, SignInCount=count_, UserProfile, Tags, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Credentials (Microsoft Entra ID)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile 
>>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"key\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Secrets Management (Key Vault)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Authenticator Management -- Leverage Authenticator Tooling\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"a32b5156-4cec-481d-83b3-165ca9208301\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID: Password Protection (Banned Passwords)\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"PasswordProtectionBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}},{\"id\":\"27d9b4d1-fc6b-4813-b851-f8bd130d0be5\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID: Authenticator Management\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"AuthenticationMethodsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}},{\"id\":\"d1f6bb1b-7fa4-49cf-91cd-2f67465563aa\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID: Conditional Access\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ConditionalAccessBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}}]},\"name\":\"links - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCredVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Cred\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Privileges (PRIV)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\\r\\nThe CDM PRIV capability provides the agency with insight into 
risks associated with authorized users being granted excessive privileges to systems and information at any level of sensitivity. The purpose of the capability is to ensure that privileges for logical access are assigned to authorized people or accounts that require authorized access for job functions. This capability is dependent on the existence of a set of attributes that denote roles or characteristics that require or restrict specific privileges per policy. Non-person entities are not covered by PRIV. The PRIV capability will apply only to in-scope users (employees and contractors, who will each have a PIV card) and associated accounts.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Microsoft Entra ID Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\\r\\n💡 [Continuously export Microsoft Defender for Cloud data](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n💡 [Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/investigate-cases)
\\r\\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\\r\\n💡 [What are custom security attributes in Microsoft Entra ID?](https://docs.microsoft.com/azure/active-directory/fundamentals/custom-security-attributes-overview)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"3c316419-bc18-41ba-a503-8e45e8f6b8f7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Privileged Identity Management\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"CommonMenuBlade\",\"extensionName\":\"Microsoft_Azure_PIMCommon\"}},{\"id\":\"eab3f582-841d-45fb-9c29-b0cfaef3aae6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Cloud\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}},{\"id\":\"2be002d0-10f1-4369-8dcc-386c6431e721\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ActiveDirectoryMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == 
\\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where RecommendationDisplayName contains \\\"priv\\\" or RecommendationDisplayName contains \\\"admin\\\" or RecommendationDisplayName contains \\\"root\\\"\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Recommendations (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 2 & 5\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description contains \\\"priv\\\" or 
Description contains \\\"admin\\\" or Description contains \\\"root\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines (Microsoft Defender for Cloud)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"priv\\\" or Description contains \\\"admin\\\" or Description contains \\\"root\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, Severity, IncidentUrl, IncidentNumber, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents (Microsoft Sentinel)\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds. Review MITRE ATT&CK Blade for Coverage Assessment\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserType, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| join (IdentityInfo | extend UserPrincipalName = MailAddress| summarize arg_max(TimeGenerated, *) by UserPrincipalName) on UserPrincipalName\\r\\n| extend GroupMemberships = strcat(GroupMembership)\\r\\n| 
extend AssignedRoles = strcat(AssignedRoles)\\r\\n| project UserPrincipalName, UserType, SignInCount=count_, UserProfile, AssignedRoles, GroupMemberships, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Privileges (Microsoft Entra ID)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile 
>>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where OperationName contains \\\"PIM\\\"\\r\\n| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\r\\n| distinct OperationName, Identity, AADOperationType, InitiatedBy, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Privileged Identity Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Identity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InitiatedBy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"PersonWithFriend\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_InitiatedBy_3\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Initia
tedBy_3\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPrivVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Priv\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isIdentityVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Identity & Access Management\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Network Security Management](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\\r\\n---\\r\\nThe Network Security Management (NSM) Capability Area builds on the CDM capabilities provided by Asset Management and Identity and Access Management. The NSM capabilities include network and perimeter components, host and device components, data at rest and in transit, and user behavior and activities. NSM capabilities move beyond asset management to a more extensive and dynamic monitoring of security controls. 
This includes preparing for and responding to behavior incidents, ensuring that software/system quality is integrated into the network/infrastructure, detecting internal actions and behaviors to determine who is doing what, and finally, mitigating security incidents to prevent propagation throughout the network/infrastructure.\\r\\n\"},\"customWidth\":\"40\",\"name\":\"Common Requirements Overview\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"name\":\"text - 106\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Boundary Protection (BOUND)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Bound\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Manage Events (MNGEVT)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Mngevt\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Endpoint Detection & Response (EDR)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Edr\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Operate, Monitor, & Improve (OMI)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Omi\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Design & Build in Security (DBS)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Dbs\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isBoundVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Bound\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"1f176b0f-1f2f-4e12-afb0-3f10c834ef24\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMngevtVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Mngevt\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"1f176b0f-1f2f-4e12-afb0-3f10c834ef24\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEdrVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Edr\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"b17f2902-5d29-45b2-8712-bff5b7dd1487\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isOmiVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Omi\",\"resultValType\":\"static
\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"793ffbca-13bc-4fac-9535-048cbd9efc54\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDbsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Dbs\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Boundary Protection (BOUND)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\\r\\nDescribes how the network is protected through filtering, \\r\\nnetwork access control, and encryption.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure Security Benchmark: Network Security](https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries)
\\r\\n💡 [Deploy and configure Azure Firewall Premium](https://docs.microsoft.com/azure/firewall/premium-deploy)
\\r\\n💡 [Tutorial: Filter network traffic with a network security group using the Azure portal](https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic)
\\r\\n💡 [Tutorial: Create a Web Application Firewall policy on Azure Front Door using the Azure portal](https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-create-portal)
\\r\\n💡 [What is Azure Network Watcher?](https://docs.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview)
\\r\\n💡 [Quickstart: Create a virtual network using the Azure portal](https://docs.microsoft.com/azure/virtual-network/quick-create-portal)
\\r\\n💡 [Quickstart: Deploy Azure Bastion with default settings](https://docs.microsoft.com/azure/bastion/quickstart-host-portal)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"3c316419-bc18-41ba-a503-8e45e8f6b8f7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Firewall\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.Network/azureFirewalls\"}]}},{\"id\":\"eab3f582-841d-45fb-9c29-b0cfaef3aae6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Network Security Groups\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.Network/NetworkSecurityGroups\"}]}},{\"id\":\"3d5452e8-f52e-45d1-a761-bb6ad06b0a1b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Web Application Firewalls\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\"}]}},{\"id\":\"bea0a8ab-83d1-4cd9-9414-addd92325ce6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Network Watcher\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"NetworkWatcherMenuBlade\",\"extensionName\":\"Microsoft_Azure_Network\"}},{\"id\":\"0e8cbff6-d8ed-4374-a64b-b619d9757d88\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Virtual Network 
Gateways\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.Network/virtualNetworkGateways\"}]}},{\"id\":\"0335ed7a-7ccf-4400-a87d-bc91456e7fd9\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Bastions\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.Network/bastionHosts\"}]}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, 
Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where RecommendationDisplayName contains \\\"network\\\" or RecommendationDisplayName contains \\\"internet\\\" or RecommendationDisplayName contains \\\"traffic\\\" or RecommendationDisplayName contains \\\"firewall\\\" or RecommendationDisplayName contains \\\"intrusion\\\" or RecommendationDisplayName contains \\\"bound\\\" or RecommendationDisplayName contains \\\"tls\\\" or RecommendationDisplayName contains \\\"gateway\\\" or RecommendationDisplayName contains \\\"subnet\\\" or RecommendationDisplayName contains \\\"web\\\" or RecommendationDisplayName contains \\\"url\\\" or RecommendationDisplayName contains \\\"proxy\\\" or RecommendationDisplayName contains \\\"just\\\" or RecommendationDisplayName contains \\\"port\\\" or RecommendationDisplayName contains \\\"http\\\"\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Recommendations (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 2 & 5\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize 
FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description contains \\\"network\\\" or Description contains \\\"internet\\\" or Description contains \\\"traffic\\\" or Description contains \\\"firewall\\\" or Description contains \\\"intrusion\\\" or Description contains \\\"bound\\\" or Description contains \\\"tls\\\" or Description contains \\\"gateway\\\" or Description contains \\\"subnet\\\" or Description contains \\\"web\\\" or Description contains \\\"url\\\" or Description contains \\\"proxy\\\" or Description contains \\\"just\\\" or Description contains \\\"port\\\" or Description contains \\\"http\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines (Microsoft Defender for Cloud)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"network\\\" or Description contains \\\"internet\\\" or Description contains \\\"traffic\\\" or Description contains \\\"firewall\\\" or Description contains \\\"intrusion\\\" or Description contains \\\"bound\\\" or Description contains \\\"tls\\\" or Description contains \\\"gateway\\\" or Description contains \\\"subnet\\\" or Description contains \\\"web\\\" or Description contains 
\\\"url\\\" or Description contains \\\"proxy\\\" or Description contains \\\"just\\\" or Description contains \\\"port\\\" or Description contains \\\"http\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, Severity, IncidentUrl, IncidentNumber, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents (Microsoft Sentinel)\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds. Review MITRE ATT&CK Blade for Coverage Assessment\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isBoundVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Bound\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Manage Events (MNGEVT)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\\r\\nDescribes ongoing assessment, preparing for events/incidents, audit data collection from appropriate sources, and identifying incidents through the analysis of data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 
[SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Tutorial: Collect and analyze resource logs from an Azure resource](https://docs.microsoft.com/azure/azure-monitor/essentials/tutorial-resource-logs)
\\r\\n💡 [Plan your Microsoft Defender for Endpoint deployment](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/deployment-strategy)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"bea0a8ab-83d1-4cd9-9414-addd92325ce6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Monitor\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"AzureMonitoringBrowseBlade\",\"extensionName\":\"Microsoft_Azure_Monitoring\"}},{\"id\":\"0e8cbff6-d8ed-4374-a64b-b619d9757d88\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Endpoint\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftThreatProtection\"}]}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = 
(Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where RecommendationDisplayName contains \\\"event\\\" or RecommendationDisplayName contains \\\"endpoint\\\" or RecommendationDisplayName contains \\\"protection\\\" or RecommendationDisplayName contains \\\"agent\\\" or RecommendationDisplayName contains \\\"incident\\\" or RecommendationDisplayName contains \\\"back\\\" or RecommendationDisplayName contains \\\"privacy\\\" or RecommendationDisplayName contains \\\"audit\\\" or RecommendationDisplayName contains \\\"collect\\\"\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Recommendations (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 2 & 5\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description contains \\\"event\\\" or 
Description contains \\\"endpoint\\\" or Description contains \\\"protection\\\" or Description contains \\\"agent\\\" or Description contains \\\"incident\\\" or Description contains \\\"back\\\" or Description contains \\\"privacy\\\" or Description contains \\\"audit\\\" or Description contains \\\"collect\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines (Microsoft Defender for Cloud)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"repres
entation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"event\\\" or Description contains \\\"endpoint\\\" or Description contains \\\"protection\\\" or Description contains \\\"agent\\\" or Description contains \\\"incident\\\" or Description contains \\\"back\\\" or Description contains \\\"privacy\\\" or Description contains \\\"audit\\\" or Description contains \\\"collect\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, Severity, IncidentUrl, IncidentNumber, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents (Microsoft Sentinel)\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds. 
Review MITRE ATT&CK Blade for Coverage Assessment\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMngevtVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MNGEVT\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Endpoint Detection & Response (EDR)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\\r\\nThe EDR capability provides cybersecurity monitoring and control of endpoint devices.29 EDR spans the full cybersecurity lifecycle, from the detection of events (observable occurrences in a network or 
system) and incidents (events that have been determined to have an impact on the organization, prompting the need for response and recovery) on endpoint devices (i.e., workstations, servers, laptops, thin clients, and virtual desktops) and users, to attack responses and incident follow-up and analysis.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) 🔷 [DeviceEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceevents) 🔷 [DeviceNetworkEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicenetworkevents) 🔷 [DeviceLogonEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicelogonevents) 🔷 [DeviceFileEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicefileevents)🔷 [DeviceRegistryEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceregistryevents) 🔷 [DeviceProcessEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceprocessevents) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft 365 Defender integration with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration)
\\r\\n💡 [Connect data from Microsoft 365 Defender to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"0e8cbff6-d8ed-4374-a64b-b619d9757d88\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Endpoint\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftThreatProtection\"}]}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where 
RecommendationDisplayName contains \\\"edr\\\" or RecommendationDisplayName contains \\\"malware\\\" or RecommendationDisplayName contains \\\"endpoint protection\\\" or RecommendationDisplayName contains \\\"detect\\\"\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Recommendations (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 2 & 5\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend SystemAlertId = tostring(AlertIds[0])\\r\\n| join kind=fullouter (SecurityAlert) on SystemAlertId\\r\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, Severity, IncidentUrl, IncidentNumber, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents (Microsoft Sentinel + Microsoft Defender for Endpoint)\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds. 
Review MITRE ATT&CK Blade for Coverage Assessment\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\r\\n| project DeviceName, ActionType, InitiatingProcessFileName, InitiatingProcessAccountName, AdditionalFields, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Device Events (Microsoft Defender for Endpoint)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Fired\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceFileEvents\\r\\n| project DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName, InitiatingProcessParentFileName, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Device File Events (Microsoft Defender for Endpoint)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Fired\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceLogonEvents\\r\\n| project AccountName, AccountDomain, ActionType, DeviceName, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Device Logon Events (Microsoft Defender for Endpoint)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Fired\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEdrVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"EDR\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Operate, Monitor, & Improve (OMI)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\\r\\nDescribes ongoing authorization, audit data \\r\\naggregation/correlation and analysis, incident prioritization and response, and post-incident activities (e.g., information sharing).\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/SecurityRegulatoryCompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Tutorial: Improve your regulatory compliance](https://docs.microsoft.com/azure/defender-for-cloud/regulatory-compliance-dashboard)
\\r\\n💡 [Details of the NIST SP 800-53 Regulatory Compliance built-in initiative](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"3c316419-bc18-41ba-a503-8e45e8f6b8f7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Sentinel\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"microsoft.securityinsightsarg/sentinel\"}]}},{\"id\":\"eab3f582-841d-45fb-9c29-b0cfaef3aae6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Cloud\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = 
extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), NotApplicable = countif(state == \\\"NotApplicable\\\"), Applicable = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"),Total = countif(state == \\\"Unhealthy\\\" or state == 
\\\"Healthy\\\" or complianceState == \\\"Passed\\\" or state == \\\"NotApplicable\\\") by RecommendationName, ControlID = controlId\\r\\n | extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink, name) on RecommendationName\\r\\n | where ControlID contains \\\"SI.\\\"\\r\\n | distinct RecommendationName, ControlID, Total, RecommendationLink, PassedControls, Passed, Failed, NotApplicable, Applicable, name\\r\\n | sort by Total, Passed desc\\r\\n | limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"NIST SP 800-53: System & Information Integrity (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 3-5\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"name\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"name\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 
R4\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", 
extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), NotApplicable = countif(state == \\\"NotApplicable\\\"), Applicable = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"),Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\" or state == \\\"NotApplicable\\\") by RecommendationName, ControlID = controlId\\r\\n | extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink, name) on RecommendationName\\r\\n | where ControlID contains \\\"RA.\\\"\\r\\n | distinct RecommendationName, ControlID, Total, RecommendationLink, PassedControls, Passed, Failed, NotApplicable, Applicable, name\\r\\n | sort by Total, Passed desc\\r\\n | limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"NIST SP 800-53: Risk Assessment (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 3-5\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"name\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"name\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 
R4\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", 
extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), NotApplicable = countif(state == \\\"NotApplicable\\\"), Applicable = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"),Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\" or state == \\\"NotApplicable\\\") by RecommendationName, ControlID = controlId\\r\\n | extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink, name) on RecommendationName\\r\\n | where ControlID contains \\\"CA.\\\"\\r\\n | distinct RecommendationName, ControlID, Total, RecommendationLink, PassedControls, Passed, Failed, NotApplicable, Applicable, name\\r\\n | sort by Total, Passed desc\\r\\n | limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"NIST SP 800-53: Security & Assessment (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 3-5\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"name\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"name\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isOmiVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"OMI\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# 
[Design & Build in Security (DBS)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\\r\\nDescribes preventing exploitable vulnerabilities from being \\r\\neffective in the software/system while the software/system is in development or \\r\\ndeployment.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityNestedRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [GitHubAuditLogPolling_CL](https://portal.azure.com/#create/microsoftcorporation1622712991604.sentinel4githubsentinel4github) 🔷 [AzureDevOpsAuditing](https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure DevOps - audit streaming](https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming?view=azure-devops&preserve-view=true)
\\r\\n💡 [GitHub logging](https://docs.github.com/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization)
\\r\\n💡 [Protecting your GitHub assets with Microsoft Sentinel](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/protecting-your-github-assets-with-azure-sentinel/ba-p/1457721)
\\r\\n💡 [Deploy Microsoft Sentinel: Continuous Threat Monitoring for GitHub Solution](https://portal.azure.com/#create/microsoftcorporation1622712991604.sentinel4githubsentinel4github)
\\r\\n💡 [DAST tools in Azure DevOps marketplace](https://marketplace.visualstudio.com/search?term=DAST&target=AzureDevOps&category=All%20categories)
\\r\\n💡 [How to Implement Microsoft Defender for Cloud Vulnerability Assessment Recommendations](https://docs.microsoft.com/azure/security-center/deploy-vulnerability-assessment-vm)
\\r\\n💡 [Integrated Vulnerability Scanner for Virtual Machines](https://docs.microsoft.com/azure/security-center/deploy-vulnerability-assessment-vm)
\\r\\n💡 [SQL Vulnerability Assessment](https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment)
\\r\\n💡 [Exporting Microsoft Defender for Cloud Vulnerability Scan Results](https://docs.microsoft.com/azure/security-center/continuous-export)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"3c316419-bc18-41ba-a503-8e45e8f6b8f7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Sentinel\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"microsoft.securityinsightsarg/sentinel\"}]}},{\"id\":\"eab3f582-841d-45fb-9c29-b0cfaef3aae6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Cloud\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = 
(Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where RecommendationDisplayName contains \\\"aks\\\" or RecommendationDisplayName contains \\\"contain\\\" or RecommendationDisplayName contains \\\"kube\\\" or RecommendationDisplayName contains \\\"supply\\\"\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Recommendations (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 2 & 5\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Tactics <> \\\"[]\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Tactics\\r\\n| render timechart \\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Modeling: MITRE ATT&CK® Tactics Observed (Microsoft Sentinel)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"GitHubAuditLogPolling_CL \\r\\n| project actor_s, org_s, repo_s, action_s, name_s, _document_id_s, visibility_s, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs (GitHub)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"actor_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"action_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"q
uery - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDevOpsAuditing\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs (Azure DevOps)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityNestedRecommendation\\r\\n| extend CVE = tostring(parse_json(tostring(AdditionalData.Cve))[0].Title)\\r\\n| where Description <> \\\"\\\"\\r\\n| where Description <> \\\"N/A\\\"\\r\\n| summarize count() by Description, CVE\\r\\n| sort by count_ desc\\r\\n| project Description, CVE, count_\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\" System/Application Vulnerabilities (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Confirm ASC SecurityNestedRecommendation logging is enabled and/or extend time thresholds for a larger data-set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
6\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDbsVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DBS\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Network Security Management\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Protection Management](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\\r\\n---\\r\\nData Protection Management (DPM) Capability Area focuses on “How is data protected?” and builds on the CDM capabilities provided by Asset Management, Identity and Access Management, and Network Security Management.\\r\\n\"},\"customWidth\":\"40\",\"name\":\"Common Requirements Overview\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"name\":\"text - 106\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Protection Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"All\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAllVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"All\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Protection Management](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\\r\\nData Protection Management (DPM) Capability Area focuses on “How is data protected?” and builds on the CDM capabilities provided by Asset Management, Identity and Access Management, and Network Security Management.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Data classification overview](https://docs.microsoft.com/azure/cloud-adoption-framework/govern/policy-compliance/data-classification)
\\r\\n💡 [Label your sensitive data using Azure Purview](https://docs.microsoft.com/azure/purview/create-sensitivity-label)
\\r\\n💡 [Tag Sensitive Information Using Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection)
\\r\\n💡 [How to implement Azure SQL Data Discovery](https://docs.microsoft.com/azure/azure-sql/database/data-discovery-and-classification-overview)
\\r\\n💡 [Azure Purview data sources](https://docs.microsoft.com/azure/purview/purview-connector-overview#purview-data-sources)
\\r\\n💡 [Azure Key Vault overview](https://docs.microsoft.com/azure/key-vault/general/overview)
\\r\\n💡 [BYOK (Bring Your Own Key) specification](https://docs.microsoft.com/azure/key-vault/keys/byok-specification)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"3c316419-bc18-41ba-a503-8e45e8f6b8f7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Sentinel\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"microsoft.securityinsightsarg/sentinel\"}]}},{\"id\":\"eab3f582-841d-45fb-9c29-b0cfaef3aae6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Information Protection\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataClassGroupEditBlade\",\"extensionName\":\"Microsoft_Azure_InformationProtection\"}},{\"id\":\"e4385e0c-e410-4d0e-8fc6-d5c6fe97c0ec\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Key Vault\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.KeyVault/vaults\"}]}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = 
countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where RecommendationDisplayName contains \\\"data\\\" or RecommendationDisplayName contains \\\"storage\\\" or RecommendationDisplayName contains \\\"sql\\\" or RecommendationDisplayName contains \\\"cmk\\\" or RecommendationDisplayName contains \\\"key\\\"\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Recommendations (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 2 & 5\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"data\\\" or Description contains \\\"storage\\\" or Description contains \\\"sql\\\" or Description contains 
\\\"cmk\\\" or Description contains \\\"key\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, Severity, IncidentUrl, IncidentNumber, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents (Microsoft Sentinel)\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds. Review MITRE ATT&CK Blade for Coverage Assessment\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| extend AIP = strcat(\\\"https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/ActivityLogsBlade\\\")\\r\\n| summarize count() by LabelName_s, AIP\\r\\n| sort by count_ desc\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Data Discovery/Classification (Azure Information Protection)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LabelName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AIP\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Information Protection >>\",\"bladeOpenContext\":{\"bladeName\":\"DataClassGroupEditBlade\",\"extensionName\":\"Microsoft_Azure_InformationProtection\"}}},{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProtectionOwner\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"PersonWithFriend\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"
operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident >\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"t
ype\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Run query to see results.\\r\\nresources\\r\\n| where type =~ 'Microsoft.KeyVault/vaults'\\r\\n| project name,resourceGroup,location,id,type,subscriptionId,kind,tags\\r\\n| extend typeDisplayName=case(type =~ 'microsoft.keyvault/vaults','Key vault',type)\\r\\n| extend locationDisplayName=case(location =~ 'eastus','East US',location =~ 'eastus2','East US 2',location =~ 'southcentralus','South Central US',location =~ 'westus2','West US 2',location =~ 'westus3','West US 3',location =~ 'australiaeast','Australia East',location =~ 'southeastasia','Southeast Asia',location =~ 'northeurope','North Europe',location =~ 'swedencentral','Sweden Central',location =~ 'uksouth','UK South',location =~ 'westeurope','West Europe',location =~ 'centralus','Central US',location =~ 'northcentralus','North Central US',location =~ 'westus','West US',location =~ 'southafricanorth','South Africa North',location =~ 'centralindia','Central India',location =~ 'eastasia','East Asia',location =~ 'japaneast','Japan East',location =~ 'jioindiawest','Jio India West',location =~ 'koreacentral','Korea Central',location =~ 'canadacentral','Canada Central',location =~ 'francecentral','France Central',location =~ 'germanywestcentral','Germany West Central',location =~ 'norwayeast','Norway East',location =~ 'switzerlandnorth','Switzerland North',location =~ 'uaenorth','UAE North',location =~ 'brazilsouth','Brazil South',location =~ 'centralusstage','Central US (Stage)',location =~ 'eastusstage','East US (Stage)',location =~ 'eastus2stage','East US 2 (Stage)',location =~ 'northcentralusstage','North Central US (Stage)',location =~ 'southcentralusstage','South Central US (Stage)',location =~ 'westusstage','West US (Stage)',location =~ 'westus2stage','West US 2 (Stage)',location =~ 
'asia','Asia',location =~ 'asiapacific','Asia Pacific',location =~ 'australia','Australia',location =~ 'brazil','Brazil',location =~ 'canada','Canada',location =~ 'europe','Europe',location =~ 'france','France',location =~ 'germany','Germany',location =~ 'global','Global',location =~ 'india','India',location =~ 'japan','Japan',location =~ 'korea','Korea',location =~ 'norway','Norway',location =~ 'southafrica','South Africa',location =~ 'switzerland','Switzerland',location =~ 'uae','United Arab Emirates',location =~ 'uk','United Kingdom',location =~ 'unitedstates','United States',location =~ 'eastasiastage','East Asia (Stage)',location =~ 'southeastasiastage','Southeast Asia (Stage)',location =~ 'westcentralus','West Central US',location =~ 'southafricawest','South Africa West',location =~ 'australiacentral','Australia Central',location =~ 'australiacentral2','Australia Central 2',location =~ 'australiasoutheast','Australia Southeast',location =~ 'japanwest','Japan West',location =~ 'jioindiacentral','Jio India Central',location =~ 'koreasouth','Korea South',location =~ 'southindia','South India',location =~ 'westindia','West India',location =~ 'canadaeast','Canada East',location =~ 'francesouth','France South',location =~ 'germanynorth','Germany North',location =~ 'norwaywest','Norway West',location =~ 'switzerlandwest','Switzerland West',location =~ 'ukwest','UK West',location =~ 'uaecentral','UAE Central',location =~ 'brazilsoutheast','Brazil Southeast',location)\\r\\n| extend tagsString=tostring(tags)\\r\\n| where (type !~ ('dynatrace.observability/monitors'))\\r\\n| where (type !~ ('nginx.nginxplus/nginxdeployments'))\\r\\n| where (type !~ ('microsoft.agfoodplatform/farmbeats'))\\r\\n| where (type !~ ('microsoft.cdn/profiles/afdendpoints'))\\r\\n| where (type !~ ('microsoft.cdn/profiles/customdomains'))\\r\\n| where (type !~ ('microsoft.cdn/profiles/origingroups'))\\r\\n| where (type !~ ('microsoft.cdn/profiles/rulesets'))\\r\\n| where (type !~ 
('microsoft.cdn/profiles/secrets'))\\r\\n| where (type !~ ('microsoft.cdn/profiles/securitypolicies'))\\r\\n| where (type !~ ('microsoft.cdn/profiles/afdendpoints/routes'))\\r\\n| where (type !~ ('microsoft.cdn/profiles/origingroups/origins'))\\r\\n| where (type !~ ('microsoft.cdn/profiles/rulesets/rules'))\\r\\n| where (type !~ ('microsoft.kubernetes/connectedclusters/microsoft.kubernetesconfiguration/fluxconfigurations'))\\r\\n| where (type !~ ('microsoft.containerservice/managedclusters/microsoft.kubernetesconfiguration/fluxconfigurations'))\\r\\n| where (type !~ ('microsoft.portal/extensions/deployments'))\\r\\n| where (type !~ ('microsoft.portal/extensions'))\\r\\n| where (type !~ ('microsoft.portal/extensions/slots'))\\r\\n| where (type !~ ('microsoft.portal/extensions/versions'))\\r\\n| where (type !~ ('microsoft.datacollaboration/workspaces'))\\r\\n| where (type !~ ('microsoft.network/dnsforwardingrulesets'))\\r\\n| where (type !~ ('microsoft.network/dnsresolvers'))\\r\\n| where (type !~ ('microsoft.azurestack/registrations'))\\r\\n| where (type !~ ('microsoft.communication/emailservices'))\\r\\n| where (type !~ ('microsoft.hdinsight/clusterpools/clusters'))\\r\\n| where (type !~ ('microsoft.hdinsight/clusterpools/clusters/sessionclusters'))\\r\\n| where (type !~ ('microsoft.hdinsight/clusterpools'))\\r\\n| where (type !~ ('microsoft.hpcworkbench/instances'))\\r\\n| where (type !~ ('microsoft.scvmm/vmmservers'))\\r\\n| where (type !~ ('microsoft.connectedvmwarevsphere/vcenters'))\\r\\n| where (type !~ ('microsoft.intelligentitdigitaltwin/digitaltwins/assets'))\\r\\n| where (type !~ ('microsoft.intelligentitdigitaltwin/digitaltwins/tests'))\\r\\n| where (type !~ ('microsoft.intelligentitdigitaltwin/digitaltwins/executionplans'))\\r\\n| where (type !~ ('microsoft.intelligentitdigitaltwin/digitaltwins/testplans'))\\r\\n| where (type !~ ('microsoft.intelligentitdigitaltwin/digitaltwins'))\\r\\n| where not((type =~ ('microsoft.network/serviceendpointpolicies')) 
and ((kind =~ ('internal'))))\\r\\n| where (type !~ ('microsoft.openlogisticsplatform/workspaces'))\\r\\n| where (type !~ ('microsoft.scom/managedinstances'))\\r\\n| where (type !~ ('microsoft.orbital/spacecrafts/contacts'))\\r\\n| where (type !~ ('microsoft.orbital/contactprofiles'))\\r\\n| where (type !~ ('microsoft.orbital/edgesites'))\\r\\n| where (type !~ ('microsoft.orbital/groundstations'))\\r\\n| where (type !~ ('microsoft.orbital/l2connections'))\\r\\n| where (type !~ ('microsoft.orbital/spacecrafts'))\\r\\n| where (type !~ ('microsoft.azurepercept/accounts'))\\r\\n| where (type !~ ('microsoft.workloads/phpworkloads'))\\r\\n| where (type !~ ('microsoft.playfab/playeraccountpools'))\\r\\n| where (type !~ ('microsoft.playfab/playfabresources'))\\r\\n| where (type !~ ('microsoft.playfab/titles'))\\r\\n| where (type !~ ('microsoft.recommendationsservice/accounts/modeling'))\\r\\n| where (type !~ ('microsoft.recommendationsservice/accounts/serviceendpoints'))\\r\\n| where (type !~ ('microsoft.recoveryservicesbvtd2/vaults'))\\r\\n| where (type !~ ('microsoft.recoveryservicesbvtd/vaults'))\\r\\n| where (type !~ ('microsoft.recoveryservicesintd/vaults'))\\r\\n| where (type !~ ('microsoft.recoveryservicesintd2/vaults'))\\r\\n| where (type !~ ('microsoft.workloads/sapvirtualinstances/applicationinstances'))\\r\\n| where (type !~ ('microsoft.workloads/sapvirtualinstances/centralinstances'))\\r\\n| where (type !~ ('microsoft.workloads/sapvirtualinstances/databaseinstances'))\\r\\n| where (type !~ ('microsoft.workloads/sapvirtualinstances'))\\r\\n| where (type !~ ('microsoft.datareplication/replicationvaults'))\\r\\n| where (type !~ ('microsoft.storagecache/amlfilesystems'))\\r\\n| where not((type =~ ('microsoft.synapse/workspaces/sqlpools')) and ((kind =~ ('v3'))))\\r\\n| where (type !~ ('microsoft.mobilenetwork/mobilenetworks'))\\r\\n| where (type !~ ('microsoft.mobilenetwork/mobilenetworks/sites'))\\r\\n| where (type !~ 
('microsoft.mobilenetwork/packetcorecontrolplanes'))\\r\\n| where (type !~ ('microsoft.mobilenetwork/mobilenetworks/services'))\\r\\n| where (type !~ ('microsoft.mobilenetwork/sims'))\\r\\n| where (type !~ ('microsoft.workloads/monitors'))\\r\\n| where not((type =~ ('microsoft.sql/servers/databases')) and ((kind in~ ('system','v2.0,system','v12.0,system','v12.0,user,datawarehouse,gen2,analytics'))))\\r\\n| where not((type =~ ('microsoft.sql/servers')) and ((kind =~ ('v12.0,analytics'))))\\r\\n| project id,typeDisplayName,resourceGroup,locationDisplayName,tagsString,name,type,kind,location,subscriptionId,tags\\r\\n| sort by (tolower(tostring(name))) asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Key Vault Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAllVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"All\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Protection Management\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Asset / Indicator Search](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\\r\\n---\\r\\n\\r\\nThreat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. 
In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. Indicator search provides a free-text search of indicators (Ip address, file, hash, email address, username) to determine:\\r\\n\\r\\n\\t•\\tIndicators in your data\\r\\n\\t•\\tPattern of the indicator over time\\r\\n\\t•\\tReporting threat intelligence feed and details\\r\\n\\t•\\tSecurity Incidents for investigation and response\\r\\n\\r\\n\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"521d368e-c46e-41b5-bea0-fd07dc96b511\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Threat Intelligence >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligenceTaxii\"}]}}]},\"customWidth\":\"20\",\"name\":\"links - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Indicator Search\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= 
Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has 
\\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') 
has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render 
areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, 
tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Pre 
attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend SystemAlertId = tostring(AlertIds[0])\\r\\n| join (SecurityAlert \\r\\n| where Entities <> \\\"\\\"\\r\\n| mv-expand parse_json(Entities)\\r\\n| where Entities contains '{Indicator}'\\r\\n| project SystemAlertId, Entities\\r\\n) on SystemAlertId\\r\\n| where Title <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, IncidentNumber desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade, Entities\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents\",\"noDataMessage\":\"No incidents observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"name\":\"query - 3\"}]},\"name\":\"Indicators Observed\"}]},\"conditionalVisibility\":{\"parameterName\":\"isTIVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 21\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)\\r\\n---\\r\\nAzure Lighthouse helps service providers simplify customer engagement and onboarding experiences, while managing delegated resources at scale with agility and precision. 
Authorized users, groups, and service principals can work directly in the context of a customer subscription without having an account in that customer's Microsoft Entra ID tenant or being a co-owner of the customer's tenant. The mechanism used to support this access is called Azure delegated resource management. \"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"1cf637a7-121d-4722-b511-b0c460625e31\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Lighthouse >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"LighthouseBlade\",\"extensionName\":\"Microsoft_Azure_CustomerHub\"}}]},\"customWidth\":\"50\",\"name\":\"links - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"managedservicesresources\\r\\n| where type == \\\"microsoft.managedservices/registrationassignments\\\"\\r\\n| where properties.provisioningState == \\\"Succeeded\\\"\\r\\n| extend ManageeTenantName = properties.registrationDefinition.properties.manageeTenantName\\r\\n| extend ManagedByTenantName = properties.registrationDefinition.properties.managedByTenantName\\r\\n| extend ManagedByTenantId = properties.registrationDefinition.properties.managedByTenantId\\r\\n| extend ManageeTenantId = tostring(properties.registrationDefinition.properties.manageeTenantId)\\r\\n| extend PermanentAccess = properties.registrationDefinition.properties.authorizations\\r\\n| extend JITAccess = properties.registrationDefinition.properties.eligibleAuthorizations\\r\\n| extend AddedDate = properties.registrationDefinition.systemData.createdAt\\r\\n| extend CreatedBy = systemData.createdBy\\r\\n| project ManageeTenantName, ManageeTenantId, ManagedByTenantName, ManagedByTenantId, AddedDate, CreatedBy\",\"size\":1,\"showAnalytics\":true,\"title\":\"Azure Lighthouse Delegations\",\"noDataMessage\":\"No Azure 
Lighthouse Delegations/Customers Detected\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ManageeTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Download\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManagedByTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Upload\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManagedByTenantId\",\"formatter\":1,\"formatOptions\":{\"linkTarget\":\"Resource\"}},{\"columnMatch\":\"PermanentAccess\",\"formatter\":1},{\"columnMatch\":\"JITAccess\",\"formatter\":1},{\"columnMatch\":\"AddedDate\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Clock\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"CreatedBy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"name\":\"query - 21 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isALVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 21\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Recommended Data Connectors](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\\r\\n---\\r\\n\\r\\nAfter onboarding Microsoft Sentinel into your workspace, connect data sources to start ingesting your data into Microsoft Sentinel. 
Microsoft Sentinel comes with many connectors for Microsoft products, available out of the box and providing real-time integration. For example, service-to-service connectors include Microsoft 365 Defender connectors and Microsoft 365 sources, such as Office 365, Microsoft Entra ID, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. Check out these references if you're new to Microsoft Sentinel.\"},\"customWidth\":\"40\",\"name\":\"NS Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"b1cd1f8a-e807-4deb-93f4-7812e5ed014a\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Data Connectors >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorsBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\"}}]},\"customWidth\":\"40\",\"name\":\"EL0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/best-practices\",\"linkTarget\":\"Url\",\"linkLabel\":\"Best Practices\",\"style\":\"link\"},{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-all-in-one-accelerator/ba-p/1807933\",\"linkTarget\":\"Url\",\"linkLabel\":\"Microsoft Sentinel All-In-One Accelerator\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://docs.microsoft.com/learn/browse/?wt.mc_id=resilience_skilling_webpage_gdc&terms=sentinel\",\"linkTarget\":\"Url\",\"linkLabel\":\"Microsoft Sentinel Training\",\"style\":\"link\"}]},\"customWidth\":\"40\",\"name\":\"links - 29\"}]},\"name\":\"group - 
7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Foundational\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"58cc25ab-a9af-4516-99e1-fa22e0637a76\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Activity Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActiveDirectory\"}]}},{\"id\":\"7c97e893-29f3-4d4c-a379-f220bb82518c\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActivity\"}]}},{\"id\":\"6a86eb8d-5487-4aad-ae7b-b526e68a249f\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Office 365 Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Office365\"}]}},{\"id\":\"56600b70-0e55-433a-be86-b7c561bced8b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Cloud Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureSecurityCenter\"}]}},{\"id\":\"935bb630-1fce-4021-b7b4-c010b9e05973\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Network Security Groups Connector 
>>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureNSG\"}]}},{\"id\":\"d002eb41-c632-429b-8504-846b69314620\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Windows Security Event (AMA) Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WindowsSecurityEvents\"}]}},{\"id\":\"9a8b0649-e79b-4a30-be25-4a5486f302ee\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Windows Security Event (MMA) Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"SecurityEvents\"}]}},{\"id\":\"2d8731f5-c225-4a39-9914-6391b2c89ecb\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"DNS Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"DNS\"}]}},{\"id\":\"6d9cd26b-3fcd-4556-b2eb-3dcb711c4de4\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Storage Account Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureStorageAccount\"}]}},{\"id\":\"452e02e1-b0c4-4b9b-8a54-bc9295db22b9\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Common Event Format (CEF) Connector 
>>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"CEF\"}]}},{\"id\":\"021644a3-bd51-4b09-8117-017a89c71d58\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Syslog Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Syslog\"}]}},{\"id\":\"393c465e-4398-428b-8da2-87ac07d8a987\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Amazon Web Services (AWS) Connector >> \",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AWS\"}]}},{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Amazon Web Services (S3) Connector >> \",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AwsS3\"}]}}]},\"customWidth\":\"50\",\"name\":\"EL0\"}]},\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Basic\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"6a86eb8d-5487-4aad-ae7b-b526e68a249f\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft 365 Defender Connector 
>>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftThreatProtection\"}]}},{\"id\":\"94a0e6f0-7918-4575-baf4-6e52541646dd\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Firewall Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureFirewall\"}]}},{\"id\":\"d40e1198-0e60-4672-9ad1-c70c58dcb39d\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Windows Firewall Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WindowsFirewall\"}]}},{\"id\":\"18bb33e3-9d70-4043-925d-30af02d24991\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure WAF Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WAF\"}]}},{\"id\":\"5ece71ef-6973-449a-899d-514b41c7bfb7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure KeyVault Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureKeyVault\"}]}},{\"id\":\"e4eb576b-5ab7-474f-bfc8-7310ad92acbc\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure DDoS Connector 
>>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"DDOS\"}]}},{\"id\":\"c41a232a-e50e-421b-ac72-235c2bb58bf6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Export Security Recommendations >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}}]},\"customWidth\":\"50\",\"name\":\"EL0\"}]},\"name\":\"group - 3 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Intermediate\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"b7426ec2-789c-45e0-8d43-11dfb2c3e539\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Information Protection Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureInformationProtection\"}]}},{\"id\":\"1ca7a45b-98bd-4fb9-944f-fcc6a54188b7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Dynamics 365 Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Dynamics365\"}]}},{\"id\":\"7e4f324f-8529-4ae0-b47b-b24697b8fc5d\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Kubernetes Service (AKS) Connector 
>>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureKubernetes\"}]}},{\"id\":\"6a86eb8d-5487-4aad-ae7b-b526e68a249f\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Qualys Vulnerability Management Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"QualysVulnerabilityManagement\"}]}}]},\"customWidth\":\"50\",\"name\":\"EL0\"}]},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Advanced\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"0bb302f6-3711-459c-ba1b-5ae434c35ca2\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID Protection Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActiveDirectoryIdentityProtection\"}]}},{\"id\":\"6a86eb8d-5487-4aad-ae7b-b526e68a249f\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Threat Intelligence TAXII Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligenceTaxii\"}]}},{\"id\":\"b96a3f2e-61f1-4f30-ae85-b45e6e83402b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Threat Intelligence Platform Connector 
>>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligence\"}]}},{\"id\":\"6f75e7eb-1a0f-466d-8b26-de898770f1bf\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for IoT Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"IoT\"}]}},{\"id\":\"6b8e85f4-e8aa-4b06-8c8d-c3fa3d442ab6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Purview: Insider Risk Management Connector >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"OfficeIRM\"}]}}]},\"customWidth\":\"50\",\"name\":\"EL0\"}]},\"name\":\"group - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Recommended Data Connectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Recommended Content](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog)\\r\\n---\\r\\n\\r\\nThe following content packages provide utility for regulated industries use cases.\"},\"name\":\"NS 
Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/sentinel-solutions\",\"linkTarget\":\"Url\",\"linkLabel\":\"About Microsoft Sentinel Content & Solutions\",\"style\":\"link\"},{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog\",\"linkTarget\":\"Url\",\"linkLabel\":\"Content Hub Catalog\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"40\",\"name\":\"group - 4\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"76c7831e-386d-4289-8145-486f52cba8ec\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Content Hub >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ContentHub.ReactView\",\"extensionName\":\"Microsoft_Azure_SentinelUS\"}}]},\"customWidth\":\"40\",\"name\":\"EL0\"}]},\"name\":\"group - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Zero Trust (TIC 3.0) Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n\\r\\n---\\r\\nThe Microsoft Sentinel Zero Trust (TIC 3.0) Solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across cloud, multi-cloud, 1st/3rd party workloads. The solution includes the new Zero Trust (TIC 3.0) Workbook, (1) Analytics Rule, and (3) Playbooks. 
While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced with numerous Microsoft offerings.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/next-evolution-of-the-microsoft-sentinel-zero-trust-tic-3-0/ba-p/3278097\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/CxLzTRPuw-4\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ZeroTrust(TIC3.0)\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/331934iC71A9ECE39F53E71/image-size/large?v=v2&px=999)\\r\\n\\r\\n\"},\"customWidth\":\"80\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"Zero Trust Solution\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [NIST SP 800-53 Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n\\r\\n---\\r\\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with NIST SP 800-53 control requirements. This offering telemetry from 25+ Microsoft Security products (1P/3P/Multi-Cloud/Hybrid/On-Premises). 
Each NIST SP 800-53 control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-nist-sp-800-53-solution/ba-p/3381485\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/ju9hxtYnj7s\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NISTSP80053\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Workbooks/Images/NISTSP80053Black.png?raw=true)\"},\"customWidth\":\"90\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cybersecurity Maturity Model Certification (CMMC) 2.0](https://www.acq.osd.mil/cmmc/index.html)\\r\\n---\\r\\n\\r\\nThis solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/assessment/reporting, (2) Analytics rules for monitoring and (3) Playbooks for response/remediation. CMMC 2.0 is the next iteration of the Department’s CMMC cybersecurity model. 
It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-cybersecurity-maturity-model/ba-p/3295095\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/-_a5HxJgriE\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/366916iE9E6352466301203/image-size/large?v=v2&px=999)\"},\"customWidth\":\"75\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Azure Security Benchmark v3](https://docs.microsoft.com/security/benchmark/azure/)\\r\\n---\\r\\n\\r\\nEnables Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to gain situational awareness for cloud security posture and hardening. Benchmark recommendations provide a starting point for selecting specific security configuration settings and facilitate risk reduction. The Azure Security Benchmark includes a collection of high-impact security recommendations for improving posture. This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. 
Customer experience will vary by user and some panels may require additional configurations for operation.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/azure-security-benchmark-v3-workbook/ba-p/3257673\",\"linkTarget\":\"Url\",\"linkLabel\":\"Announce Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/v57gWjvcY4o\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"cc5f4830-f090-4f5e-afb2-47adba6be532\",\"cellValue\":\"https://youtu.be/qVJjwOipHDA\",\"linkTarget\":\"Url\",\"linkLabel\":\"ASC in the Field\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Workbooks/Azure%20Security%20Benchmark%20v3\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/356031i1852A90B40FA85CF/image-size/large?v=v2&px=999)\"},\"customWidth\":\"86\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsoft Insider Risk Management Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786)\\r\\n---\\r\\n\\r\\nInsider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization, including acting on cases and escalating cases to Microsoft Advanced eDiscovery. 
Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards. Insider risks come in various forms including both witting (intentional) and unwitting (unintentional). This workbook provides an automated visualization of Insider risk behavior cross walked to Microsoft security offerings.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MicrosoftInsiderRiskManagement\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/326371i9E5EA3A8269A3D54/image-size/large?v=v2&px=999)\"},\"customWidth\":\"75\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [IT/OT Threat Monitoring Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184)\\r\\n---\\r\\n\\r\\nThis solution provides the foundation for building a SOC for monitoring IoT/ OT and includes (1) workbook for visibility/reporting, (14) analytics rules for monitoring, and (4) playbooks for response. The workbook leverages Microsoft Sentinel telemetry to create visualization to understand, analyze, and respond to IoT/OT threats. Understanding alerts over time provides unprecedented insights into security posture and where teams need to focus to harden against threats. Deep links directly to Microsoft Defender for IoT alerts empower analysts to focus on remediating threats rather than pivoting between tools.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"8f7dce97-a41c-42b3-b62f-a21fbf5a1420\",\"cellValue\":\"https://youtu.be/hZS2aplJoy8\",\"linkTarget\":\"Url\",\"linkLabel\":\"YouTube Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/readme.md\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/339516iD1FE1014CDCB1E04/image-size/large?v=v2&px=999)\"},\"customWidth\":\"75\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Maturity Model for Event Log Management Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842)\\r\\n---\\r\\n\\r\\nThis solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident.\\\"Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. 
This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency.\\\" For more information, see 💡[OMB's M-21-31 Memorandum](https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/quV_80ts__k\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MaturityModelForEventLogManagementM2131\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342601i34E2E96C5959D837/image-dimensions/799x468?v=v2)\"},\"customWidth\":\"75\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Threat Analysis & Response Solution](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response)\\r\\n---\\r\\n\\r\\nThis solution enables SecOps Analysts, Threat 
Intelligence Professional, and Threat Hunters to gain situational awareness for threats in cloud environment. The Solution includes (2) Workbooks designed to enable threat hunting programs. Threat analysis provides an understanding of where the attacker is in the cycle which often drives both a historic lens of where the threat may have progressed, but also predictive analytics on the threat’s objectives. This approach is adversarial as understanding of the threat’s attack cycle drives defense actions in a red versus blue model. The Threat Analysis & Response Solution augments the customer burden of building threat hunting programs.\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ThreatAnalysis&Response/Workbooks/Images/ThreatAnalysis&ResponseWhite.png?raw=true)\"},\"customWidth\":\" 100\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence Workbook](https://docs.microsoft.com/security/benchmark/azure/)\\r\\n---\\r\\n\\r\\nThe most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. 
This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions.
\\r\\n\\r\\n---\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-azure-sentinel-threat-intelligence-workbook/ba-p/2858265\",\"linkTarget\":\"Url\",\"linkLabel\":\"Workbook Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/SjEG7iVVBbI\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/ThreatIntelligence.json\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/318165iE3D0AFA0BD5DF73C/image-size/large?v=v2&px=999)\"},\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"Zero Trust Solution - Copy - Copy - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isGCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Recommended Content\"}],\"fromTemplateId\":\"sentinel-ContinuousDiagnostics&Mitigation\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Getting Started\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": 
\\\"No\\\"}\\r\\n]\",\"value\":\"No\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, 
false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000}],\"allowCustom\":true}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"## Getting Started\\r\\nThis Solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This Solution demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All CDM requirements, validations, and controls are governed by the 💡[Cybersecurity & Infrastructure Security Agency](https://www.cisa.gov/cdm). This solution provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer.
\\r\\n\\r\\n### [Microsoft Sentinel Roles](https://docs.microsoft.com/azure/sentinel/roles) / [Microsoft Defender for Cloud Roles](https://docs.microsoft.com/azure/defender-for-cloud/permissions#roles-and-allowed-actions) / [Microsoft Defender for Endpoint Roles](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/user-roles)\\r\\n| Roles | Rights | \\r\\n|:--|:--|\\r\\n|Security Reader | View Workbooks, Analytics, Hunting, Security Recommendations |\\r\\n|Security Contributor| Deploy/Modify Workbooks, Analytics, Hunting Queries, Apply Security Recommendations |\\r\\n|Security Admin| Onboard & Configure Endpoints |\\r\\n|Owner| Assign Regulatory Compliance Initiatives|\\r\\n\\r\\n### Onboarding Prerequisites \\r\\n1️⃣ [Onboard Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
\\r\\n2️⃣ [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\\r\\n3️⃣ [Onboard Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/onboard-configure)
\\r\\n4️⃣ [Enable Microsoft Defender for Endpoint: Threat & Vulnerability Management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-prerequisites)
\\r\\n5️⃣ [Connect Microsoft Defender for Cloud to Microsoft Sentinel via Continuous Export](https://docs.microsoft.com/azure/security-center/continuous-export)
\\r\\n6️⃣ [Extend Microsoft Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)
\\r\\n7️⃣ [Connect Microsoft Defender for Endpoint to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)
\\r\\n8️⃣ [Automated Data Export to CISA](https://github.com/Azure/trusted-internet-connection)
\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/dAHTwp5qTy)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# [Continuous Diagnostics and Mitigation (CDM)](https://www.cisa.gov/cdm)\\n---\\n\\nThis solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/assessment/reporting, (1) Analytics rule for monitoring and (1) Hunting query for assessment. \\\"The Cybersecurity and Infrastructure Security Agency (CISA) Continuous Diagnostics and Mitigation (CDM) Program is a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program provides cybersecurity tools, integration services, and dashboards to participating agencies to help them improve their respective security postures by delivering better visibility and awareness of their \\nnetworks and defending against cyber adversaries.\\\" For more information, see 💡[Continuous Diagnostics and Mitigation (CDM)](https://www.cisa.gov/cdm). \\n\\n### Disclaimer\\nThe Microsoft Sentinel CDM Solution is not endorsed, nor required by the CDM PMO or CISA. The offering is also not a replacement for the CDM program's requirement for agency dashboard integration. While the offering does have similar visibility metrics, the agency and service integrator are still responsible for ensuring relevant cloud and asset data are integrated into the agency dashboard in accordance with CDM Program requirements. 
Similar, while Microsoft Sentinel CDM may make data aggregation and availability more rapid and efficient, the offering should not be viewed as a replacement for any specific CDM capability, until independently validated by appropriate CISA CDM contractor or federal teams. \\n\\n\"},\"customWidth\":\"79\",\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Executive Summary\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Assessment\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Controls Crosswalk\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Crosswalk\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Asset Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Asset Management\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Identity & Access Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Identity\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Network Security Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Network\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
107\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cec6c07e-2856-4c77-8b48-98935f2c1218\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAssessmentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Assessment\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"eab3e5a8-66c3-4304-8c2b-43264e858ba8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCrosswalkVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Crosswalk\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"ec480379-6561-4a30-b005-7533da78ed14\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAssetVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Asset\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"2919b971-fb14-440c-ab42-50304df3ceab\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIdentityVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Ident
ity\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"38d5c68b-fce9-479b-b8dd-acb7a97d85e7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isNetworkVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Network\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"isVisible Navigation\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Data Protection Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Asset/Indicator Search\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"TI\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Azure Lighthouse for Multi-Tenant\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AL\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Recommended Data Connectors\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Recommended Content\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"GC\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 107 - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"351dcb3f-0554-4677-8229-45bfd2aa3659\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isALVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AL\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4b0442c3-2175-4c05-a6dd-8f6a38ae9568\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d6d4eecf-14c7-47d3-a13e-f800180e62a1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isGCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"GC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operato
r\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"5b008366-4fb9-41b2-b6e5-66785b614818\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isTIVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"TI\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"2e6a0fcc-7d2d-4009-9b31-43ff10b7bf0e\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Executive Summary](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842)\\r\\n---\\r\\n\\r\\nThis section provides a mechanism to implement CDM recommendations. A selector provides capability to filter by all, specific, or groups of capability areas. Upon selection, subordinate panels will summarize recommendations by capability area, status over time, recommendations, and resources identified. These panels are helpful for identifying the areas of interest, status over time, and which resources are most impacted by these gaps. 
\"},\"customWidth\":\"40\",\"name\":\"NS Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 11\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"99a47f97-1aa4-4840-91ee-119aad6d6217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MaturityLevel\",\"label\":\"Capability Area\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Hardware Asset Management (HWAM)\\\", \\\"label\\\": \\\"Hardware Asset Management (HWAM)\\\"},\\r\\n {\\\"value\\\": \\\"Software Asset Management (SWAM)\\\", \\\"label\\\": \\\"Software Asset Management (SWAM)\\\"},\\r\\n {\\\"value\\\": \\\"User Trust (TRUST)\\\", \\\"label\\\": \\\"User Trust (TRUST)\\\"},\\r\\n {\\\"value\\\": \\\"Credentials & Authenticators (CRED)\\\", \\\"label\\\": \\\"Credentials & Authenticators (CRED)\\\"},\\r\\n {\\\"value\\\": \\\"Privileges (PRIV)\\\", \\\"label\\\": \\\"Privileges (PRIV)\\\"},\\r\\n {\\\"value\\\": \\\"Boundary Protection (BOUND)\\\", \\\"label\\\": \\\"Boundary Protection (BOUND)\\\"},\\r\\n {\\\"value\\\": \\\"Manage Events (MNGEVT)\\\", \\\"label\\\": \\\"Manage Events (MNGEVT)\\\"},\\r\\n {\\\"value\\\": \\\"Endpoint Detection & Response (EDR)\\\", \\\"label\\\": \\\"Endpoint Detection & Response (EDR)\\\"},\\r\\n {\\\"value\\\": \\\"Design & Build in Security (DBS)\\\", \\\"label\\\": \\\"Design & Build in Security (DBS)\\\"},\\r\\n {\\\"value\\\": \\\"Data Protection Management (DPM)\\\", \\\"label\\\": \\\"Data Protection Management (DPM)\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"parameters - 
26\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend MaturityLevel=iff(RecommendationDisplayName has_any(\\\"log\\\",\\\"defender\\\",\\\"asset\\\",\\\"arc\\\"), \\\"Hardware Asset Management (HWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"allow\\\",\\\"software\\\",\\\"application\\\"), \\\"Software Asset Management (SWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"account\\\",\\\"user\\\",\\\"identity\\\",\\\"trust\\\"), \\\"User Trust (TRUST)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"access\\\",\\\"auth\\\",\\\"key\\\",\\\"cert\\\",\\\"token\\\"), \\\"Credentials & Authenticators (CRED)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"priv\\\",\\\"admin\\\",\\\"root\\\"), \\\"Privileges (PRIV)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\",\\\"internet\\\",\\\"traffic\\\",\\\"firewall\\\",\\\"intrusion\\\",\\\"bound\\\",\\\"tls\\\",\\\"gateway\\\",\\\"subnet\\\",\\\"web\\\",\\\"url\\\",\\\"proxy\\\",\\\"just\\\",\\\"port\\\",\\\"JIT\\\",\\\"http\\\"), \\\"Boundary Protection (BOUND)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"event\\\",\\\"agent\\\",\\\"incident\\\",\\\"back\\\",\\\"privacy\\\",\\\"audit\\\",\\\"collect\\\"), \\\"Manage Events (MNGEVT)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"edr\\\",\\\"malware\\\",\\\"endpoint protection\\\",\\\"detect\\\",\\\"respon\\\"), \\\"Endpoint Detection & Response (EDR)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"aks\\\",\\\"contain\\\",\\\"kube\\\",\\\"supply\\\"), \\\"Design & Build in Security (DBS)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"data\\\",\\\"storage\\\",\\\"sql\\\",\\\"cmk\\\",\\\"key\\\"), \\\"Data Protection Management (DPM)\\\",\\\"Other\\\"))))))))))\\r\\n| where MaturityLevel in ({MaturityLevel})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize 
Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by MaturityLevel\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| project MaturityLevel, Total, PassedControls, Passed, Failed, Applicable, NotApplicable\\r\\n| sort by Total, Passed desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Capability Area\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 2 & 5\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"MaturityLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\
",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend MaturityLevel=iff(RecommendationDisplayName has_any(\\\"log\\\",\\\"defender\\\",\\\"asset\\\",\\\"arc\\\"), \\\"Hardware Asset Management (HWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"allow\\\",\\\"software\\\",\\\"application\\\"), \\\"Software Asset Management (SWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"account\\\",\\\"user\\\",\\\"identity\\\",\\\"trust\\\"), \\\"User Trust (TRUST)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"access\\\",\\\"auth\\\",\\\"key\\\",\\\"cert\\\",\\\"token\\\"), \\\"Credentials & Authenticators (CRED)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"priv\\\",\\\"admin\\\",\\\"root\\\"), \\\"Privileges (PRIV)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\",\\\"internet\\\",\\\"traffic\\\",\\\"firewall\\\",\\\"intrusion\\\",\\\"bound\\\",\\\"tls\\\",\\\"gateway\\\",\\\"subnet\\\",\\\"web\\\",\\\"url\\\",\\\"proxy\\\",\\\"just\\\",\\\"port\\\",\\\"JIT\\\",\\\"http\\\"), \\\"Boundary Protection (BOUND)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"event\\\",\\\"agent\\\",\\\"incident\\\",\\\"back\\\",\\\"privacy\\\",\\\"audit\\\",\\\"collect\\\"), \\\"Manage Events (MNGEVT)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"edr\\\",\\\"malware\\\",\\\"endpoint protection\\\",\\\"detect\\\",\\\"respon\\\"), \\\"Endpoint 
Detection & Response (EDR)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"aks\\\",\\\"contain\\\",\\\"kube\\\",\\\"supply\\\"), \\\"Design & Build in Security (DBS)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"data\\\",\\\"storage\\\",\\\"sql\\\",\\\"cmk\\\",\\\"key\\\"), \\\"Data Protection Management (DPM)\\\",\\\"Other\\\"))))))))))\\r\\n| where MaturityLevel in ({MaturityLevel})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 2 & 5\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend MaturityLevel=iff(RecommendationDisplayName has_any(\\\"log\\\",\\\"defender\\\",\\\"asset\\\",\\\"arc\\\"), \\\"Hardware 
Asset Management (HWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"allow\\\",\\\"software\\\",\\\"application\\\"), \\\"Software Asset Management (SWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"account\\\",\\\"user\\\",\\\"identity\\\",\\\"trust\\\"), \\\"User Trust (TRUST)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"access\\\",\\\"auth\\\",\\\"key\\\",\\\"cert\\\",\\\"token\\\"), \\\"Credentials & Authenticators (CRED)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"priv\\\",\\\"admin\\\",\\\"root\\\"), \\\"Privileges (PRIV)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\",\\\"internet\\\",\\\"traffic\\\",\\\"firewall\\\",\\\"intrusion\\\",\\\"bound\\\",\\\"tls\\\",\\\"gateway\\\",\\\"subnet\\\",\\\"web\\\",\\\"url\\\",\\\"proxy\\\",\\\"just\\\",\\\"port\\\",\\\"JIT\\\",\\\"http\\\"), \\\"Boundary Protection (BOUND)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"event\\\",\\\"agent\\\",\\\"incident\\\",\\\"back\\\",\\\"privacy\\\",\\\"audit\\\",\\\"collect\\\"), \\\"Manage Events (MNGEVT)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"edr\\\",\\\"malware\\\",\\\"endpoint protection\\\",\\\"detect\\\",\\\"respon\\\"), \\\"Endpoint Detection & Response (EDR)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"aks\\\",\\\"contain\\\",\\\"kube\\\",\\\"supply\\\"), \\\"Design & Build in Security (DBS)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"data\\\",\\\"storage\\\",\\\"sql\\\",\\\"cmk\\\",\\\"key\\\"), \\\"Data Protection Management (DPM)\\\",\\\"Other\\\"))))))))))\\r\\n| where MaturityLevel in ({MaturityLevel})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == 
\\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by AssessedResourceId\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| project AssessedResourceId, Total, PassedControls, Passed, Failed, Applicable, NotApplicable\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Asset\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 2 & 5\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AssessedResourceId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"red\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| extend MaturityLevel=iff(RecommendationDisplayName has_any(\\\"log\\\",\\\"defender\\\",\\\"asset\\\",\\\"arc\\\"), \\\"Hardware Asset Management 
(HWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"allow\\\",\\\"software\\\",\\\"application\\\"), \\\"Software Asset Management (SWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"account\\\",\\\"user\\\",\\\"identity\\\",\\\"trust\\\"), \\\"User Trust (TRUST)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"access\\\",\\\"auth\\\",\\\"key\\\",\\\"cert\\\",\\\"token\\\"), \\\"Credentials & Authenticators (CRED)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"priv\\\",\\\"admin\\\",\\\"root\\\"), \\\"Privileges (PRIV)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\",\\\"internet\\\",\\\"traffic\\\",\\\"firewall\\\",\\\"intrusion\\\",\\\"bound\\\",\\\"tls\\\",\\\"gateway\\\",\\\"subnet\\\",\\\"web\\\",\\\"url\\\",\\\"proxy\\\",\\\"just\\\",\\\"port\\\",\\\"JIT\\\",\\\"http\\\"), \\\"Boundary Protection (BOUND)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"event\\\",\\\"agent\\\",\\\"incident\\\",\\\"back\\\",\\\"privacy\\\",\\\"audit\\\",\\\"collect\\\"), \\\"Manage Events (MNGEVT)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"edr\\\",\\\"malware\\\",\\\"endpoint protection\\\",\\\"detect\\\",\\\"respon\\\"), \\\"Endpoint Detection & Response (EDR)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"aks\\\",\\\"contain\\\",\\\"kube\\\",\\\"supply\\\"), \\\"Design & Build in Security (DBS)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"data\\\",\\\"storage\\\",\\\"sql\\\",\\\"cmk\\\",\\\"key\\\"), \\\"Data Protection Management (DPM)\\\",\\\"Other\\\"))))))))))\\r\\n| where MaturityLevel in ({MaturityLevel})\\r\\n| make-series count() default=0 on TimeGenerated from startofday({TimeRange:start}) to startofday({TimeRange:end}) step 1d by MaturityLevel\\r\\n| render timechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations over Time\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 2 & 5\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"ControlID\",\"formatter\":1},{\"columnMatch\":\"Recommendation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation >\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| extend MaturityLevel=iff(RecommendationDisplayName has_any(\\\"log\\\",\\\"defender\\\",\\\"asset\\\",\\\"arc\\\"), \\\"Hardware Asset Management (HWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"allow\\\",\\\"software\\\",\\\"application\\\"), \\\"Software Asset Management (SWAM)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"account\\\",\\\"user\\\",\\\"identity\\\",\\\"trust\\\"), \\\"User Trust (TRUST)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"access\\\",\\\"auth\\\",\\\"key\\\",\\\"cert\\\",\\\"token\\\"), \\\"Credentials & Authenticators (CRED)\\\",\\r\\niff(RecommendationDisplayName 
has_any(\\\"priv\\\",\\\"admin\\\",\\\"root\\\"), \\\"Privileges (PRIV)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\",\\\"internet\\\",\\\"traffic\\\",\\\"firewall\\\",\\\"intrusion\\\",\\\"bound\\\",\\\"tls\\\",\\\"gateway\\\",\\\"subnet\\\",\\\"web\\\",\\\"url\\\",\\\"proxy\\\",\\\"just\\\",\\\"port\\\",\\\"JIT\\\",\\\"http\\\"), \\\"Boundary Protection (BOUND)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"event\\\",\\\"agent\\\",\\\"incident\\\",\\\"back\\\",\\\"privacy\\\",\\\"audit\\\",\\\"collect\\\"), \\\"Manage Events (MNGEVT)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"edr\\\",\\\"malware\\\",\\\"endpoint protection\\\",\\\"detect\\\",\\\"respon\\\"), \\\"Endpoint Detection & Response (EDR)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"aks\\\",\\\"contain\\\",\\\"kube\\\",\\\"supply\\\"), \\\"Design & Build in Security (DBS)\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"data\\\",\\\"storage\\\",\\\"sql\\\",\\\"cmk\\\",\\\"key\\\"), \\\"Data Protection Management (DPM)\\\",\\\"Other\\\"))))))))))\\r\\n| where MaturityLevel in ({MaturityLevel})\\r\\n| extend RemediationLink = strcat(\\\"https://\\\",RecommendationLink)\\r\\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\\r\\n| where RecommendationState == \\\"Unhealthy\\\"\\r\\n| project ResourceID=AssessedResourceId, RecommendationName=RecommendationDisplayName, MaturityLevel, Severity=RecommendationSeverity, RecommendationState, RemediationLink, DiscoveredDate=StatusChangeDate\\r\\n| parse RemediationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *\\r\\n| extend Rank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, 0)))\\r\\n| sort by Rank desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendation Details\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 2 & 5\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceID\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"MaturityLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"RemediationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Rank\",\"formatter\":5},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"ControlID\",\"formatter\":1}],\"rowLimit\":2500,\"filter\":true}},\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAssessmentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Assessment\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Controls Crosswalk\\r\\n---\\r\\nControls crosswalk provides a mapping of CDM controls across respective overlays. This provides free-text search capabilities to facilitate navigation of the workbook. There is mapping by capability, capability area, recommended logs, and recommended products including export to excel for reporting. 
\"},\"customWidth\":\"40\",\"name\":\"Controls Mapping\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Crosswalk = datatable([\\\"Capability\\\"]: string, [\\\"Capability Area\\\"]: string, [\\\"Recommended Logs\\\"]: string, [\\\"Recommended Products\\\"]: string) [\\r\\n\\\"Hardware Asset Management (HWAM)\\\",\\\"Asset Management\\\",\\\"SecurityRegulatoryCompliance, Resources, ConfigurationData\\\",\\\"Microsoft Defender for Cloud, Azure Resource Graph, Azure Monitor, Microsoft 365 Defender\\\",\\r\\n\\\"Software Asset Management (SWAM)\\\",\\\"Asset Management\\\",\\\"SecurityRegulatoryCompliance, SecurityEvent, ConfigurationData, SigninLogs\\\",\\\"Microsoft Defender for Cloud, Microsoft Defender for Endpoint, Azure Monitor, Azure Active Directory\\\",\\r\\n\\\"User Trust (TRUST)\\\",\\\"Identity & Access Management\\\",\\\"SecurityIncident, SecurityRecommendation, SecurityBaseline, SigninLogs, IdentityInfo\\\",\\\"Microsoft Sentinel, Microsoft Defender for Cloud, Azure Active Directory\\\",\\r\\n\\\"Credentials & Authenticators (CRED)\\\",\\\"Identity & Access Management\\\",\\\"SecurityIncident, SecurityRecommendation, SecurityBaseline, SigninLogs, IdentityInfo\\\",\\\"Microsoft Sentinel, Microsoft Defender for Cloud, Azure Active Directory, Key Vault\\\",\\r\\n\\\"Privileges (PRIV)\\\",\\\"Identity & Access Management\\\",\\\"SecurityIncident, SecurityRecommendation, SecurityBaseline, SigninLogs, IdentityInfo\\\",\\\"Microsoft Sentinel, Azure Active Directory, Privileged Identity Management, Microsoft Defender for Cloud\\\",\\r\\n\\\"Boundary Protection (BOUND)\\\",\\\"Network Security Management\\\",\\\"SecurityIncident, SecurityRecommendation, SecurityBaseline\\\",\\\"Azure Firewall, Microsoft Defender for Cloud, Network Security Groups, Web Application Firewalls, Network Watcher, Virtual Network Gateways, Bastions\\\",\\r\\n\\\"Manage Events (MNGEVT)\\\",\\\"Network Security Management\\\",\\\"SecurityIncident, 
SecurityRecommendation, SecurityBaseline\\\",\\\"Azure Monitor, Microsoft Defender for Endpoint\\\",\\r\\n\\\"Endpoint Detection & Response (EDR)\\\",\\\"Network Security Management\\\",\\\"SecurityIncident, SecurityRecommendation, SecurityAlert, DeviceEvents, DeviceNetworkEvents, DeviceLogonEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceProcessEvents\\\",\\\"Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft Defender for Endpoint, Microsoft 365 Defender\\\",\\r\\n\\\"Operate, Monitor, & Improve (OMI)\\\",\\\"Network Security Management\\\",\\\"SecurityIncident, SecurityRegulatoryCompliance\\\",\\\"Microsoft Sentinel, Microsoft Defender for Cloud\\\",\\r\\n\\\"Design & Build in Security (DBS)\\\",\\\"Network Security Management\\\",\\\"SecurityRecommendation, SecurityNestedRecommendation, GitHubAuditLogPolling_CL, AzureDevOpsAuditing\\\",\\\"Microsoft Sentinel, Microsoft Defender for Cloud, GitHub, Azure DevOps\\\",\\r\\n\\\"Data Protection Management\\\",\\\"Data Protection Management\\\",\\\"SecurityIncident, SecurityRecommendation, InformationProtectionLogs_CL, Resources\\\",\\\"Microsoft Sentinel, InformationProtectionLogs_CL, SecurityRecommendation, Resources\\\"\\r\\n];\\r\\nCrosswalk\\r\\n| project [\\\"Capability\\\"],[\\\"Capability Area\\\"],[\\\"Recommended Logs\\\"],[\\\"Recommended Products\\\"]\",\"size\":0,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Capability\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Recommended Logs\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Recommended 
Products\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCrosswalkVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Controls Mapping\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Asset Management](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\\r\\n---\\r\\nAsset Management Capability Area addresses “What is on the Network?’ and focuses on identifying and \\r\\nmonitoring Agency devices, ensuring that they are properly configured, and vulnerabilities have been identified and remediated. The Asset Management Capability Area consists of the HWAM, SWAM, CSM, VUL, and EMM capabilities.These functions are briefly summarized below, and the requirements are separately specified later in the HWAM, SWAM, CSM, VUL, and EMM sections.\\r\\n\"},\"customWidth\":\"40\",\"name\":\"Common Requirements Overview\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"name\":\"text - 106\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Hardware Asset Management (HWAM)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"HWAM\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Software Asset Management (SWAM)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SWAM\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Control\",\"formatter\":1},{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isHWAMVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"HWAM\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSWAMVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SWAM\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"3981964c-5100-4acc-a9a2-336237a414a5\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Hardware Asset Management (HWAM)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\\r\\nThe HWAM capability discovers IP-addressable hardware on a network.\\r\\nHWAM establishes and maintains an authorized hardware inventory baseline, unique identifiers (UIDs) for hardware, and other properties, such as the manager of the hardware.\\r\\nHWAM also establishes and maintains the actual inventory of hardware 
in accordance with data currency requirements, along with information needed to assess the risk to and locate the hardware.\\r\\nThe capability to maintain and update the inventory needs to allow for decentralized administration and only for assets for which they are accountable. Data in the authorized hardware inventory baseline must be validated continuously through automated hardware discovery. Manual processes, such as assigning hardware to the baseline, are expected to integrate with and be supported by automated processes.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://docs.microsoft.com/azure/governance/resource-graph/overview)
\\r\\n🔷 [ConfigurationData](https://docs.microsoft.com/azure/azure-monitor/reference/tables/configurationdata) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Introduction to Hardware Inventory](https://docs.microsoft.com/mem/configmgr/core/clients/manage/inventory/introduction-to-hardware-inventory)
\\r\\n💡 [Explore and Manage Your Resources With Asset Inventory](https://docs.microsoft.com/azure/security-center/asset-inventory)
\\r\\n💡 [Device Management Overview](https://docs.microsoft.com/mem/intune/fundamentals/what-is-device-management)
\\r\\n💡 [What is Azure Resource Graph?](https://docs.microsoft.com/azure/governance/resource-graph/overview)
\\r\\n💡 [Configure data collection for the Azure Monitor agent](https://docs.microsoft.com/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent)
\\r\\n\\t\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products\"},\"name\":\"text - 2\"}]},\"name\":\"group - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"94af2358-8b87-44b2-ad87-c84568ab2efd\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Cloud\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}},{\"id\":\"19aa07ff-e996-47a7-99f1-b4a6e6ebe5ee\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft 365 Defender\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftThreatProtection\"}]}},{\"id\":\"974e5615-0367-4fca-bdb8-dc2b1b3d38c8\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Resource Graph\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ArgQueryBlade\",\"extensionName\":\"HubsExtension\"}}]},\"name\":\"links - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"Azure Security Benchmark\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', 
tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"Azure Security Benchmark\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | summarize 
Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), NotApplicable = countif(state == \\\"NotApplicable\\\"), Applicable = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"),Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\" or state == \\\"NotApplicable\\\") by RecommendationName, ControlID = controlId\\r\\n | extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"Azure Security Benchmark\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink, name) on RecommendationName \\r\\n| extend Remediate=RecommendationLink\\r\\n| where RecommendationName contains \\\"log \\\" or RecommendationName contains \\\"endpoint\\\" or RecommendationName contains \\\"defender\\\" or RecommendationName contains \\\"asset\\\" or RecommendationName contains \\\"arc\\\"\\r\\n| parse Remediate with * '#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *\\r\\n| distinct RecommendationName, Total, Remediate, PassedControls, Passed, Failed, NotApplicable, Applicable, assessmentKey\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations (HWAM-1) \",\"noDataMessage\":\"No Recommendations Observed Within These Thresholds. 
Confirm the Microsoft Defender for Cloud: Regulatory Compliance Initiative for Azure Security Benchmark is Enabled\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"Remediate\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"filter\":true},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Failed\",\"color\":\"redBright\"},{\"seriesName\":\"Passed\",\"color\":\"green\"}]}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| extend Azure_Inventory=location\\r\\n| extend M365_Inventory=strcat(\\\"https://security.microsoft.com/machines\\\")\\r\\n| sort by 
id desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Asset Inventory (HWAM-2 / HWAM-7) \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on 
Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines (HWAM-3 / HWAM-4)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Total\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":2500,\"filter\":true}},\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| summarize count() by type\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Device Count by Type (HWAM-5) \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| summarize count() by location\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Device Count by Location (HWAM-6-1) \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true},\"mapSettings\":{\"locInfo\":\"AzureLoc\",\"locInfoColumn\":\"location\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"labelSettings\":\"location\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ConfigurationData\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configuration Data (HWAM-6-2)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Computer\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":2500,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Computer\"],\"expandTopLevel\":true,\"finalBy\":\"ConfigDataType\"}}},\"name\":\"query 
- 3 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isHWAMVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Hardware Asset Management (HWAM) Capability\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Software Asset Management (SWAM)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\\r\\nThe SWAM capability discovers software installed on devices operating on an Agency’s network that are categorized as endpoints.6 A complete, accurate, and timely software inventory is essential to support awareness and effective control of software vulnerabilities and security configuration settings.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityEvent](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/security/business/threat-protection/endpoint-defender)
\\r\\n🔷 [ConfigurationData](https://docs.microsoft.com/azure/azure-monitor/reference/tables/configurationdata) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [View Installed Software](https://docs.microsoft.com/azure/automation/automation-tutorial-installed-software#view-installed-software)\\r\\n💡 [Device Management Overview](https://docs.microsoft.com/mem/intune/fundamentals/what-is-device-management)
\\r\\n💡 [Microsoft 365 Defender integration with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration)
\\r\\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\\r\\n\\t\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products\"},\"name\":\"text - 2\"}]},\"name\":\"group - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"94af2358-8b87-44b2-ad87-c84568ab2efd\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Cloud\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}},{\"id\":\"19aa07ff-e996-47a7-99f1-b4a6e6ebe5ee\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ActiveDirectoryMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}},{\"id\":\"974e5615-0367-4fca-bdb8-dc2b1b3d38c8\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Monitor\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"AzureMonitoringBrowseBlade\",\"extensionName\":\"Microsoft_Azure_Monitoring\"}}]},\"name\":\"links - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"Azure Security Benchmark\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', 
properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"Azure Security Benchmark\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == 
\\\"Passed\\\"), NotApplicable = countif(state == \\\"NotApplicable\\\"), Applicable = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"),Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\" or state == \\\"NotApplicable\\\") by RecommendationName, ControlID = controlId\\r\\n | extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"Azure Security Benchmark\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink, name) on RecommendationName \\r\\n| extend Remediate=RecommendationLink\\r\\n| where RecommendationName contains \\\"allowlist\\\" or RecommendationName contains \\\"application control\\\" or RecommendationName contains \\\"software\\\"\\r\\n| parse Remediate with * '#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *\\r\\n| distinct RecommendationName, Total, Remediate, PassedControls, Passed, Failed, NotApplicable, Applicable, assessmentKey\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations (SWAM-1) \",\"noDataMessage\":\"No Recommendations Observed Within These Thresholds. 
Confirm the Microsoft Defender for Cloud: Regulatory Compliance Initiative for Azure Security Benchmark is Enabled\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"Remediate\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"filter\":true},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Failed\",\"color\":\"redBright\"},{\"seriesName\":\"Passed\",\"color\":\"green\"}]}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Trend = SigninLogs\\r\\n| make-series Trend = dcount(UserPrincipalName) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, 
{TimeRange:grain}) by ResourceDisplayName;\\r\\nSigninLogs\\r\\n| summarize arg_max(TimeGenerated, *) by ResourceDisplayName, UserPrincipalName\\r\\n| summarize count() by ResourceDisplayName\\r\\n| where ResourceDisplayName <> \\\"\\\"\\r\\n| join (Trend) on ResourceDisplayName\\r\\n| project Application=ResourceDisplayName, UsersAccessing=count_, AccessTrending=Trend\\r\\n| sort by UsersAccessing desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Application Inventory (SWAM-1)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Application\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Capture\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UsersAccessing\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"AccessTrending\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Trend = SecurityEvent\\r\\n| make-series Trend = dcount(Computer) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Process;\\r\\nSecurityEvent\\r\\n| where Process <> \\\"\\\"\\r\\n| where Process <> \\\"-\\\"\\r\\n| summarize arg_max(TimeGenerated, EventID) by Process, Computer\\r\\n| summarize count() by Process\\r\\n| join (Trend) on Process\\r\\n| sort by 
count_ desc\\r\\n| project Process, SoftwareInstances=count_, ObservedTrending=Trend\\r\\n| limit 2500\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Software Inventory (SWAM-1)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Process\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"CloudUpload\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SoftwareInstances\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"ObservedTrending\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AccessCount = SigninLogs\\r\\n| summarize count() by UserPrincipalName\\r\\n| project AccessCount=count_, UserPrincipalName;\\r\\nlet Profile = SigninLogs\\r\\n| project AADProfile=UserId, UserPrincipalName;\\r\\nIdentityInfo\\r\\n| summarize arg_max(TimeGenerated, GroupMembership, AssignedRoles) by AccountUPN\\r\\n| extend GroupMemberships = strcat(GroupMembership)\\r\\n| extend AssignedRoles = strcat(AssignedRoles)\\r\\n| extend UserPrincipalName = AccountUPN\\r\\n| where AccountUPN <> \\\"\\\"\\r\\n| where GroupMemberships contains \\\"admin\\\" or GroupMemberships contains \\\"security\\\" or GroupMemberships contains \\\"contrib\\\" or AssignedRoles contains \\\"admin\\\" or AssignedRoles 
contains \\\"security\\\" or AssignedRoles contains \\\"contrib\\\"\\r\\n| join (Profile) on UserPrincipalName\\r\\n| join (AccessCount) on UserPrincipalName\\r\\n| project UserPrincipalName, AccessCount, AADProfile, GroupMemberships, AssignedRoles\\r\\n| sort by AccessCount desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Assigned Roles & Group Memberships (SWAM-3)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AccessCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"AADProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"AADProfile\"}]}}}],\"rowLimit\":2500,\"filter\":true}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityNestedRecommendation\\r\\n| extend SoftwareName = tostring(AdditionalData.SoftwareName)\\r\\n| extend SoftwareVendor = tostring(AdditionalData.SoftwareVendor)\\r\\n| extend SoftwareVersion = tostring(AdditionalData.SoftwareVersion)\\r\\n| where SoftwareName <> \\\"\\\"\\r\\n| 
summarize arg_max(TimeGenerated, *) by AssessedResourceId, SoftwareName, SoftwareVendor, SoftwareVersion\\r\\n| limit 2500\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Software Components (SWAM-5)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Process\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"CloudUpload\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SoftwareInstances\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"ObservedTrending\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":2500,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"AssessedResourceId\"]}}},\"customWidth\":\"50\",\"name\":\"query - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSWAMVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Software Asset Management (SWAM) Capability\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isAssetVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Asset Management Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Identity & Access Management](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\\r\\n---\\r\\nCapability Area that addresses “Who is on the network” and 
consists of related capabilities that support the IdAM security discipline (i.e., TRUST, BEHAVE, CRED, PRIV). IdAM provides identity proofing and authentication aspects under identity management. It also supports the use, maintenance, and protection of sensitive resources (e.g., data, systems).\"},\"customWidth\":\"40\",\"name\":\"Common Requirements Overview\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"name\":\"text - 106\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"User Trust (TRUST)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Trust\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Credentials & Authenticators (CRED)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Cred\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Privileges (PRIV)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Priv\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isTrustVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Trust\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"b17f2902-5d29-45b2-8712-bff5b7dd1487\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCredVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Cred\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"793ffbca-13bc-4fac-9535-048cbd9efc54\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPrivVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Priv\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [User Trust (TRUST)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\\r\\nThe CDM TRUST capability reduces the probability of loss in \\r\\navailability, integrity, and confidentiality of data by ensuring that only properly vetted \\r\\nusers are given access to credentials and systems commensurate with their role. This \\r\\nincludes elevated privileges and special security roles. The vetted trust level is \\r\\nproperly monitored and renewed, per agency policies and applicable statutes.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\\r\\n💡 [Continuously export Microsoft Defender for Cloud data](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n💡 [Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/investigate-cases)
\\r\\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\\r\\n💡 [What are custom security attributes in Microsoft Entra ID?](https://docs.microsoft.com/azure/active-directory/fundamentals/custom-security-attributes-overview)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"3c316419-bc18-41ba-a503-8e45e8f6b8f7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Sentinel\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"microsoft.securityinsightsarg/sentinel\"}]}},{\"id\":\"eab3f582-841d-45fb-9c29-b0cfaef3aae6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Cloud\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}},{\"id\":\"2be002d0-10f1-4369-8dcc-386c6431e721\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ActiveDirectoryMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == 
\\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where RecommendationDisplayName contains \\\"account\\\" or RecommendationDisplayName contains \\\"user\\\" or RecommendationDisplayName contains \\\"identity\\\" or RecommendationDisplayName contains \\\"trust\\\"\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Recommendations (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 2 & 5\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description contains \\\"account\\\" or 
Description contains \\\"user\\\" or Description contains \\\"identity\\\" or Description contains \\\"trust\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines (Microsoft Defender for Cloud)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"
}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"account\\\" or Description contains \\\"user\\\" or Description contains \\\"identity\\\" or Description contains \\\"trust\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, Severity, IncidentUrl, IncidentNumber, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents (Microsoft Sentinel)\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds. Review MITRE ATT&CK Blade for Coverage Assessment\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"
query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserType, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| join (IdentityInfo | extend UserPrincipalName = MailAddress| summarize arg_max(TimeGenerated, *) by UserPrincipalName) on UserPrincipalName\\r\\n| extend GroupMemberships = strcat(GroupMembership)\\r\\n| extend AssignedRoles = strcat(AssignedRoles)\\r\\n| project UserPrincipalName, UserType, SignInCount=count_, UserProfile, GivenName, Surname, Department, EmployeeId, JobTitle, Manager, StreetAddress, City, Country, State, Phone, Tags, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Attributes (Microsoft Entra ID)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isTrustVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Trust\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Credentials & Authenticators 
(CRED)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\\r\\nThe CDM CRED (credentials and authenticators) capability ensures that account credentials are assigned to, and are used only by, authorized users or services to access agency systems, services, and facilities. CRED binds a type of credential or authenticator to an identity established in TRUST with a level of assurance and is used to grant logical access. The CRED capability will apply only to in-scope users (employees and contractors, who will each have a PIV card). In-scope users have network accounts, where the primary control mechanism for network authentication is the Agency’s Microsoft Active Directory Implementation.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure Key Vault basic concepts](https://docs.microsoft.com/azure/key-vault/general/basic-concepts)
\\r\\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\\r\\n💡 [Continuously export Microsoft Defender for Cloud data](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n💡 [Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/investigate-cases)
\\r\\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\\r\\n💡 [What are custom security attributes in Microsoft Entra ID?](https://docs.microsoft.com/azure/active-directory/fundamentals/custom-security-attributes-overview)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"3c316419-bc18-41ba-a503-8e45e8f6b8f7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Key Vaults\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.KeyVault/vaults\"}]}},{\"id\":\"eab3f582-841d-45fb-9c29-b0cfaef3aae6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Cloud\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}},{\"id\":\"2be002d0-10f1-4369-8dcc-386c6431e721\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ActiveDirectoryMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or 
RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where RecommendationDisplayName contains \\\"access\\\" or RecommendationDisplayName contains \\\"auth\\\" or RecommendationDisplayName contains \\\"key\\\" or RecommendationDisplayName contains \\\"cert\\\" or RecommendationDisplayName contains \\\"token\\\"\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Recommendations (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 2 & 5\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description contains \\\"access\\\" or 
Description contains \\\"auth\\\" or Description contains \\\"key\\\" or Description contains \\\"cert\\\" or Description contains \\\"token\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines (Microsoft Defender for Cloud)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"forma
tOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"access\\\" or Description contains \\\"auth\\\" or Description contains \\\"key\\\" or Description contains \\\"cert\\\" or Description contains \\\"token\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, Severity, IncidentUrl, IncidentNumber, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents (Microsoft Sentinel)\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds. 
Review MITRE ATT&CK Blade for Coverage Assessment\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserType, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| join (IdentityInfo | extend UserPrincipalName = MailAddress| summarize arg_max(TimeGenerated, *) by UserPrincipalName) on UserPrincipalName\\r\\n| extend GroupMemberships = strcat(GroupMembership)\\r\\n| 
extend AssignedRoles = strcat(AssignedRoles)\\r\\n| project UserPrincipalName, UserType, SignInCount=count_, UserProfile, Tags, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Credentials (Microsoft Entra ID)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile 
>>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"key\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Secrets Management (Key Vault)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Authenticator Management -- Leverage Authenticator Tooling\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"a32b5156-4cec-481d-83b3-165ca9208301\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID: Password Protection (Banned Passwords)\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"PasswordProtectionBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}},{\"id\":\"27d9b4d1-fc6b-4813-b851-f8bd130d0be5\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID: Authenticator Management\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"AuthenticationMethodsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}},{\"id\":\"d1f6bb1b-7fa4-49cf-91cd-2f67465563aa\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID: Conditional Access\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ConditionalAccessBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}}]},\"name\":\"links - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCredVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Cred\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Privileges (PRIV)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\\r\\nThe CDM PRIV capability provides the agency with insight into risks associated with authorized users 
being granted excessive privileges to systems and information at any level of sensitivity. The purpose of the capability is to ensure that privileges for logical access are assigned to authorized people or accounts that require authorized access for job functions. This capability is dependent on the existence of a set of attributes that denote roles or characteristics that require or restrict specific privileges per policy. Non-person entities are not covered by PRIV. The PRIV capability will apply only to in-scope users (employees and contractors, who will each have a PIV card) and associated accounts.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Microsoft Entra ID Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\\r\\n💡 [Continuously export Microsoft Defender for Cloud data](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n💡 [Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/investigate-cases)
\\r\\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\\r\\n💡 [What are custom security attributes in Microsoft Entra ID?](https://docs.microsoft.com/azure/active-directory/fundamentals/custom-security-attributes-overview)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"3c316419-bc18-41ba-a503-8e45e8f6b8f7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Privileged Identity Management\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"CommonMenuBlade\",\"extensionName\":\"Microsoft_Azure_PIMCommon\"}},{\"id\":\"eab3f582-841d-45fb-9c29-b0cfaef3aae6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Cloud\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}},{\"id\":\"2be002d0-10f1-4369-8dcc-386c6431e721\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ActiveDirectoryMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == 
\\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where RecommendationDisplayName contains \\\"priv\\\" or RecommendationDisplayName contains \\\"admin\\\" or RecommendationDisplayName contains \\\"root\\\"\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Recommendations (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 2 & 5\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description contains \\\"priv\\\" or 
Description contains \\\"admin\\\" or Description contains \\\"root\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines (Microsoft Defender for Cloud)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"priv\\\" or Description contains \\\"admin\\\" or Description contains \\\"root\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, Severity, IncidentUrl, IncidentNumber, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents (Microsoft Sentinel)\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds. Review MITRE ATT&CK Blade for Coverage Assessment\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserType, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| join (IdentityInfo | extend UserPrincipalName = MailAddress| summarize arg_max(TimeGenerated, *) by UserPrincipalName) on UserPrincipalName\\r\\n| extend GroupMemberships = strcat(GroupMembership)\\r\\n| 
extend AssignedRoles = strcat(AssignedRoles)\\r\\n| project UserPrincipalName, UserType, SignInCount=count_, UserProfile, AssignedRoles, GroupMemberships, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Privileges (Microsoft Entra ID)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile 
>>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where OperationName contains \\\"PIM\\\"\\r\\n| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\r\\n| distinct OperationName, Identity, AADOperationType, InitiatedBy, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Privileged Identity Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Identity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InitiatedBy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"PersonWithFriend\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_InitiatedBy_3\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Initia
tedBy_3\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPrivVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Priv\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isIdentityVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Identity & Access Management\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Network Security Management](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\\r\\n---\\r\\nThe Network Security Management (NSM) Capability Area builds on the CDM capabilities provided by Asset Management and Identity and Access Management. The NSM capabilities include network and perimeter components, host and device components, data at rest and in transit, and user behavior and activities. NSM capabilities move beyond asset management to a more extensive and dynamic monitoring of security controls. 
This includes preparing for and responding to behavior incidents, ensuring that software/system quality is integrated into the network/infrastructure, detecting internal actions and behaviors to determine who is doing what, and finally, mitigating security incidents to prevent propagation throughout the network/infrastructure.\\r\\n\"},\"customWidth\":\"40\",\"name\":\"Common Requirements Overview\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"name\":\"text - 106\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Boundary Protection (BOUND)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Bound\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Manage Events (MNGEVT)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Mngevt\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Endpoint Detection & Response (EDR)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Edr\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Operate, Monitor, & Improve (OMI)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Omi\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Design & Build in Security (DBS)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Dbs\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isBoundVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Bound\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"1f176b0f-1f2f-4e12-afb0-3f10c834ef24\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMngevtVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Mngevt\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"1f176b0f-1f2f-4e12-afb0-3f10c834ef24\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEdrVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Edr\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"b17f2902-5d29-45b2-8712-bff5b7dd1487\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isOmiVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Omi\",\"resultValType\":\"static
\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"793ffbca-13bc-4fac-9535-048cbd9efc54\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDbsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Dbs\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Boundary Protection (BOUND)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\\r\\nDescribes how the network is protected through filtering, \\r\\nnetwork access control, and encryption.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure Security Benchmark: Network Security](https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries)
\\r\\n💡 [Deploy and configure Azure Firewall Premium](https://docs.microsoft.com/azure/firewall/premium-deploy)
\\r\\n💡 [Tutorial: Filter network traffic with a network security group using the Azure portal](https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic)
\\r\\n💡 [Tutorial: Create a Web Application Firewall policy on Azure Front Door using the Azure portal](https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-create-portal)
\\r\\n💡 [What is Azure Network Watcher?](https://docs.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview)
\\r\\n💡 [Quickstart: Create a virtual network using the Azure portal](https://docs.microsoft.com/azure/virtual-network/quick-create-portal)
\\r\\n💡 [Quickstart: Deploy Azure Bastion with default settings](https://docs.microsoft.com/azure/bastion/quickstart-host-portal)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"3c316419-bc18-41ba-a503-8e45e8f6b8f7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Firewall\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.Network/azureFirewalls\"}]}},{\"id\":\"eab3f582-841d-45fb-9c29-b0cfaef3aae6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Network Security Groups\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.Network/NetworkSecurityGroups\"}]}},{\"id\":\"3d5452e8-f52e-45d1-a761-bb6ad06b0a1b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Web Application Firewalls\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\"}]}},{\"id\":\"bea0a8ab-83d1-4cd9-9414-addd92325ce6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Network Watcher\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"NetworkWatcherMenuBlade\",\"extensionName\":\"Microsoft_Azure_Network\"}},{\"id\":\"0e8cbff6-d8ed-4374-a64b-b619d9757d88\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Virtual Network 
Gateways\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.Network/virtualNetworkGateways\"}]}},{\"id\":\"0335ed7a-7ccf-4400-a87d-bc91456e7fd9\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Bastions\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.Network/bastionHosts\"}]}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, 
Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where RecommendationDisplayName contains \\\"network\\\" or RecommendationDisplayName contains \\\"internet\\\" or RecommendationDisplayName contains \\\"traffic\\\" or RecommendationDisplayName contains \\\"firewall\\\" or RecommendationDisplayName contains \\\"intrusion\\\" or RecommendationDisplayName contains \\\"bound\\\" or RecommendationDisplayName contains \\\"tls\\\" or RecommendationDisplayName contains \\\"gateway\\\" or RecommendationDisplayName contains \\\"subnet\\\" or RecommendationDisplayName contains \\\"web\\\" or RecommendationDisplayName contains \\\"url\\\" or RecommendationDisplayName contains \\\"proxy\\\" or RecommendationDisplayName contains \\\"just\\\" or RecommendationDisplayName contains \\\"port\\\" or RecommendationDisplayName contains \\\"http\\\"\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Recommendations (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 2 & 5\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize 
FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description contains \\\"network\\\" or Description contains \\\"internet\\\" or Description contains \\\"traffic\\\" or Description contains \\\"firewall\\\" or Description contains \\\"intrusion\\\" or Description contains \\\"bound\\\" or Description contains \\\"tls\\\" or Description contains \\\"gateway\\\" or Description contains \\\"subnet\\\" or Description contains \\\"web\\\" or Description contains \\\"url\\\" or Description contains \\\"proxy\\\" or Description contains \\\"just\\\" or Description contains \\\"port\\\" or Description contains \\\"http\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines (Microsoft Defender for Cloud)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"network\\\" or Description contains \\\"internet\\\" or Description contains \\\"traffic\\\" or Description contains \\\"firewall\\\" or Description contains \\\"intrusion\\\" or Description contains \\\"bound\\\" or Description contains \\\"tls\\\" or Description contains \\\"gateway\\\" or Description contains \\\"subnet\\\" or Description contains \\\"web\\\" or Description contains 
\\\"url\\\" or Description contains \\\"proxy\\\" or Description contains \\\"just\\\" or Description contains \\\"port\\\" or Description contains \\\"http\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, Severity, IncidentUrl, IncidentNumber, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents (Microsoft Sentinel)\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds. Review MITRE ATT&CK Blade for Coverage Assessment\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isBoundVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Bound\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Manage Events (MNGEVT)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\\r\\nDescribes ongoing assessment, preparing for events/incidents, audit data collection from appropriate sources, and identifying incidents through the analysis of data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 
[SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Tutorial: Collect and analyze resource logs from an Azure resource](https://docs.microsoft.com/azure/azure-monitor/essentials/tutorial-resource-logs)
\\r\\n💡 [Plan your Microsoft Defender for Endpoint deployment](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/deployment-strategy)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"bea0a8ab-83d1-4cd9-9414-addd92325ce6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Monitor\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"AzureMonitoringBrowseBlade\",\"extensionName\":\"Microsoft_Azure_Monitoring\"}},{\"id\":\"0e8cbff6-d8ed-4374-a64b-b619d9757d88\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Endpoint\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftThreatProtection\"}]}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = 
(Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where RecommendationDisplayName contains \\\"event\\\" or RecommendationDisplayName contains \\\"endpoint\\\" or RecommendationDisplayName contains \\\"protection\\\" or RecommendationDisplayName contains \\\"agent\\\" or RecommendationDisplayName contains \\\"incident\\\" or RecommendationDisplayName contains \\\"back\\\" or RecommendationDisplayName contains \\\"privacy\\\" or RecommendationDisplayName contains \\\"audit\\\" or RecommendationDisplayName contains \\\"collect\\\"\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Recommendations (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 2 & 5\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description contains \\\"event\\\" or 
Description contains \\\"endpoint\\\" or Description contains \\\"protection\\\" or Description contains \\\"agent\\\" or Description contains \\\"incident\\\" or Description contains \\\"back\\\" or Description contains \\\"privacy\\\" or Description contains \\\"audit\\\" or Description contains \\\"collect\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines (Microsoft Defender for Cloud)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"repres
entation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"event\\\" or Description contains \\\"endpoint\\\" or Description contains \\\"protection\\\" or Description contains \\\"agent\\\" or Description contains \\\"incident\\\" or Description contains \\\"back\\\" or Description contains \\\"privacy\\\" or Description contains \\\"audit\\\" or Description contains \\\"collect\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, Severity, IncidentUrl, IncidentNumber, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents (Microsoft Sentinel)\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds. 
Review MITRE ATT&CK Blade for Coverage Assessment\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMngevtVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MNGEVT\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Endpoint Detection & Response (EDR)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\\r\\nThe EDR capability provides cybersecurity monitoring and control of endpoint devices.29 EDR spans the full cybersecurity lifecycle, from the detection of events (observable occurrences in a network or system) and incidents (events that have 
been determined to have an impact on the organization, prompting the need for response and recovery) on endpoint devices (i.e., workstations, servers, laptops, thin clients, and virtual desktops) and users, to attack responses and incident follow-up and analysis.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) 🔷 [DeviceEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceevents) 🔷 [DeviceNetworkEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicenetworkevents) 🔷 [DeviceLogonEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicelogonevents) 🔷 [DeviceFileEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicefileevents)🔷 [DeviceRegistryEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceregistryevents) 🔷 [DeviceProcessEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceprocessevents) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft 365 Defender integration with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration)
\\r\\n💡 [Connect data from Microsoft 365 Defender to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"0e8cbff6-d8ed-4374-a64b-b619d9757d88\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Endpoint\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftThreatProtection\"}]}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where 
RecommendationDisplayName contains \\\"edr\\\" or RecommendationDisplayName contains \\\"malware\\\" or RecommendationDisplayName contains \\\"endpoint protection\\\" or RecommendationDisplayName contains \\\"detect\\\"\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Recommendations (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 2 & 5\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend SystemAlertId = tostring(AlertIds[0])\\r\\n| join kind=fullouter (SecurityAlert) on SystemAlertId\\r\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, Severity, IncidentUrl, IncidentNumber, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents (Microsoft Sentinel + Microsoft Defender for Endpoint)\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds. 
Review MITRE ATT&CK Blade for Coverage Assessment\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\r\\n| project DeviceName, ActionType, InitiatingProcessFileName, InitiatingProcessAccountName, AdditionalFields, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Device Events (Microsoft Defender for Endpoint)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Fired\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceFileEvents\\r\\n| project DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName, InitiatingProcessParentFileName, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Device File Events (Microsoft Defender for Endpoint)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Fired\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceLogonEvents\\r\\n| project AccountName, AccountDomain, ActionType, DeviceName, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Device Logon Events (Microsoft Defender for Endpoint)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Fired\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEdrVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"EDR\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Operate, Monitor, & Improve (OMI)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\\r\\nDescribes ongoing authorization, audit data \\r\\naggregation/correlation and analysis, incident prioritization and response, and post-incident activities (e.g., information sharing).\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/SecurityRegulatoryCompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Tutorial: Improve your regulatory compliance](https://docs.microsoft.com/azure/defender-for-cloud/regulatory-compliance-dashboard)
\\r\\n💡 [Details of the NIST SP 800-53 Regulatory Compliance built-in initiative](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"3c316419-bc18-41ba-a503-8e45e8f6b8f7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Sentinel\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"microsoft.securityinsightsarg/sentinel\"}]}},{\"id\":\"eab3f582-841d-45fb-9c29-b0cfaef3aae6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Cloud\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = 
extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), NotApplicable = countif(state == \\\"NotApplicable\\\"), Applicable = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"),Total = countif(state == \\\"Unhealthy\\\" or state == 
\\\"Healthy\\\" or complianceState == \\\"Passed\\\" or state == \\\"NotApplicable\\\") by RecommendationName, ControlID = controlId\\r\\n | extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink, name) on RecommendationName\\r\\n | where ControlID contains \\\"SI.\\\"\\r\\n | distinct RecommendationName, ControlID, Total, RecommendationLink, PassedControls, Passed, Failed, NotApplicable, Applicable, name\\r\\n | sort by Total, Passed desc\\r\\n | limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"NIST SP 800-53: System & Information Integrity (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 3-5\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"name\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"name\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 
R4\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", 
extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), NotApplicable = countif(state == \\\"NotApplicable\\\"), Applicable = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"),Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\" or state == \\\"NotApplicable\\\") by RecommendationName, ControlID = controlId\\r\\n | extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink, name) on RecommendationName\\r\\n | where ControlID contains \\\"RA.\\\"\\r\\n | distinct RecommendationName, ControlID, Total, RecommendationLink, PassedControls, Passed, Failed, NotApplicable, Applicable, name\\r\\n | sort by Total, Passed desc\\r\\n | limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"NIST SP 800-53: Risk Assessment (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 3-5\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"name\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"name\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 
R4\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", 
extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), NotApplicable = countif(state == \\\"NotApplicable\\\"), Applicable = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"),Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\" or state == \\\"NotApplicable\\\") by RecommendationName, ControlID = controlId\\r\\n | extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink, name) on RecommendationName\\r\\n | where ControlID contains \\\"CA.\\\"\\r\\n | distinct RecommendationName, ControlID, Total, RecommendationLink, PassedControls, Passed, Failed, NotApplicable, Applicable, name\\r\\n | sort by Total, Passed desc\\r\\n | limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"NIST SP 800-53: Security & Assessment (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 3-5\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"name\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"name\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isOmiVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"OMI\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# 
[Design & Build in Security (DBS)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\\r\\nDescribes preventing exploitable vulnerabilities from being \\r\\neffective in the software/system while the software/system is in development or \\r\\ndeployment.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityNestedRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [GitHubAuditLogPolling_CL](https://portal.azure.com/#create/microsoftcorporation1622712991604.sentinel4githubsentinel4github) 🔷 [AzureDevOpsAuditing](https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure DevOps - audit streaming](https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming?view=azure-devops&preserve-view=true)
\\r\\n💡 [GitHub logging](https://docs.github.com/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization)
\\r\\n💡 [Protecting your GitHub assets with Microsoft Sentinel](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/protecting-your-github-assets-with-azure-sentinel/ba-p/1457721)
\\r\\n💡 [Deploy Microsoft Sentinel: Continuous Threat Monitoring for GitHub Solution](https://portal.azure.com/#create/microsoftcorporation1622712991604.sentinel4githubsentinel4github)
\\r\\n💡 [DAST tools in Azure DevOps marketplace](https://marketplace.visualstudio.com/search?term=DAST&target=AzureDevOps&category=All%20categories)
\\r\\n💡 [How to Implement Microsoft Defender for Cloud Vulnerability Assessment Recommendations](https://docs.microsoft.com/azure/security-center/deploy-vulnerability-assessment-vm)
\\r\\n💡 [Integrated Vulnerability Scanner for Virtual Machines](https://docs.microsoft.com/azure/security-center/deploy-vulnerability-assessment-vm)
\\r\\n💡 [SQL Vulnerability Assessment](https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment)
\\r\\n💡 [Exporting Microsoft Defender for Cloud Vulnerability Scan Results](https://docs.microsoft.com/azure/security-center/continuous-export)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"3c316419-bc18-41ba-a503-8e45e8f6b8f7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Sentinel\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"microsoft.securityinsightsarg/sentinel\"}]}},{\"id\":\"eab3f582-841d-45fb-9c29-b0cfaef3aae6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Defender for Cloud\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = 
(Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where RecommendationDisplayName contains \\\"aks\\\" or RecommendationDisplayName contains \\\"contain\\\" or RecommendationDisplayName contains \\\"kube\\\" or RecommendationDisplayName contains \\\"supply\\\"\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Recommendations (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 2 & 5\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Tactics <> \\\"[]\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Tactics\\r\\n| render timechart \\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Modeling: MITRE ATT&CK® Tactics Observed (Microsoft Sentinel)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"GitHubAuditLogPolling_CL \\r\\n| project actor_s, org_s, repo_s, action_s, name_s, _document_id_s, visibility_s, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs (GitHub)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"actor_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"action_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"q
uery - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDevOpsAuditing\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs (Azure DevOps)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityNestedRecommendation\\r\\n| extend CVE = tostring(parse_json(tostring(AdditionalData.Cve))[0].Title)\\r\\n| where Description <> \\\"\\\"\\r\\n| where Description <> \\\"N/A\\\"\\r\\n| summarize count() by Description, CVE\\r\\n| sort by count_ desc\\r\\n| project Description, CVE, count_\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\" System/Application Vulnerabilities (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Confirm ASC SecurityNestedRecommendation logging is enabled and/or extend time thresholds for a larger data-set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
6\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDbsVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DBS\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Network Security Management\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Protection Management](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\\r\\n---\\r\\nData Protection Management (DPM) Capability Area focuses on “How is data protected?” and builds on the CDM capabilities provided by Asset Management, Identity and Access Management, and Network Security Management.\\r\\n\"},\"customWidth\":\"40\",\"name\":\"Common Requirements Overview\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"name\":\"text - 106\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Protection Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"All\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAllVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"All\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Protection Management](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\\r\\nData Protection Management (DPM) Capability Area focuses on “How is data protected?” and builds on the CDM capabilities provided by Asset Management, Identity and Access Management, and Network Security Management.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Data classification overview](https://docs.microsoft.com/azure/cloud-adoption-framework/govern/policy-compliance/data-classification)
\\r\\n💡 [Label your sensitive data using Azure Purview](https://docs.microsoft.com/azure/purview/create-sensitivity-label)
\\r\\n💡 [Tag Sensitive Information Using Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection)
\\r\\n💡 [How to implement Azure SQL Data Discovery](https://docs.microsoft.com/azure/azure-sql/database/data-discovery-and-classification-overview)
\\r\\n💡 [Azure Purview data sources](https://docs.microsoft.com/azure/purview/purview-connector-overview#purview-data-sources)
\\r\\n💡 [Azure Key Vault overview](https://docs.microsoft.com/azure/key-vault/general/overview)
\\r\\n💡 [BYOK (Bring Your Own Key) specification](https://docs.microsoft.com/azure/key-vault/keys/byok-specification)
\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Recommended Microsoft Products
\\r\\n\"},\"name\":\"text - 1 - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"3c316419-bc18-41ba-a503-8e45e8f6b8f7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Sentinel\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"microsoft.securityinsightsarg/sentinel\"}]}},{\"id\":\"eab3f582-841d-45fb-9c29-b0cfaef3aae6\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Information Protection\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataClassGroupEditBlade\",\"extensionName\":\"Microsoft_Azure_InformationProtection\"}},{\"id\":\"e4385e0c-e410-4d0e-8fc6-d5c6fe97c0ec\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Key Vault\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.KeyVault/vaults\"}]}}]},\"name\":\"links - 2\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), NotApplicable = countif(RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\"), Applicable = 
countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\"),Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"NotApplicable\\\" or RecommendationState == \\\"Removed\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, Applicable, NotApplicable, assessmentKey\\r\\n| where RecommendationDisplayName contains \\\"data\\\" or RecommendationDisplayName contains \\\"storage\\\" or RecommendationDisplayName contains \\\"sql\\\" or RecommendationDisplayName contains \\\"cmk\\\" or RecommendationDisplayName contains \\\"key\\\"\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Recommendations (Microsoft Defender for Cloud)\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 2 & 5\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":2,\"minimumFractionDigits\":2,\"maximumFractionDigits\":2,\"minimumSignificantDigits\":2,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"data\\\" or Description contains \\\"storage\\\" or Description contains \\\"sql\\\" or Description contains 
\\\"cmk\\\" or Description contains \\\"key\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, Severity, IncidentUrl, IncidentNumber, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents (Microsoft Sentinel)\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds. Review MITRE ATT&CK Blade for Coverage Assessment\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| extend AIP = strcat(\\\"https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/ActivityLogsBlade\\\")\\r\\n| summarize count() by LabelName_s, AIP\\r\\n| sort by count_ desc\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Data Discovery/Classification (Azure Information Protection)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LabelName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AIP\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Information Protection >>\",\"bladeOpenContext\":{\"bladeName\":\"DataClassGroupEditBlade\",\"extensionName\":\"Microsoft_Azure_InformationProtection\"}}},{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProtectionOwner\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"PersonWithFriend\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"
operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident >\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"t
ype\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Run query to see results.\\r\\nresources\\r\\n| where type =~ 'Microsoft.KeyVault/vaults'\\r\\n| project name,resourceGroup,location,id,type,subscriptionId,kind,tags\\r\\n| extend typeDisplayName=case(type =~ 'microsoft.keyvault/vaults','Key vault',type)\\r\\n| extend locationDisplayName=case(location =~ 'eastus','East US',location =~ 'eastus2','East US 2',location =~ 'southcentralus','South Central US',location =~ 'westus2','West US 2',location =~ 'westus3','West US 3',location =~ 'australiaeast','Australia East',location =~ 'southeastasia','Southeast Asia',location =~ 'northeurope','North Europe',location =~ 'swedencentral','Sweden Central',location =~ 'uksouth','UK South',location =~ 'westeurope','West Europe',location =~ 'centralus','Central US',location =~ 'northcentralus','North Central US',location =~ 'westus','West US',location =~ 'southafricanorth','South Africa North',location =~ 'centralindia','Central India',location =~ 'eastasia','East Asia',location =~ 'japaneast','Japan East',location =~ 'jioindiawest','Jio India West',location =~ 'koreacentral','Korea Central',location =~ 'canadacentral','Canada Central',location =~ 'francecentral','France Central',location =~ 'germanywestcentral','Germany West Central',location =~ 'norwayeast','Norway East',location =~ 'switzerlandnorth','Switzerland North',location =~ 'uaenorth','UAE North',location =~ 'brazilsouth','Brazil South',location =~ 'centralusstage','Central US (Stage)',location =~ 'eastusstage','East US (Stage)',location =~ 'eastus2stage','East US 2 (Stage)',location =~ 'northcentralusstage','North Central US (Stage)',location =~ 'southcentralusstage','South Central US (Stage)',location =~ 'westusstage','West US (Stage)',location =~ 'westus2stage','West US 2 (Stage)',location =~ 
'asia','Asia',location =~ 'asiapacific','Asia Pacific',location =~ 'australia','Australia',location =~ 'brazil','Brazil',location =~ 'canada','Canada',location =~ 'europe','Europe',location =~ 'france','France',location =~ 'germany','Germany',location =~ 'global','Global',location =~ 'india','India',location =~ 'japan','Japan',location =~ 'korea','Korea',location =~ 'norway','Norway',location =~ 'southafrica','South Africa',location =~ 'switzerland','Switzerland',location =~ 'uae','United Arab Emirates',location =~ 'uk','United Kingdom',location =~ 'unitedstates','United States',location =~ 'eastasiastage','East Asia (Stage)',location =~ 'southeastasiastage','Southeast Asia (Stage)',location =~ 'westcentralus','West Central US',location =~ 'southafricawest','South Africa West',location =~ 'australiacentral','Australia Central',location =~ 'australiacentral2','Australia Central 2',location =~ 'australiasoutheast','Australia Southeast',location =~ 'japanwest','Japan West',location =~ 'jioindiacentral','Jio India Central',location =~ 'koreasouth','Korea South',location =~ 'southindia','South India',location =~ 'westindia','West India',location =~ 'canadaeast','Canada East',location =~ 'francesouth','France South',location =~ 'germanynorth','Germany North',location =~ 'norwaywest','Norway West',location =~ 'switzerlandwest','Switzerland West',location =~ 'ukwest','UK West',location =~ 'uaecentral','UAE Central',location =~ 'brazilsoutheast','Brazil Southeast',location)\\r\\n| extend tagsString=tostring(tags)\\r\\n| where (type !~ ('dynatrace.observability/monitors'))\\r\\n| where (type !~ ('nginx.nginxplus/nginxdeployments'))\\r\\n| where (type !~ ('microsoft.agfoodplatform/farmbeats'))\\r\\n| where (type !~ ('microsoft.cdn/profiles/afdendpoints'))\\r\\n| where (type !~ ('microsoft.cdn/profiles/customdomains'))\\r\\n| where (type !~ ('microsoft.cdn/profiles/origingroups'))\\r\\n| where (type !~ ('microsoft.cdn/profiles/rulesets'))\\r\\n| where (type !~ 
('microsoft.cdn/profiles/secrets'))\\r\\n| where (type !~ ('microsoft.cdn/profiles/securitypolicies'))\\r\\n| where (type !~ ('microsoft.cdn/profiles/afdendpoints/routes'))\\r\\n| where (type !~ ('microsoft.cdn/profiles/origingroups/origins'))\\r\\n| where (type !~ ('microsoft.cdn/profiles/rulesets/rules'))\\r\\n| where (type !~ ('microsoft.kubernetes/connectedclusters/microsoft.kubernetesconfiguration/fluxconfigurations'))\\r\\n| where (type !~ ('microsoft.containerservice/managedclusters/microsoft.kubernetesconfiguration/fluxconfigurations'))\\r\\n| where (type !~ ('microsoft.portal/extensions/deployments'))\\r\\n| where (type !~ ('microsoft.portal/extensions'))\\r\\n| where (type !~ ('microsoft.portal/extensions/slots'))\\r\\n| where (type !~ ('microsoft.portal/extensions/versions'))\\r\\n| where (type !~ ('microsoft.datacollaboration/workspaces'))\\r\\n| where (type !~ ('microsoft.network/dnsforwardingrulesets'))\\r\\n| where (type !~ ('microsoft.network/dnsresolvers'))\\r\\n| where (type !~ ('microsoft.azurestack/registrations'))\\r\\n| where (type !~ ('microsoft.communication/emailservices'))\\r\\n| where (type !~ ('microsoft.hdinsight/clusterpools/clusters'))\\r\\n| where (type !~ ('microsoft.hdinsight/clusterpools/clusters/sessionclusters'))\\r\\n| where (type !~ ('microsoft.hdinsight/clusterpools'))\\r\\n| where (type !~ ('microsoft.hpcworkbench/instances'))\\r\\n| where (type !~ ('microsoft.scvmm/vmmservers'))\\r\\n| where (type !~ ('microsoft.connectedvmwarevsphere/vcenters'))\\r\\n| where (type !~ ('microsoft.intelligentitdigitaltwin/digitaltwins/assets'))\\r\\n| where (type !~ ('microsoft.intelligentitdigitaltwin/digitaltwins/tests'))\\r\\n| where (type !~ ('microsoft.intelligentitdigitaltwin/digitaltwins/executionplans'))\\r\\n| where (type !~ ('microsoft.intelligentitdigitaltwin/digitaltwins/testplans'))\\r\\n| where (type !~ ('microsoft.intelligentitdigitaltwin/digitaltwins'))\\r\\n| where not((type =~ ('microsoft.network/serviceendpointpolicies')) 
and ((kind =~ ('internal'))))\\r\\n| where (type !~ ('microsoft.openlogisticsplatform/workspaces'))\\r\\n| where (type !~ ('microsoft.scom/managedinstances'))\\r\\n| where (type !~ ('microsoft.orbital/spacecrafts/contacts'))\\r\\n| where (type !~ ('microsoft.orbital/contactprofiles'))\\r\\n| where (type !~ ('microsoft.orbital/edgesites'))\\r\\n| where (type !~ ('microsoft.orbital/groundstations'))\\r\\n| where (type !~ ('microsoft.orbital/l2connections'))\\r\\n| where (type !~ ('microsoft.orbital/spacecrafts'))\\r\\n| where (type !~ ('microsoft.azurepercept/accounts'))\\r\\n| where (type !~ ('microsoft.workloads/phpworkloads'))\\r\\n| where (type !~ ('microsoft.playfab/playeraccountpools'))\\r\\n| where (type !~ ('microsoft.playfab/playfabresources'))\\r\\n| where (type !~ ('microsoft.playfab/titles'))\\r\\n| where (type !~ ('microsoft.recommendationsservice/accounts/modeling'))\\r\\n| where (type !~ ('microsoft.recommendationsservice/accounts/serviceendpoints'))\\r\\n| where (type !~ ('microsoft.recoveryservicesbvtd2/vaults'))\\r\\n| where (type !~ ('microsoft.recoveryservicesbvtd/vaults'))\\r\\n| where (type !~ ('microsoft.recoveryservicesintd/vaults'))\\r\\n| where (type !~ ('microsoft.recoveryservicesintd2/vaults'))\\r\\n| where (type !~ ('microsoft.workloads/sapvirtualinstances/applicationinstances'))\\r\\n| where (type !~ ('microsoft.workloads/sapvirtualinstances/centralinstances'))\\r\\n| where (type !~ ('microsoft.workloads/sapvirtualinstances/databaseinstances'))\\r\\n| where (type !~ ('microsoft.workloads/sapvirtualinstances'))\\r\\n| where (type !~ ('microsoft.datareplication/replicationvaults'))\\r\\n| where (type !~ ('microsoft.storagecache/amlfilesystems'))\\r\\n| where not((type =~ ('microsoft.synapse/workspaces/sqlpools')) and ((kind =~ ('v3'))))\\r\\n| where (type !~ ('microsoft.mobilenetwork/mobilenetworks'))\\r\\n| where (type !~ ('microsoft.mobilenetwork/mobilenetworks/sites'))\\r\\n| where (type !~ 
('microsoft.mobilenetwork/packetcorecontrolplanes'))\\r\\n| where (type !~ ('microsoft.mobilenetwork/mobilenetworks/services'))\\r\\n| where (type !~ ('microsoft.mobilenetwork/sims'))\\r\\n| where (type !~ ('microsoft.workloads/monitors'))\\r\\n| where not((type =~ ('microsoft.sql/servers/databases')) and ((kind in~ ('system','v2.0,system','v12.0,system','v12.0,user,datawarehouse,gen2,analytics'))))\\r\\n| where not((type =~ ('microsoft.sql/servers')) and ((kind =~ ('v12.0,analytics'))))\\r\\n| project id,typeDisplayName,resourceGroup,locationDisplayName,tagsString,name,type,kind,location,subscriptionId,tags\\r\\n| sort by (tolower(tostring(name))) asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Key Vault Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAllVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"All\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Protection Management\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Asset / Indicator Search](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\\r\\n---\\r\\n\\r\\nThreat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. 
In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. Indicator search provides a free-text search of indicators (Ip address, file, hash, email address, username) to determine:\\r\\n\\r\\n\\t•\\tIndicators in your data\\r\\n\\t•\\tPattern of the indicator over time\\r\\n\\t•\\tReporting threat intelligence feed and details\\r\\n\\t•\\tSecurity Incidents for investigation and response\\r\\n\\r\\n\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"521d368e-c46e-41b5-bea0-fd07dc96b511\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Threat Intelligence >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligenceTaxii\"}]}}]},\"customWidth\":\"20\",\"name\":\"links - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Indicator Search\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= 
Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has 
\\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') 
has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render 
areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, 
tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Pre 
attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend SystemAlertId = tostring(AlertIds[0])\\r\\n| join (SecurityAlert \\r\\n| where Entities <> \\\"\\\"\\r\\n| mv-expand parse_json(Entities)\\r\\n| where Entities contains '{Indicator}'\\r\\n| project SystemAlertId, Entities\\r\\n) on SystemAlertId\\r\\n| where Title <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, IncidentNumber desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade, Entities\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents\",\"noDataMessage\":\"No incidents observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"name\":\"query - 3\"}]},\"name\":\"Indicators Observed\"}]},\"conditionalVisibility\":{\"parameterName\":\"isTIVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 21\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)\\r\\n---\\r\\nAzure Lighthouse helps service providers simplify customer engagement and onboarding experiences, while managing delegated resources at scale with agility and precision. 
Authorized users, groups, and service principals can work directly in the context of a customer subscription without having an account in that customer's Microsoft Entra ID tenant or being a co-owner of the customer's tenant. The mechanism used to support this access is called Azure delegated resource management. \"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"1cf637a7-121d-4722-b511-b0c460625e31\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Lighthouse >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"LighthouseBlade\",\"extensionName\":\"Microsoft_Azure_CustomerHub\"}}]},\"customWidth\":\"50\",\"name\":\"links - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"managedservicesresources\\r\\n| where type == \\\"microsoft.managedservices/registrationassignments\\\"\\r\\n| where properties.provisioningState == \\\"Succeeded\\\"\\r\\n| extend ManageeTenantName = properties.registrationDefinition.properties.manageeTenantName\\r\\n| extend ManagedByTenantName = properties.registrationDefinition.properties.managedByTenantName\\r\\n| extend ManagedByTenantId = properties.registrationDefinition.properties.managedByTenantId\\r\\n| extend ManageeTenantId = tostring(properties.registrationDefinition.properties.manageeTenantId)\\r\\n| extend PermanentAccess = properties.registrationDefinition.properties.authorizations\\r\\n| extend JITAccess = properties.registrationDefinition.properties.eligibleAuthorizations\\r\\n| extend AddedDate = properties.registrationDefinition.systemData.createdAt\\r\\n| extend CreatedBy = systemData.createdBy\\r\\n| project ManageeTenantName, ManageeTenantId, ManagedByTenantName, ManagedByTenantId, AddedDate, CreatedBy\",\"size\":1,\"showAnalytics\":true,\"title\":\"Azure Lighthouse Delegations\",\"noDataMessage\":\"No Azure 
Lighthouse Delegations/Customers Detected\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ManageeTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Download\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManagedByTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Upload\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManagedByTenantId\",\"formatter\":1,\"formatOptions\":{\"linkTarget\":\"Resource\"}},{\"columnMatch\":\"PermanentAccess\",\"formatter\":1},{\"columnMatch\":\"JITAccess\",\"formatter\":1},{\"columnMatch\":\"AddedDate\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Clock\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"CreatedBy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"name\":\"query - 21 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isALVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 21\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Recommended Data Connectors](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\\r\\n---\\r\\n\\r\\nAfter onboarding Microsoft Sentinel into your workspace, connect data sources to start ingesting your data into Microsoft Sentinel. 
Microsoft Sentinel comes with many connectors for Microsoft products, available out of the box and providing real-time integration. For example, service-to-service connectors include Microsoft 365 Defender connectors and Microsoft 365 sources, such as Office 365, Microsoft Entra ID, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. Check out these references if you're new to Microsoft Sentinel.\"},\"customWidth\":\"40\",\"name\":\"NS Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"b1cd1f8a-e807-4deb-93f4-7812e5ed014a\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Data Connectors >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorsBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\"}}]},\"customWidth\":\"20\",\"name\":\"EL0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/best-practices\",\"linkTarget\":\"Url\",\"linkLabel\":\"Best Practices\",\"style\":\"link\"},{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-all-in-one-accelerator/ba-p/1807933\",\"linkTarget\":\"Url\",\"linkLabel\":\"Microsoft Sentinel All-In-One Accelerator\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://docs.microsoft.com/learn/browse/?wt.mc_id=resilience_skilling_webpage_gdc&terms=sentinel\",\"linkTarget\":\"Url\",\"linkLabel\":\"Microsoft Sentinel Training\",\"style\":\"link\"}]},\"customWidth\":\"40\",\"name\":\"links - 29\"}],\"exportParameters\":true},\"name\":\"group - 
7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Foundational Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Activity Connector](https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"909d0019-23cb-43ad-8285-9f1dca1cd1be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureActivity\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureActivity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"58cc25ab-a9af-4516-99e1-fa22e0637a76\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActivity\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"33\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Entra ID Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"23ba579d-c894-43be-9fe1-d1b04bc34d7a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SignInLogs\",\"label\":\"Status\",\"type\":1,\"query\":\"SigninLogs\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Active Directory\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"7c97e893-29f3-4d4c-a379-f220bb82518c\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActiveDirectory\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Active Directory (AAD) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Office 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-365-formerly-office-365)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"68bd12c8-e473-45d1-8bbc-2dd9f326ea69\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"OfficeActivity\",\"label\":\"Status\",\"type\":1,\"query\":\"OfficeActivity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"6a86eb8d-5487-4aad-ae7b-b526e68a249f\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Office365\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Office 365 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Cloud Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#tenant-based-microsoft-defender-for-cloud)\\r\\n\\r\\n\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"1673e4cf-354f-4a42-bed2-2374be47779e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MDfC\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"Azure Security Center\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"56600b70-0e55-433a-be86-b7c561bced8b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureSecurityCenter\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Defender for Cloud Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Network Security Groups (NSG) Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#network-security-groups)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"b17ce357-e8d5-4c7c-a4f0-765598462a1c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NSG\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"NetworkSecurityGroupEvent\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"935bb630-1fce-4021-b7b4-c010b9e05973\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureNSG\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Network Security Groups (NSG) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Windows Security Events (AMA) Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CAMA#windows-agent-based-connections)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"d9af27d9-8c90-4c85-a57f-f329257d9956\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AMA\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityEvent\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d002eb41-c632-429b-8504-846b69314620\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WindowsSecurityEvents\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Windows Security Events (AMA) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Security Events via Legacy Agent Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CLAA#windows-agent-based-connections)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"b2737fbc-c0e2-4584-9fba-ee7d057d7db0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecurityEvent\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityEvent\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"9a8b0649-e79b-4a30-be25-4a5486f302ee\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"SecurityEvents\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Security Events via Legacy Agent Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [DNS Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#dns)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNS\",\"label\":\"Status\",\"type\":1,\"query\":\"DnsEvents\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"2d8731f5-c225-4a39-9914-6391b2c89ecb\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"DNS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"DNS Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Storage Accounts Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-storage-account)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4f291c03-8d98-47b6-ba82-1282322bb7a5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"StorageLogs\",\"label\":\"Status\",\"type\":1,\"query\":\"StorageBlobLogs\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"6d9cd26b-3fcd-4556-b2eb-3dcb711c4de4\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureStorageAccount\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Storage Logs Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Common Event Format (CEF) Connector](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4fcf795c-75b8-4010-bd24-1d66511ff6e8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CommonSecurityLog\",\"label\":\"Status\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"452e02e1-b0c4-4b9b-8a54-bc9295db22b9\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"CEF\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Common Event Format (CEF) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Syslog Connector](https://docs.microsoft.com/azure/sentinel/connect-syslog)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"fa63a08f-dd08-4e11-bcb6-c075a6d6c15c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Syslog\",\"label\":\"Status\",\"type\":1,\"query\":\"Syslog\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"021644a3-bd51-4b09-8117-017a89c71d58\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Syslog\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Syslog Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Amazon Web Services (AWS) Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"18ed59f0-c497-44b1-94b7-8700051cf189\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AWS\",\"label\":\"Status\",\"type\":1,\"query\":\"AWSCloudTrail\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"393c465e-4398-428b-8da2-87ac07d8a987\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AWS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Amazon Web Services (AWS) S3 Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AWSS3\",\"label\":\"Status\",\"type\":1,\"query\":\"AWSVPCFlow\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AwsS3\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) S3 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Google Cloud Platform IAM Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#google-cloud-platform-iam-via-codeless-connector-framework)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"GCP\",\"label\":\"Status\",\"type\":1,\"query\":\"GCP_IAM_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"1f2ba663-dd7a-49b6-87ba-0b8adf6d2d34\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) S3 Connector - Copy\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Basic Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft 365 Defender Connector](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"M365Defender\",\"label\":\"Status\",\"type\":1,\"query\":\"AlertEvidence\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 
3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftThreatProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft 365 Defender Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Endpoint Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-endpoint)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MDE\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"MDATP\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftDefenderAdvancedThreatProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft 365 Defender Connector - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureFirewall\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureFirewall\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Windows Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WindowsFirewall\",\"label\":\"Status\",\"type\":1,\"query\":\"WindowsFirewall\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WindowsFirewall\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Windows Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Web Application Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-web-application-firewall-waf)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureWAF\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceType in (\\\"APPLICATIONGATEWAYS\\\", \\\"FRONTDOORS\\\", \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\", \\\"PROFILES\\\")\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WAF\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Web Application Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure SQL Databases Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-sql-databases)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SQL\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where Category contains \\\"SQL\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"2d8731f5-c225-4a39-9914-6391b2c89ecb\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureSql\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"SQL Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Key Vault Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-key-vault)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureKeyVault\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceProvider == \\\"MICROSOFT.KEYVAULT\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureKeyVault\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Key Vault Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure DDoS Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-ddos-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DDoS\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceType == \\\"PUBLICIPADDRESSES\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"DDOS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure DDoS Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [VMware Carbon Black Cloud via AWS S3](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#vmware-carbon-black-cloud-via-aws-s3)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"VMwareCarbon\",\"label\":\"Status\",\"type\":1,\"query\":\"CarbonBlack_Alerts_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"VMwareESXi\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"VMware ESXi Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Cloud: Continuous Export](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export?tabs=azure-portal)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecurityRecommendation\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityRecommendation\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Feature\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Continuous Export 
Connector\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Intermediate Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Purview Information Protection](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-purview-information-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MicrosoftPurviewInformationProtection\",\"type\":1,\"query\":\"MicrosoftPurviewInformationProtection​​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Status\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureInformationProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Information Protection Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Dynamics 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#dynamics365)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Dynamics365Activity\",\"label\":\"Status\",\"type\":1,\"query\":\"Dynamics365Activity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Dynamics365\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Dynamics 365 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Kubernetes Service (AKS) Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-kubernetes-service-aks)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AKS\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"kube-audit\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureKubernetes\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Kubernetes Service (AKS) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Qualys Vulnerability Management Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#qualys-vulnerability-management-via-codeless-connector-framework)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Qualys\",\"label\":\"Status\",\"type\":1,\"query\":\"QualysHostDetectionV3_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"QualysVulnerabilityManagement\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Qualys Vulnerability Management Connector\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Advanced Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Entity Behavior (UEBA)](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"BehaviorAnalytics\",\"label\":\"Status\",\"type\":1,\"query\":\"BehaviorAnalytics​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 
1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Feature\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"EntitySearchBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\"}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Entity Behavior (UEBA) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Entra ID Protection Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-entra-id-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AADIP\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert | where ProductName == \\\"Azure Active Directory Identity Protection\\\"​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActiveDirectoryIdentityProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Active Directory Identity Protection Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Threat Intelligence TAXII Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-taxii)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TAXII\",\"label\":\"Status\",\"type\":1,\"query\":\"ThreatIntelligenceIndicator | where SourceSystem !in (\\\"SecurityGraph\\\", \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\") ​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligenceTaxii\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Threat Intelligence TAXII Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Threat Intelligence Platform Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-tip)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatIntelligence\",\"label\":\"Status\",\"type\":1,\"query\":\"ThreatIntelligenceIndicator | where SourceSystem in (\\\"SecurityGraph\\\", \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\") ​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligence\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Threat Intelligence Platform Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for IoT Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-iot)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MD4IOT\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert | where ProductName == \\\"Azure Security Center for IoT\\\"​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"IoT\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Defender for IoT Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Purview: Insider Risk Management Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-purview-information-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IRM\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProductName == \\\"Microsoft 365 Insider Risk Management\\\"​​\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"OfficeIRM\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Purview: Insider Risk Management Connector\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 6\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"isDCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Recommended Data Connectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Recommended Content](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog)\\r\\n---\\r\\n\\r\\nThe following content packages provide utility for regulated industries use cases.\"},\"name\":\"NS Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/sentinel-solutions\",\"linkTarget\":\"Url\",\"linkLabel\":\"About Microsoft Sentinel Content & Solutions\",\"style\":\"link\"},{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog\",\"linkTarget\":\"Url\",\"linkLabel\":\"Content Hub Catalog\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"40\",\"name\":\"group - 4\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 
2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"76c7831e-386d-4289-8145-486f52cba8ec\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Content Hub >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ContentHub.ReactView\",\"extensionName\":\"Microsoft_Azure_SentinelUS\"}}]},\"customWidth\":\"40\",\"name\":\"EL0\"}]},\"name\":\"group - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [NIST SP 800-53 Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n\\r\\n---\\r\\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with NIST SP 800-53 control requirements. This offering telemetry from 25+ Microsoft Security products (1P/3P/Multi-Cloud/Hybrid/On-Premises). Each NIST SP 800-53 control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-nist-sp-800-53-solution/ba-p/3381485\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/ju9hxtYnj7s\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NISTSP80053\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Workbooks/Images/NISTSP80053Black.png?raw=true)\"},\"customWidth\":\"90\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Threat Analysis & Response Solution](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response)\\r\\n---\\r\\n\\r\\nThis solution enables SecOps Analysts, Threat Intelligence Professional, and Threat Hunters to gain situational awareness for threats in cloud environment. The Solution includes (2) Workbooks designed to enable threat hunting programs. Threat analysis provides an understanding of where the attacker is in the cycle which often drives both a historic lens of where the threat may have progressed, but also predictive analytics on the threat’s objectives. This approach is adversarial as understanding of the threat’s attack cycle drives defense actions in a red versus blue model. 
The Threat Analysis & Response Solution augments the customer burden of building threat hunting programs.\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ThreatAnalysis%26Response/Workbooks/Images/ThreatAnalysis%26ResponseWhite1.png?raw=true)\"},\"customWidth\":\" 100\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Zero Trust (TIC 3.0) Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n\\r\\n---\\r\\nThe Microsoft Sentinel Zero Trust (TIC 3.0) Solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across cloud, multi-cloud, 1st/3rd party workloads. The solution includes the new Zero Trust (TIC 3.0) Workbook, (1) Analytics Rule, and (3) Playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced with numerous Microsoft offerings.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/next-evolution-of-the-microsoft-sentinel-zero-trust-tic-3-0/ba-p/3278097\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/CxLzTRPuw-4\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ZeroTrust(TIC3.0)\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"Zero Trust Solution\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cybersecurity Maturity Model Certification (CMMC) 2.0](https://dodcio.defense.gov/CMMC/)\\r\\n---\\r\\n\\r\\nThis solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/assessment/reporting, (2) Analytics rules for monitoring and (3) Playbooks for response/remediation. CMMC 2.0 is the next iteration of the Department’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-cybersecurity-maturity-model/ba-p/3295095\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/-_a5HxJgriE\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Azure Security Benchmark v3](https://docs.microsoft.com/security/benchmark/azure/)\\r\\n---\\r\\n\\r\\nEnables Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to gain situational awareness for cloud security posture and hardening. Benchmark recommendations provide a starting point for selecting specific security configuration settings and facilitate risk reduction. The Azure Security Benchmark includes a collection of high-impact security recommendations for improving posture. This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/azure-security-benchmark-v3-workbook/ba-p/3257673\",\"linkTarget\":\"Url\",\"linkLabel\":\"Announce Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/v57gWjvcY4o\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"cc5f4830-f090-4f5e-afb2-47adba6be532\",\"cellValue\":\"https://youtu.be/qVJjwOipHDA\",\"linkTarget\":\"Url\",\"linkLabel\":\"ASC in the Field\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Workbooks/Azure%20Security%20Benchmark%20v3\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsoft Insider Risk Management Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786)\\r\\n---\\r\\n\\r\\nInsider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization, including acting on cases and escalating cases to Microsoft Advanced eDiscovery. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards. 
Insider risks come in various forms including both witting (intentional) and unwitting (unintentional). This workbook provides an automated visualization of Insider risk behavior cross walked to Microsoft security offerings.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MicrosoftInsiderRiskManagement\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [IT/OT Threat Monitoring Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184)\\r\\n---\\r\\n\\r\\nThis solution provides the foundation for building a SOC for monitoring IoT/ OT and includes (1) workbook for visibility/reporting, (14) analytics rules for monitoring, and (4) playbooks for response. The workbook leverages Microsoft Sentinel telemetry to create visualization to understand, analyze, and respond to IoT/OT threats. Understanding alerts over time provides unprecedented insights into security posture and where teams need to focus to harden against threats. Deep links directly to Microsoft Defender for IoT alerts empower analysts to focus on remediating threats rather than pivoting between tools.
\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"8f7dce97-a41c-42b3-b62f-a21fbf5a1420\",\"cellValue\":\"https://youtu.be/hZS2aplJoy8\",\"linkTarget\":\"Url\",\"linkLabel\":\"YouTube Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/readme.md\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Maturity Model for Event Log Management Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842)\\r\\n---\\r\\n\\r\\nThis solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident.\\\"Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. 
This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency.\\\" For more information, see 💡[OMB's M-21-31 Memorandum](https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)\\r\\n\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/quV_80ts__k\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MaturityModelForEventLogManagementM2131\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence Workbook](https://docs.microsoft.com/security/benchmark/azure/)\\r\\n---\\r\\n\\r\\nThe most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. 
This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions.
\\r\\n\\r\\n---\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-azure-sentinel-threat-intelligence-workbook/ba-p/2858265\",\"linkTarget\":\"Url\",\"linkLabel\":\"Workbook Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/SjEG7iVVBbI\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/ThreatIntelligence.json\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"Zero Trust Solution - Copy - Copy - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isGCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Recommended Content\"}],\"fromTemplateId\":\"sentinel-ContinuousDiagnostics&Mitigation\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -286,7 +286,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
 "properties": {
- "description": "@{workbookKey=ContinuousDiagnostics&Mitigation; logoFileName=Azure_Sentinel.svg; description=Select the time range for this Overview.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=ContinuousDiagnostics&Mitigation; templateRelativePath=ContinuousDiagnostics&Mitigation.json; subtitle=; provider=Microsoft}.description",
+ "description": "@{workbookKey=ContinuousDiagnostics&Mitigation; logoFileName=Azure_Sentinel.svg; description=Select the time range for this Overview.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=ContinuousDiagnostics&Mitigation; templateRelativePath=ContinuousDiagnostics&Mitigation.json; subtitle=; provider=Microsoft}.description",
 "parentId": "[variables('workbookId1')]",
 "contentId": "[variables('_workbookContentId1')]",
 "kind": "Workbook",
@@ -328,12 +328,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "ContinuousDiagnostics&Mitigation",
 "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "
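Review bot: The workbook metadata `description` on the new side is still the literal string `@{workbookKey=ContinuousDiagnostics&Mitigation; ... version=1.0.1; ... provider=Microsoft}.description`, which looks like a PowerShell hashtable rendered by ToString() with a trailing `.description` — the output of `"$obj.description"` when the member access is not wrapped in `$()`. Bumping `version=1.0.0` to `version=1.0.1` inside that string updates an artifact rather than the workbook's description; the property should carry the plain text, e.g. `"description": "Select the time range for this Overview."`, although that inner value itself reads like a parameter tooltip rather than a workbook summary, so confirm the intended text against the workbook metadata. If this value is emitted by the packaging script, fix the interpolation there (presumably `$($workbook.description)`) instead of hand-editing mainTemplate.json, otherwise the next repackage will reintroduce it.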

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

This solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/reporting, (1) Analytics rule for monitoring and (1) Hunting query for assessment.

\n

The Cybersecurity and Infrastructure Security Agency (CISA) Continuous Diagnostics and Mitigation (CDM) Program is a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program provides cybersecurity tools, integration services, and dashboards to participating agencies to help them improve their respective security postures by delivering better visibility and awareness of their networks and defending against cyber adversaries.For more information, see Continuous Diagnostics and Mitigation (CDM).

\n

Workbooks: 1, Analytic Rules: 1, Hunting Queries: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

This solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/reporting, (1) Analytics rule for monitoring and (1) Hunting query for assessment.

\n

The Cybersecurity and Infrastructure Security Agency (CISA) Continuous Diagnostics and Mitigation (CDM) Program is a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program provides cybersecurity tools, integration services, and dashboards to participating agencies to help them improve their respective security postures by delivering better visibility and awareness of their networks and defending against cyber adversaries.For more information, see Continuous Diagnostics and Mitigation (CDM).

\n

Workbooks: 1, Analytic Rules: 1, Hunting Queries: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
diff --git a/Solutions/ContinuousDiagnostics&Mitigation/ReleaseNotes.md b/Solutions/ContinuousDiagnostics&Mitigation/ReleaseNotes.md
index e1bbb822630..02617915ec4 100644
--- a/Solutions/ContinuousDiagnostics&Mitigation/ReleaseNotes.md
+++ b/Solutions/ContinuousDiagnostics&Mitigation/ReleaseNotes.md
@@ -1,4 +1,5 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|-----------------------------------------------------------------------------------------------|
+| 3.0.2 | 29-09-2025 | Updated the broken metrics in the workbook |
 | 3.0.1 | 29-01-2024 | Updated the solution to fix Analytic Rules deployment issue |
 | 3.0.0 | 09-11-2023 | Changes for rebranding from Azure Active Directory Identity Protection to Microsoft Entra ID Protection |
\ No newline at end of file
diff --git a/Solutions/ContinuousDiagnostics&Mitigation/Workbooks/ContinuousDiagnostics&Mitigation.json b/Solutions/ContinuousDiagnostics&Mitigation/Workbooks/ContinuousDiagnostics&Mitigation.json
index a97fc056764..db2af5d5f61 100644
--- a/Solutions/ContinuousDiagnostics&Mitigation/Workbooks/ContinuousDiagnostics&Mitigation.json
+++ b/Solutions/ContinuousDiagnostics&Mitigation/Workbooks/ContinuousDiagnostics&Mitigation.json
@@ -1241,7 +1241,7 @@
 {
 "type": 1,
 "content": {
- "json": "# [Asset Management](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\r\n---\r\nAsset Management Capability Area addresses “What is on the Network?’ and focuses on identifying and \r\nmonitoring Agency devices, ensuring that they are properly configured, and vulnerabilities have been identified and remediated. The Asset Management Capability Area consists of the HWAM, SWAM, CSM, VUL, and EMM capabilities.These functions are briefly summarized below, and the requirements are separately specified later in the HWAM, SWAM, CSM, VUL, and EMM sections.\r\n"
+ "json": "# [Asset Management](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\r\n---\r\nAsset Management Capability Area addresses “What is on the Network?’ and focuses on identifying and \r\nmonitoring Agency devices, ensuring that they are properly configured, and vulnerabilities have been identified and remediated. The Asset Management Capability Area consists of the HWAM, SWAM, CSM, VUL, and EMM capabilities.These functions are briefly summarized below, and the requirements are separately specified later in the HWAM, SWAM, CSM, VUL, and EMM sections.\r\n"
 },
 "customWidth": "40",
 "name": "Common Requirements Overview" 
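Review bot: The 3.0.2 row this commit adds to ReleaseNotes.md reads `| 3.0.2 | 29-09-2025 | Updated the broken metrics in the workbook |`, but this hunk and the HWAM, SWAM, Identity & Access, TRUST, CRED, PRIV, NSM and BOUND hunks that follow only replace the CDM Technical Volume 2 link target (gsa.gov to cisa.gov) inside markdown text blocks; no query or metric is touched in the hunks visible here. Unless hunks outside this view change metric queries, the changelog misdescribes the release, which matters because operators decide whether to roll a Sentinel solution upgrade into production from that row. A wording such as `| 3.0.2 | 29-09-2025 | Updated broken CDM reference links in the workbook |` would match the visible change. Noting in the same row that the CDM Technical Volume 2 reference moved to CISA would also tell readers where the previous citation went, since that pinned PDF is the only source cited for these capability descriptions.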
@@ -1376,7 +1376,7 @@
 {
 "type": 1,
 "content": {
- "json": "# [Hardware Asset Management (HWAM)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\r\nThe HWAM capability discovers IP-addressable hardware on a network.\r\nHWAM establishes and maintains an authorized hardware inventory baseline, unique identifiers (UIDs) for hardware, and other properties, such as the manager of the hardware.\r\nHWAM also establishes and maintains the actual inventory of hardware in accordance with data currency requirements, along with information needed to assess the risk to and locate the hardware.\r\nThe capability to maintain and update the inventory needs to allow for decentralized administration and only for assets for which they are accountable. Data in the authorized hardware inventory baseline must be validated continuously through automated hardware discovery. Manual processes, such as assigning hardware to the baseline, are expected to integrate with and be supported by automated processes.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://docs.microsoft.com/azure/governance/resource-graph/overview)
\r\n🔷 [ConfigurationData](https://docs.microsoft.com/azure/azure-monitor/reference/tables/configurationdata) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)\r\n\r\n### Implementation \r\n💡 [Introduction to Hardware Inventory](https://docs.microsoft.com/mem/configmgr/core/clients/manage/inventory/introduction-to-hardware-inventory)
\r\n💡 [Explore and Manage Your Resources With Asset Inventory](https://docs.microsoft.com/azure/security-center/asset-inventory)
\r\n💡 [Device Management Overview](https://docs.microsoft.com/mem/intune/fundamentals/what-is-device-management)
\r\n💡 [What is Azure Resource Graph?](https://docs.microsoft.com/azure/governance/resource-graph/overview)
\r\n💡 [Configure data collection for the Azure Monitor agent](https://docs.microsoft.com/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent)
\r\n\t\r\n### Control Assessment"
+ "json": "# [Hardware Asset Management (HWAM)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\r\nThe HWAM capability discovers IP-addressable hardware on a network.\r\nHWAM establishes and maintains an authorized hardware inventory baseline, unique identifiers (UIDs) for hardware, and other properties, such as the manager of the hardware.\r\nHWAM also establishes and maintains the actual inventory of hardware in accordance with data currency requirements, along with information needed to assess the risk to and locate the hardware.\r\nThe capability to maintain and update the inventory needs to allow for decentralized administration and only for assets for which they are accountable. Data in the authorized hardware inventory baseline must be validated continuously through automated hardware discovery. Manual processes, such as assigning hardware to the baseline, are expected to integrate with and be supported by automated processes.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://docs.microsoft.com/azure/governance/resource-graph/overview)
\r\n🔷 [ConfigurationData](https://docs.microsoft.com/azure/azure-monitor/reference/tables/configurationdata) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)\r\n\r\n### Implementation \r\n💡 [Introduction to Hardware Inventory](https://docs.microsoft.com/mem/configmgr/core/clients/manage/inventory/introduction-to-hardware-inventory)
\r\n💡 [Explore and Manage Your Resources With Asset Inventory](https://docs.microsoft.com/azure/security-center/asset-inventory)
\r\n💡 [Device Management Overview](https://docs.microsoft.com/mem/intune/fundamentals/what-is-device-management)
\r\n💡 [What is Azure Resource Graph?](https://docs.microsoft.com/azure/governance/resource-graph/overview)
\r\n💡 [Configure data collection for the Azure Monitor agent](https://docs.microsoft.com/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent)
\r\n\t\r\n### Control Assessment"
 },
 "name": "text - 3"
 },
@@ -2110,7 +2110,7 @@
 {
 "type": 1,
 "content": {
- "json": "# [Software Asset Management (SWAM)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\r\nThe SWAM capability discovers software installed on devices operating on an Agency’s network that are categorized as endpoints.6 A complete, accurate, and timely software inventory is essential to support awareness and effective control of software vulnerabilities and security configuration settings.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SecurityEvent](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/security/business/threat-protection/endpoint-defender)
\r\n🔷 [ConfigurationData](https://docs.microsoft.com/azure/azure-monitor/reference/tables/configurationdata) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation \r\n💡 [View Installed Software](https://docs.microsoft.com/azure/automation/automation-tutorial-installed-software#view-installed-software)\r\n💡 [Device Management Overview](https://docs.microsoft.com/mem/intune/fundamentals/what-is-device-management)
\r\n💡 [Microsoft 365 Defender integration with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration)
\r\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\r\n\t\r\n### Control Assessment"
+ "json": "# [Software Asset Management (SWAM)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\r\nThe SWAM capability discovers software installed on devices operating on an Agency’s network that are categorized as endpoints.6 A complete, accurate, and timely software inventory is essential to support awareness and effective control of software vulnerabilities and security configuration settings.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SecurityEvent](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/security/business/threat-protection/endpoint-defender)
\r\n🔷 [ConfigurationData](https://docs.microsoft.com/azure/azure-monitor/reference/tables/configurationdata) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation \r\n💡 [View Installed Software](https://docs.microsoft.com/azure/automation/automation-tutorial-installed-software#view-installed-software)\r\n💡 [Device Management Overview](https://docs.microsoft.com/mem/intune/fundamentals/what-is-device-management)
\r\n💡 [Microsoft 365 Defender integration with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration)
\r\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\r\n\t\r\n### Control Assessment"
 },
 "name": "text - 3"
 },
@@ -2628,7 +2628,7 @@
 {
 "type": 1,
 "content": {
- "json": "# [Identity & Access Management](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\r\n---\r\nCapability Area that addresses “Who is on the network” and consists of related capabilities that support the IdAM security discipline (i.e., TRUST, BEHAVE, CRED, PRIV). IdAM provides identity proofing and authentication aspects under identity management. It also supports the use, maintenance, and protection of sensitive resources (e.g., data, systems)."
+ "json": "# [Identity & Access Management](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\r\n---\r\nCapability Area that addresses “Who is on the network” and consists of related capabilities that support the IdAM security discipline (i.e., TRUST, BEHAVE, CRED, PRIV). IdAM provides identity proofing and authentication aspects under identity management. It also supports the use, maintenance, and protection of sensitive resources (e.g., data, systems)."
 },
 "customWidth": "40",
 "name": "Common Requirements Overview" 
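Review bot: On the new side of this SWAM text block the SigninLogs row still reads `✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)`, while the PRIV block later in the same file labels the identical link `✳️ [Microsoft Entra ID]` and the implementation bullet a few lines below in this very block already says "Connect Microsoft Entra ID data to Microsoft Sentinel". The TRUST and CRED hunks further down carry the same outdated label on their SigninLogs rows. Since these `json` lines are being rewritten anyway, changing the label to `✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)` in the three blocks would make the Recommended Logs sections consistent with the rest of the workbook and with the Entra ID rebranding recorded in the 3.0.0 row of ReleaseNotes.md.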
@@ -2789,7 +2789,7 @@
 {
 "type": 1,
 "content": {
- "json": "# [User Trust (TRUST)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\r\nThe CDM TRUST capability reduces the probability of loss in \r\navailability, integrity, and confidentiality of data by ensuring that only properly vetted \r\nusers are given access to credentials and systems commensurate with their role. This \r\nincludes elevated privileges and special security roles. The vetted trust level is \r\nproperly monitored and renewed, per agency policies and applicable statutes.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation\r\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\r\n💡 [Continuously export Microsoft Defender for Cloud data](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export)
\r\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\r\n💡 [Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/investigate-cases)
\r\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\r\n💡 [What are custom security attributes in Microsoft Entra ID?](https://docs.microsoft.com/azure/active-directory/fundamentals/custom-security-attributes-overview)
\r\n\r\n### Control Assessment"
+ "json": "# [User Trust (TRUST)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\r\nThe CDM TRUST capability reduces the probability of loss in \r\navailability, integrity, and confidentiality of data by ensuring that only properly vetted \r\nusers are given access to credentials and systems commensurate with their role. This \r\nincludes elevated privileges and special security roles. The vetted trust level is \r\nproperly monitored and renewed, per agency policies and applicable statutes.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation\r\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\r\n💡 [Continuously export Microsoft Defender for Cloud data](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export)
\r\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\r\n💡 [Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/investigate-cases)
\r\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\r\n💡 [What are custom security attributes in Microsoft Entra ID?](https://docs.microsoft.com/azure/active-directory/fundamentals/custom-security-attributes-overview)
\r\n\r\n### Control Assessment"
 },
 "name": "text - 3"
 },
@@ -3421,7 +3421,7 @@
 {
 "type": 1,
 "content": {
- "json": "# [Credentials & Authenticators (CRED)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\r\nThe CDM CRED (credentials and authenticators) capability ensures that account credentials are assigned to, and are used only by, authorized users or services to access agency systems, services, and facilities. CRED binds a type of credential or authenticator to an identity established in TRUST with a level of assurance and is used to grant logical access. The CRED capability will apply only to in-scope users (employees and contractors, who will each have a PIV card). In-scope users have network accounts, where the primary control mechanism for network authentication is the Agency’s Microsoft Active Directory Implementation.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation\r\n💡 [Azure Key Vault basic concepts](https://docs.microsoft.com/azure/key-vault/general/basic-concepts)
\r\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\r\n💡 [Continuously export Microsoft Defender for Cloud data](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export)
\r\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\r\n💡 [Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/investigate-cases)
\r\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\r\n💡 [What are custom security attributes in Microsoft Entra ID?](https://docs.microsoft.com/azure/active-directory/fundamentals/custom-security-attributes-overview)
\r\n\r\n### Control Assessment"
+ "json": "# [Credentials & Authenticators (CRED)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\r\nThe CDM CRED (credentials and authenticators) capability ensures that account credentials are assigned to, and are used only by, authorized users or services to access agency systems, services, and facilities. CRED binds a type of credential or authenticator to an identity established in TRUST with a level of assurance and is used to grant logical access. The CRED capability will apply only to in-scope users (employees and contractors, who will each have a PIV card). In-scope users have network accounts, where the primary control mechanism for network authentication is the Agency’s Microsoft Active Directory Implementation.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation\r\n💡 [Azure Key Vault basic concepts](https://docs.microsoft.com/azure/key-vault/general/basic-concepts)
\r\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\r\n💡 [Continuously export Microsoft Defender for Cloud data](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export)
\r\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\r\n💡 [Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/investigate-cases)
\r\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\r\n💡 [What are custom security attributes in Microsoft Entra ID?](https://docs.microsoft.com/azure/active-directory/fundamentals/custom-security-attributes-overview)
\r\n\r\n### Control Assessment"
 },
 "name": "text - 3"
 },
@@ -4131,7 +4131,7 @@
 {
 "type": 1,
 "content": {
- "json": "# [Privileges (PRIV)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\r\nThe CDM PRIV capability provides the agency with insight into risks associated with authorized users being granted excessive privileges to systems and information at any level of sensitivity. The purpose of the capability is to ensure that privileges for logical access are assigned to authorized people or accounts that require authorized access for job functions. This capability is dependent on the existence of a set of attributes that denote roles or characteristics that require or restrict specific privileges per policy. Non-person entities are not covered by PRIV. The PRIV capability will apply only to in-scope users (employees and contractors, who will each have a PIV card) and associated accounts.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation\r\n💡 [What is Microsoft Entra ID Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\r\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\r\n💡 [Continuously export Microsoft Defender for Cloud data](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export)
\r\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\r\n💡 [Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/investigate-cases)
\r\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\r\n💡 [What are custom security attributes in Microsoft Entra ID?](https://docs.microsoft.com/azure/active-directory/fundamentals/custom-security-attributes-overview)
\r\n\r\n### Control Assessment"
+ "json": "# [Privileges (PRIV)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\r\nThe CDM PRIV capability provides the agency with insight into risks associated with authorized users being granted excessive privileges to systems and information at any level of sensitivity. The purpose of the capability is to ensure that privileges for logical access are assigned to authorized people or accounts that require authorized access for job functions. This capability is dependent on the existence of a set of attributes that denote roles or characteristics that require or restrict specific privileges per policy. Non-person entities are not covered by PRIV. The PRIV capability will apply only to in-scope users (employees and contractors, who will each have a PIV card) and associated accounts.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n### Implementation\r\n💡 [What is Microsoft Entra ID Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\r\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\r\n💡 [Continuously export Microsoft Defender for Cloud data](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export)
\r\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\r\n💡 [Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/investigate-cases)
\r\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\r\n💡 [What are custom security attributes in Microsoft Entra ID?](https://docs.microsoft.com/azure/active-directory/fundamentals/custom-security-attributes-overview)
\r\n\r\n### Control Assessment"
 },
 "name": "text - 3"
 },
@@ -4933,7 +4933,7 @@
 {
 "type": 1,
 "content": {
- "json": "# [Network Security Management](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\r\n---\r\nThe Network Security Management (NSM) Capability Area builds on the CDM capabilities provided by Asset Management and Identity and Access Management. The NSM capabilities include network and perimeter components, host and device components, data at rest and in transit, and user behavior and activities. NSM capabilities move beyond asset management to a more extensive and dynamic monitoring of security controls. This includes preparing for and responding to behavior incidents, ensuring that software/system quality is integrated into the network/infrastructure, detecting internal actions and behaviors to determine who is doing what, and finally, mitigating security incidents to prevent propagation throughout the network/infrastructure.\r\n"
+ "json": "# [Network Security Management](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\r\n---\r\nThe Network Security Management (NSM) Capability Area builds on the CDM capabilities provided by Asset Management and Identity and Access Management. The NSM capabilities include network and perimeter components, host and device components, data at rest and in transit, and user behavior and activities. NSM capabilities move beyond asset management to a more extensive and dynamic monitoring of security controls. This includes preparing for and responding to behavior incidents, ensuring that software/system quality is integrated into the network/infrastructure, detecting internal actions and behaviors to determine who is doing what, and finally, mitigating security incidents to prevent propagation throughout the network/infrastructure.\r\n"
 },
 "customWidth": "40",
 "name": "Common Requirements Overview" 
@@ -5154,7 +5154,7 @@ { "type": 1, "content": { - "json": "# [Boundary Protection (BOUND)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\r\nDescribes how the network is protected through filtering, \r\nnetwork access control, and encryption.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n### Implementation\r\n💡 [Azure Security Benchmark: Network Security](https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries)
\r\n💡 [Deploy and configure Azure Firewall Premium](https://docs.microsoft.com/azure/firewall/premium-deploy)
\r\n💡 [Tutorial: Filter network traffic with a network security group using the Azure portal](https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic)
\r\n💡 [Tutorial: Create a Web Application Firewall policy on Azure Front Door using the Azure portal](https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-create-portal)
\r\n💡 [What is Azure Network Watcher?](https://docs.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview)
\r\n💡 [Quickstart: Create a virtual network using the Azure portal](https://docs.microsoft.com/azure/virtual-network/quick-create-portal)
\r\n💡 [Quickstart: Deploy Azure Bastion with default settings](https://docs.microsoft.com/azure/bastion/quickstart-host-portal)
\r\n\r\n### Control Assessment" + "json": "# [Boundary Protection (BOUND)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\r\nDescribes how the network is protected through filtering, \r\nnetwork access control, and encryption.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n### Implementation\r\n💡 [Azure Security Benchmark: Network Security](https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries)
\r\n💡 [Deploy and configure Azure Firewall Premium](https://docs.microsoft.com/azure/firewall/premium-deploy)
\r\n💡 [Tutorial: Filter network traffic with a network security group using the Azure portal](https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic)
\r\n💡 [Tutorial: Create a Web Application Firewall policy on Azure Front Door using the Azure portal](https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-create-portal)
\r\n💡 [What is Azure Network Watcher?](https://docs.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview)
\r\n💡 [Quickstart: Create a virtual network using the Azure portal](https://docs.microsoft.com/azure/virtual-network/quick-create-portal)
\r\n💡 [Quickstart: Deploy Azure Bastion with default settings](https://docs.microsoft.com/azure/bastion/quickstart-host-portal)
\r\n\r\n### Control Assessment" }, "name": "text - 3" }, @@ -5749,7 +5749,7 @@ { "type": 1, "content": { - "json": "# [Manage Events (MNGEVT)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\r\nDescribes ongoing assessment, preparing for events/incidents, audit data collection from appropriate sources, and identifying incidents through the analysis of data.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n### Implementation\r\n💡 [Tutorial: Collect and analyze resource logs from an Azure resource](https://docs.microsoft.com/azure/azure-monitor/essentials/tutorial-resource-logs)
\r\n💡 [Plan your Microsoft Defender for Endpoint deployment](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/deployment-strategy)
\r\n\r\n### Control Assessment" + "json": "# [Manage Events (MNGEVT)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\r\nDescribes ongoing assessment, preparing for events/incidents, audit data collection from appropriate sources, and identifying incidents through the analysis of data.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n### Implementation\r\n💡 [Tutorial: Collect and analyze resource logs from an Azure resource](https://docs.microsoft.com/azure/azure-monitor/essentials/tutorial-resource-logs)
\r\n💡 [Plan your Microsoft Defender for Endpoint deployment](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/deployment-strategy)
\r\n\r\n### Control Assessment" }, "name": "text - 3" }, @@ -6274,7 +6274,7 @@ { "type": 1, "content": { - "json": "# [Endpoint Detection & Response (EDR)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\r\nThe EDR capability provides cybersecurity monitoring and control of endpoint devices.29 EDR spans the full cybersecurity lifecycle, from the detection of events (observable occurrences in a network or system) and incidents (events that have been determined to have an impact on the organization, prompting the need for response and recovery) on endpoint devices (i.e., workstations, servers, laptops, thin clients, and virtual desktops) and users, to attack responses and incident follow-up and analysis.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
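Review bot: The rewritten EDR header string still carries a footnote marker from the PDF copy, `control of endpoint devices.29 EDR spans`, and is missing the separator before the DeviceRegistryEvents link (`devicefileevents)🔷 [DeviceRegistryEvents]`), so the two table links render fused in the workbook. Since the `+` line replaces the whole string anyway, drop the `29` and insert the space; only the markdown text changes, not the structure of the item. The other rewritten headers in this commit are worth the same quick read for copy-paste residue.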
\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) 🔷 [DeviceEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceevents) 🔷 [DeviceNetworkEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicenetworkevents) 🔷 [DeviceLogonEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicelogonevents) 🔷 [DeviceFileEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicefileevents)🔷 [DeviceRegistryEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceregistryevents) 🔷 [DeviceProcessEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceprocessevents) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\r\n\r\n### Implementation\r\n💡 [Microsoft 365 Defender integration with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration)
\r\n💡 [Connect data from Microsoft 365 Defender to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)
\r\n\r\n### Control Assessment" + "json": "# [Endpoint Detection & Response (EDR)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\r\nThe EDR capability provides cybersecurity monitoring and control of endpoint devices.29 EDR spans the full cybersecurity lifecycle, from the detection of events (observable occurrences in a network or system) and incidents (events that have been determined to have an impact on the organization, prompting the need for response and recovery) on endpoint devices (i.e., workstations, servers, laptops, thin clients, and virtual desktops) and users, to attack responses and incident follow-up and analysis.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) 🔷 [DeviceEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceevents) 🔷 [DeviceNetworkEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicenetworkevents) 🔷 [DeviceLogonEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicelogonevents) 🔷 [DeviceFileEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicefileevents)🔷 [DeviceRegistryEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceregistryevents) 🔷 [DeviceProcessEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceprocessevents) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\r\n\r\n### Implementation\r\n💡 [Microsoft 365 Defender integration with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration)
\r\n💡 [Connect data from Microsoft 365 Defender to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)
\r\n\r\n### Control Assessment" }, "name": "text - 3" }, @@ -6826,7 +6826,7 @@ { "type": 1, "content": { - "json": "# [Operate, Monitor, & Improve (OMI)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\r\nDescribes ongoing authorization, audit data \r\naggregation/correlation and analysis, incident prioritization and response, and post-incident activities (e.g., information sharing).\r\n\r\n### Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
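Review bot: The OMI implementation list keeps the link to the NIST SP 800-53 Rev. 4 built-in initiative (`nist-sp-800-53-r4`) while its label, `Details of the NIST SP 800-53 Regulatory Compliance built-in initiative`, names no revision, so a reader cannot tell which baseline the workbook is assessing against. Azure Policy also ships a Rev. 5 built-in initiative; if that is the intended baseline, retarget the link at the `nist-sp-800-53-r5` sample page, otherwise make the label explicit, `Details of the NIST SP 800-53 Rev. 4 Regulatory Compliance built-in initiative`. Either way only the link text or target changes.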
\r\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/SecurityRegulatoryCompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n### Implementation\r\n💡 [Tutorial: Improve your regulatory compliance](https://docs.microsoft.com/azure/defender-for-cloud/regulatory-compliance-dashboard)
\r\n💡 [Details of the NIST SP 800-53 Regulatory Compliance built-in initiative](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4)
\r\n\r\n### Control Assessment" + "json": "# [Operate, Monitor, & Improve (OMI)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\r\nDescribes ongoing authorization, audit data \r\naggregation/correlation and analysis, incident prioritization and response, and post-incident activities (e.g., information sharing).\r\n\r\n### Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/SecurityRegulatoryCompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n### Implementation\r\n💡 [Tutorial: Improve your regulatory compliance](https://docs.microsoft.com/azure/defender-for-cloud/regulatory-compliance-dashboard)
\r\n💡 [Details of the NIST SP 800-53 Regulatory Compliance built-in initiative](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4)
\r\n\r\n### Control Assessment" }, "name": "text - 3" }, @@ -7317,7 +7317,7 @@ { "type": 1, "content": { - "json": "# [Design & Build in Security (DBS)](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\r\nDescribes preventing exploitable vulnerabilities from being \r\neffective in the software/system while the software/system is in development or \r\ndeployment.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityNestedRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [GitHubAuditLogPolling_CL](https://portal.azure.com/#create/microsoftcorporation1622712991604.sentinel4githubsentinel4github) 🔷 [AzureDevOpsAuditing](https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n\r\n### Implementation\r\n💡 [Azure DevOps - audit streaming](https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming?view=azure-devops&preserve-view=true)
\r\n💡 [GitHub logging](https://docs.github.com/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization)
\r\n💡 [Protecting your GitHub assets with Microsoft Sentinel](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/protecting-your-github-assets-with-azure-sentinel/ba-p/1457721)
\r\n💡 [Deploy Microsoft Sentinel: Continuous Threat Monitoring for GitHub Solution](https://portal.azure.com/#create/microsoftcorporation1622712991604.sentinel4githubsentinel4github)
\r\n💡 [DAST tools in Azure DevOps marketplace](https://marketplace.visualstudio.com/search?term=DAST&target=AzureDevOps&category=All%20categories)
\r\n💡 [How to Implement Microsoft Defender for Cloud Vulnerability Assessment Recommendations](https://docs.microsoft.com/azure/security-center/deploy-vulnerability-assessment-vm)
\r\n💡 [Integrated Vulnerability Scanner for Virtual Machines](https://docs.microsoft.com/azure/security-center/deploy-vulnerability-assessment-vm)
\r\n💡 [SQL Vulnerability Assessment](https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment)
\r\n💡 [Exporting Microsoft Defender for Cloud Vulnerability Scan Results](https://docs.microsoft.com/azure/security-center/continuous-export)
\r\n\r\n### Control Assessment" + "json": "# [Design & Build in Security (DBS)](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\r\nDescribes preventing exploitable vulnerabilities from being \r\neffective in the software/system while the software/system is in development or \r\ndeployment.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityNestedRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [GitHubAuditLogPolling_CL](https://portal.azure.com/#create/microsoftcorporation1622712991604.sentinel4githubsentinel4github) 🔷 [AzureDevOpsAuditing](https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n\r\n### Implementation\r\n💡 [Azure DevOps - audit streaming](https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming?view=azure-devops&preserve-view=true)
\r\n💡 [GitHub logging](https://docs.github.com/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization)
\r\n💡 [Protecting your GitHub assets with Microsoft Sentinel](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/protecting-your-github-assets-with-azure-sentinel/ba-p/1457721)
\r\n💡 [Deploy Microsoft Sentinel: Continuous Threat Monitoring for GitHub Solution](https://portal.azure.com/#create/microsoftcorporation1622712991604.sentinel4githubsentinel4github)
\r\n💡 [DAST tools in Azure DevOps marketplace](https://marketplace.visualstudio.com/search?term=DAST&target=AzureDevOps&category=All%20categories)
\r\n💡 [How to Implement Microsoft Defender for Cloud Vulnerability Assessment Recommendations](https://docs.microsoft.com/azure/security-center/deploy-vulnerability-assessment-vm)
\r\n💡 [Integrated Vulnerability Scanner for Virtual Machines](https://docs.microsoft.com/azure/security-center/deploy-vulnerability-assessment-vm)
\r\n💡 [SQL Vulnerability Assessment](https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment)
\r\n💡 [Exporting Microsoft Defender for Cloud Vulnerability Scan Results](https://docs.microsoft.com/azure/security-center/continuous-export)
\r\n\r\n### Control Assessment" }, "name": "text - 3" }, @@ -8047,7 +8047,7 @@ { "type": 1, "content": { - "json": "# [Data Protection Management](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\r\n---\r\nData Protection Management (DPM) Capability Area focuses on “How is data protected?” and builds on the CDM capabilities provided by Asset Management, Identity and Access Management, and Network Security Management.\r\n" + "json": "# [Data Protection Management](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\r\n---\r\nData Protection Management (DPM) Capability Area focuses on “How is data protected?” and builds on the CDM capabilities provided by Asset Management, Identity and Access Management, and Network Security Management.\r\n" }, "customWidth": "40", "name": "Common Requirements Overview" @@ -8148,7 +8148,7 @@ { "type": 1, "content": { - "json": "# [Data Protection Management](https://www.gsa.gov/cdnstatic/Integrated_Technology_Services/CDM-PROG-2021-CDM%20Technical%20Volume%202_v24.pdf)\r\nData Protection Management (DPM) Capability Area focuses on “How is data protected?” and builds on the CDM capabilities provided by Asset Management, Identity and Access Management, and Network Security Management.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
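Review bot: Two differently labelled implementation links in the rewritten DBS header resolve to the same page: `[How to Implement Microsoft Defender for Cloud Vulnerability Assessment Recommendations](…/deploy-vulnerability-assessment-vm)` and `[Integrated Vulnerability Scanner for Virtual Machines](…/deploy-vulnerability-assessment-vm)`, so one is redundant or mis-targeted. In the same string, `🔷 [GitHubAuditLogPolling_CL]` points at a portal create blade, unlike every other `🔷` table link in the section, which points at the Azure Monitor table reference. Drop or retarget the duplicate link, and give the GitHub table link a schema or connector documentation target so the section's convention (table link, then ✳️ source link) holds.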
\r\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\r\n\r\n### Implementation\r\n💡 [Data classification overview](https://docs.microsoft.com/azure/cloud-adoption-framework/govern/policy-compliance/data-classification)
\r\n💡 [Label your sensitive data using Azure Purview](https://docs.microsoft.com/azure/purview/create-sensitivity-label)
\r\n💡 [Tag Sensitive Information Using Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection)
\r\n💡 [How to implement Azure SQL Data Discovery](https://docs.microsoft.com/azure/azure-sql/database/data-discovery-and-classification-overview)
\r\n💡 [Azure Purview data sources](https://docs.microsoft.com/azure/purview/purview-connector-overview#purview-data-sources)
\r\n💡 [Azure Key Vault overview](https://docs.microsoft.com/azure/key-vault/general/overview)
\r\n💡 [BYOK (Bring Your Own Key) specification](https://docs.microsoft.com/azure/key-vault/keys/byok-specification)
\r\n\r\n### Control Assessment" + "json": "# [Data Protection Management](https://www.cisa.gov/sites/default/files/2023-08/CDM_Tech%20Volume2_v2.5.pdf)\r\nData Protection Management (DPM) Capability Area focuses on “How is data protected?” and builds on the CDM capabilities provided by Asset Management, Identity and Access Management, and Network Security Management.\r\n\r\n### Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\r\n\r\n### Implementation\r\n💡 [Data classification overview](https://docs.microsoft.com/azure/cloud-adoption-framework/govern/policy-compliance/data-classification)
\r\n💡 [Label your sensitive data using Azure Purview](https://docs.microsoft.com/azure/purview/create-sensitivity-label)
\r\n💡 [Tag Sensitive Information Using Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection)
\r\n💡 [How to implement Azure SQL Data Discovery](https://docs.microsoft.com/azure/azure-sql/database/data-discovery-and-classification-overview)
\r\n💡 [Azure Purview data sources](https://docs.microsoft.com/azure/purview/purview-connector-overview#purview-data-sources)
\r\n💡 [Azure Key Vault overview](https://docs.microsoft.com/azure/key-vault/general/overview)
\r\n💡 [BYOK (Bring Your Own Key) specification](https://docs.microsoft.com/azure/key-vault/keys/byok-specification)
\r\n\r\n### Control Assessment"
 },
 "name": "text - 3"
 },
@@ -9476,7 +9476,7 @@
 }
 ]
 },
- "customWidth": "40",
+ "customWidth": "20",
 "name": "EL0"
 },
 {
@@ -9511,7 +9511,8 @@
 "customWidth": "40",
 "name": "links - 29"
 }
- ]
+ ],
+ "exportParameters": true
 },
 "name": "group - 7"
 },
@@ -9520,577 +9521,2935 @@ "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Foundational", + "loadType": "always", "items": [ { - "type": 11, + "type": 1, "content": { - "version": "LinkItem/1.0", - "style": "list", - "links": [ + "json": "## Foundational Connectors", + "style": "info" + }, + "name": "text - 13" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ { - "id": "58cc25ab-a9af-4516-99e1-fa22e0637a76", - "linkTarget": "OpenBlade", - "linkLabel": "Azure Activity Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ - { - "name": "dataConnectorId", - "source": "static", - "value": "AzureActiveDirectory" - } - ] - } + "type": 1, + "content": { + "json": "### [Azure Activity Connector](https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log)" + }, + "customWidth": "33", + "name": "text - 2" }, { - "id": "7c97e893-29f3-4d4c-a379-f220bb82518c", - "linkTarget": "OpenBlade", - "linkLabel": "Microsoft Entra ID Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ { - "name": "dataConnectorId", - "source": "static", - "value": "AzureActivity" + "id": "909d0019-23cb-43ad-8285-9f1dca1cd1be", + "version": "KqlParameterItem/1.0", + "name": "AzureActivity", + "label": "Status", + "type": 1, + "query": "AzureActivity\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + 
"timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" } - ] - } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector" }, { - "id": "6a86eb8d-5487-4aad-ae7b-b526e68a249f", - "linkTarget": "OpenBlade", - "linkLabel": "Office 365 Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ { - "name": "dataConnectorId", - "source": "static", - "value": "Office365" + "id": "58cc25ab-a9af-4516-99e1-fa22e0637a76", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureActivity" + } + ] + } } ] - } + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "33", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Microsoft Entra ID Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)" + }, + "customWidth": "33", + "name": "text - 2" }, { - "id": "56600b70-0e55-433a-be86-b7c561bced8b", - "linkTarget": "OpenBlade", - "linkLabel": "Microsoft Defender for Cloud Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + 
"crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ { - "name": "dataConnectorId", - "source": "static", - "value": "AzureSecurityCenter" + "id": "23ba579d-c894-43be-9fe1-d1b04bc34d7a", + "version": "KqlParameterItem/1.0", + "name": "SignInLogs", + "label": "Status", + "type": 1, + "query": "SigninLogs\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" } - ] - } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Active Directory" }, { - "id": "935bb630-1fce-4021-b7b4-c010b9e05973", - "linkTarget": "OpenBlade", - "linkLabel": "Network Security Groups Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ { - "name": "dataConnectorId", - "source": "static", - "value": "AzureNSG" + "id": "7c97e893-29f3-4d4c-a379-f220bb82518c", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureActiveDirectory" + } + ] + } } ] - } + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Azure Active Directory (AAD) Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": 
"always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Office 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-365-formerly-office-365)" + }, + "customWidth": "33", + "name": "text - 2" }, { - "id": "d002eb41-c632-429b-8504-846b69314620", - "linkTarget": "OpenBlade", - "linkLabel": "Windows Security Event (AMA) Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ { - "name": "dataConnectorId", - "source": "static", - "value": "WindowsSecurityEvents" + "id": "68bd12c8-e473-45d1-8bbc-2dd9f326ea69", + "version": "KqlParameterItem/1.0", + "name": "OfficeActivity", + "label": "Status", + "type": 1, + "query": "OfficeActivity\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" } - ] - } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy" }, { - "id": "9a8b0649-e79b-4a30-be25-4a5486f302ee", - "linkTarget": "OpenBlade", - "linkLabel": "Windows Security Event (MMA) Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ { - "name": "dataConnectorId", - "source": "static", - "value": "SecurityEvents" + "id": 
"6a86eb8d-5487-4aad-ae7b-b526e68a249f", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "Office365" + } + ] + } } ] - } + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Office 365 Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Microsoft Defender for Cloud Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#tenant-based-microsoft-defender-for-cloud)\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 2" }, { - "id": "2d8731f5-c225-4a39-9914-6391b2c89ecb", - "linkTarget": "OpenBlade", - "linkLabel": "DNS Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ { - "name": "dataConnectorId", - "source": "static", - "value": "DNS" + "id": "1673e4cf-354f-4a42-bed2-2374be47779e", + "version": "KqlParameterItem/1.0", + "name": "MDfC", + "label": "Status", + "type": 1, + "query": "SecurityAlert\r\n| where ProviderName == \"Azure Security Center\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" } - ] - } + ], + 
"style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy" }, { - "id": "6d9cd26b-3fcd-4556-b2eb-3dcb711c4de4", - "linkTarget": "OpenBlade", - "linkLabel": "Azure Storage Account Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ { - "name": "dataConnectorId", - "source": "static", - "value": "AzureStorageAccount" + "id": "56600b70-0e55-433a-be86-b7c561bced8b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureSecurityCenter" + } + ] + } } ] - } + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Microsoft Defender for Cloud Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Network Security Groups (NSG) Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#network-security-groups)" + }, + "customWidth": "33", + "name": "text - 2" }, { - "id": "452e02e1-b0c4-4b9b-8a54-bc9295db22b9", - "linkTarget": "OpenBlade", - "linkLabel": "Common Event Format (CEF) Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + 
"{Workspace}" + ], + "parameters": [ { - "name": "dataConnectorId", - "source": "static", - "value": "CEF" + "id": "b17ce357-e8d5-4c7c-a4f0-765598462a1c", + "version": "KqlParameterItem/1.0", + "name": "NSG", + "label": "Status", + "type": 1, + "query": "AzureDiagnostics\r\n| where Category == \"NetworkSecurityGroupEvent\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" } - ] - } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy" }, { - "id": "021644a3-bd51-4b09-8117-017a89c71d58", - "linkTarget": "OpenBlade", - "linkLabel": "Syslog Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ { - "name": "dataConnectorId", - "source": "static", - "value": "Syslog" + "id": "935bb630-1fce-4021-b7b4-c010b9e05973", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureNSG" + } + ] + } } ] - } - }, + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Network Security Groups (NSG) Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + 
"loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Windows Security Events (AMA) Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CAMA#windows-agent-based-connections)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "d9af27d9-8c90-4c85-a57f-f329257d9956", + "version": "KqlParameterItem/1.0", + "name": "AMA", + "label": "Status", + "type": 1, + "query": "SecurityEvent\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d002eb41-c632-429b-8504-846b69314620", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "WindowsSecurityEvents" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Windows Security Events (AMA) Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, 
+ "content": { + "json": "### [Security Events via Legacy Agent Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CLAA#windows-agent-based-connections)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "b2737fbc-c0e2-4584-9fba-ee7d057d7db0", + "version": "KqlParameterItem/1.0", + "name": "SecurityEvent", + "label": "Status", + "type": 1, + "query": "SecurityEvent\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "9a8b0649-e79b-4a30-be25-4a5486f302ee", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "SecurityEvents" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Security Events via Legacy Agent Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [DNS 
Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#dns)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc", + "version": "KqlParameterItem/1.0", + "name": "DNS", + "label": "Status", + "type": 1, + "query": "DnsEvents\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "2d8731f5-c225-4a39-9914-6391b2c89ecb", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "DNS" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "DNS Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure Storage Accounts Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-storage-account)" + }, + "customWidth": "33", + "name": "text - 2" + }, 
+ { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "4f291c03-8d98-47b6-ba82-1282322bb7a5", + "version": "KqlParameterItem/1.0", + "name": "StorageLogs", + "label": "Status", + "type": 1, + "query": "StorageBlobLogs\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "6d9cd26b-3fcd-4556-b2eb-3dcb711c4de4", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureStorageAccount" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Azure Storage Logs Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Common Event Format (CEF) Connector](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + 
"{Workspace}" + ], + "parameters": [ + { + "id": "4fcf795c-75b8-4010-bd24-1d66511ff6e8", + "version": "KqlParameterItem/1.0", + "name": "CommonSecurityLog", + "label": "Status", + "type": 1, + "query": "CommonSecurityLog\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "452e02e1-b0c4-4b9b-8a54-bc9295db22b9", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "CEF" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Common Event Format (CEF) Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Syslog Connector](https://docs.microsoft.com/azure/sentinel/connect-syslog)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "fa63a08f-dd08-4e11-bcb6-c075a6d6c15c", + "version": "KqlParameterItem/1.0", + 
"name": "Syslog", + "label": "Status", + "type": 1, + "query": "Syslog\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "021644a3-bd51-4b09-8117-017a89c71d58", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "Syslog" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Syslog Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Amazon Web Services (AWS) Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "18ed59f0-c497-44b1-94b7-8700051cf189", + "version": "KqlParameterItem/1.0", + "name": "AWS", + "label": "Status", + "type": 1, + "query": "AWSCloudTrail\r\n| limit 1\r\n| summarize count()\r\n| extend Results = 
iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "393c465e-4398-428b-8da2-87ac07d8a987", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AWS" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Amazon Web Services (AWS) Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Amazon Web Services (AWS) S3 Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "AWSS3", + "label": "Status", + "type": 1, + "query": "AWSVPCFlow\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + 
"crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AwsS3" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Amazon Web Services (AWS) S3 Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Google Cloud Platform IAM Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#google-cloud-platform-iam-via-codeless-connector-framework)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "GCP", + "label": "Status", + "type": 1, + "query": "GCP_IAM_CL\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + 
"{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "1f2ba663-dd7a-49b6-87ba-0b8adf6d2d34" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Amazon Web Services (AWS) S3 Connector - Copy", + "styleSettings": { + "showBorder": true + } + } + ], + "exportParameters": true + }, + "name": "group - 5", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Basic Connectors", + "style": "info" + }, + "name": "text - 13" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Microsoft 365 Defender Connector](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + 
"name": "M365Defender", + "label": "Status", + "type": 1, + "query": "AlertEvidence\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "MicrosoftThreatProtection" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Microsoft 365 Defender Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Microsoft Defender for Endpoint Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-endpoint)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "MDE", + "label": "Status", + "type": 1, + "query": "SecurityAlert\r\n| where ProviderName == \"MDATP\"\r\n| 
limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "MicrosoftDefenderAdvancedThreatProtection" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Microsoft 365 Defender Connector - Copy", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "AzureFirewall", + "label": "Status", + "type": 1, + "query": "AzureDiagnostics\r\n| where ResourceType == \"AZUREFIREWALLS\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not 
Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureFirewall" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Azure Firewall Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Windows Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "WindowsFirewall", + "label": "Status", + "type": 1, + "query": "WindowsFirewall\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + 
"timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "WindowsFirewall" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Windows Firewall Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure Web Application Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-web-application-firewall-waf)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "AzureWAF", + "label": "Status", + "type": 1, + "query": "AzureDiagnostics | where ResourceType in (\"APPLICATIONGATEWAYS\", \"FRONTDOORS\", \"CDNWEBAPPLICATIONFIREWALLPOLICIES\", \"PROFILES\")\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + 
"timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "WAF" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Azure Web Application Firewall Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure SQL Databases Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-sql-databases)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc", + "version": "KqlParameterItem/1.0", + "name": "SQL", + "label": "Status", + "type": 1, + "query": "AzureDiagnostics | where Category contains \"SQL\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], 
+ "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "2d8731f5-c225-4a39-9914-6391b2c89ecb", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureSql" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "SQL Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure Key Vault Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-key-vault)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "AzureKeyVault", + "label": "Status", + "type": 1, + "query": "AzureDiagnostics | where ResourceProvider == \"MICROSOFT.KEYVAULT\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + 
"name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureKeyVault" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Azure Key Vault Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure DDoS Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-ddos-protection)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "DDoS", + "label": "Status", + "type": 1, + "query": "AzureDiagnostics | where ResourceType == \"PUBLICIPADDRESSES\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, 
+ "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "DDOS" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Azure DDoS Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [VMware Carbon Black Cloud via AWS S3](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#vmware-carbon-black-cloud-via-aws-s3)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "VMwareCarbon", + "label": "Status", + "type": 1, + "query": "CarbonBlack_Alerts_CL\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": 
"d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "VMwareESXi" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "VMware ESXi Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ { - "id": "393c465e-4398-428b-8da2-87ac07d8a987", - "linkTarget": "OpenBlade", - "linkLabel": "Amazon Web Services (AWS) Connector >> ", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 1, + "content": { + "json": "### [Microsoft Defender for Cloud: Continuous Export](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export?tabs=azure-portal)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "SecurityRecommendation", + "label": "Status", + "type": 1, + "query": "SecurityRecommendation\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" 
+ }, + "customWidth": "33", + "name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ { - "name": "dataConnectorId", - "source": "static", - "value": "AWS" + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Feature", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "SecurityMenuBlade", + "extensionName": "Microsoft_Azure_Security", + "bladeParameters": [] + } } ] - } + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Continuous Export Connector", + "styleSettings": { + "showBorder": true + } + } + ], + "exportParameters": true + }, + "name": "group - 6", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Intermediate Connectors", + "style": "info" + }, + "name": "text - 13" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Microsoft Purview Information Protection](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-purview-information-protection)" + }, + "customWidth": "33", + "name": "text - 2" }, { - "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", - "linkTarget": "OpenBlade", - "linkLabel": "Amazon Web Services (S3) Connector >> ", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "MicrosoftPurviewInformationProtection", 
+ "type": 1, + "query": "MicrosoftPurviewInformationProtection​​​\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "label": "Status" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ { - "name": "dataConnectorId", - "source": "static", - "value": "AwsS3" + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureInformationProtection" + } + ] + } } ] - } + }, + "customWidth": "33", + "name": "EL0" } - ] + ], + "exportParameters": true }, - "customWidth": "50", - "name": "EL0" + "name": "Azure Information Protection Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Dynamics 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#dynamics365)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "Dynamics365Activity", + 
"label": "Status", + "type": 1, + "query": "Dynamics365Activity\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "Dynamics365" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Dynamics 365 Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure Kubernetes Service (AKS) Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-kubernetes-service-aks)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "AKS", + "label": "Status", + "type": 1, + "query": "AzureDiagnostics\r\n| where Category == \"kube-audit\"\r\n| limit 1\r\n| summarize count()\r\n| extend 
Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureKubernetes" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Azure Kubernetes Service (AKS) Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Qualys Vulnerability Management Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#qualys-vulnerability-management-via-codeless-connector-framework)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "Qualys", + "label": "Status", + "type": 1, + "query": "QualysHostDetectionV3_CL\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project 
Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "QualysVulnerabilityManagement" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Qualys Vulnerability Management Connector", + "styleSettings": { + "showBorder": true + } } - ] + ], + "exportParameters": true }, - "name": "group - 3" + "name": "group - 6" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Basic", + "loadType": "always", "items": [ { - "type": 11, + "type": 1, "content": { - "version": "LinkItem/1.0", - "style": "list", - "links": [ + "json": "## Advanced Connectors", + "style": "info" + }, + "name": "text - 13" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ { - "id": "6a86eb8d-5487-4aad-ae7b-b526e68a249f", - "linkTarget": "OpenBlade", - "linkLabel": "Microsoft 365 Defender Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ - { - "name": "dataConnectorId", - "source": "static", - "value": 
"MicrosoftThreatProtection" - } - ] - } + "type": 1, + "content": { + "json": "### [Entity Behavior (UEBA)](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)" + }, + "customWidth": "33", + "name": "text - 2" }, { - "id": "94a0e6f0-7918-4575-baf4-6e52541646dd", - "linkTarget": "OpenBlade", - "linkLabel": "Azure Firewall Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ { - "name": "dataConnectorId", - "source": "static", - "value": "AzureFirewall" + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "BehaviorAnalytics", + "label": "Status", + "type": 1, + "query": "BehaviorAnalytics​​\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" } - ] - } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" }, { - "id": "d40e1198-0e60-4672-9ad1-c70c58dcb39d", - "linkTarget": "OpenBlade", - "linkLabel": "Windows Firewall Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ { - "name": "dataConnectorId", - "source": "static", - "value": "WindowsFirewall" + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + 
"linkLabel": "Enable Feature", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "EntitySearchBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [] + } } ] - } - }, + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Entity Behavior (UEBA) Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ { - "id": "18bb33e3-9d70-4043-925d-30af02d24991", - "linkTarget": "OpenBlade", - "linkLabel": "Azure WAF Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ - { - "name": "dataConnectorId", - "source": "static", - "value": "WAF" - } - ] - } + "type": 1, + "content": { + "json": "### [Microsoft Entra ID Protection Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-entra-id-protection)" + }, + "customWidth": "33", + "name": "text - 2" }, { - "id": "5ece71ef-6973-449a-899d-514b41c7bfb7", - "linkTarget": "OpenBlade", - "linkLabel": "Azure KeyVault Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ { - "name": "dataConnectorId", - "source": "static", - "value": "AzureKeyVault" + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "AADIP", + "label": "Status", + "type": 1, + "query": "SecurityAlert | where ProductName == \"Azure Active Directory Identity Protection\"​​\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project 
Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" } - ] - } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" }, { - "id": "e4eb576b-5ab7-474f-bfc8-7310ad92acbc", - "linkTarget": "OpenBlade", - "linkLabel": "Azure DDoS Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ { - "name": "dataConnectorId", - "source": "static", - "value": "DDOS" + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureActiveDirectoryIdentityProtection" + } + ] + } } ] - } - }, - { - "id": "c41a232a-e50e-421b-ac72-235c2bb58bf6", - "linkTarget": "OpenBlade", - "linkLabel": "Export Security Recommendations >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "SecurityMenuBlade", - "extensionName": "Microsoft_Azure_Security", - "bladeParameters": [] - } + }, + "customWidth": "33", + "name": "EL0" } - ] + ], + "exportParameters": true }, - "customWidth": "50", - "name": "EL0" - } - ] - }, - "name": "group - 3 - Copy" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "title": "Intermediate", - "items": [ + "name": "Azure Active Directory Identity Protection Connector", + "styleSettings": { + "showBorder": true + } + }, { - "type": 11, + "type": 12, 
"content": { - "version": "LinkItem/1.0", - "style": "list", - "links": [ + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ { - "id": "b7426ec2-789c-45e0-8d43-11dfb2c3e539", - "linkTarget": "OpenBlade", - "linkLabel": "Azure Information Protection Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 1, + "content": { + "json": "### [Threat Intelligence TAXII Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-taxii)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ { - "name": "dataConnectorId", - "source": "static", - "value": "AzureInformationProtection" + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "TAXII", + "label": "Status", + "type": 1, + "query": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") ​​\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" } - ] - } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" }, { - "id": "1ca7a45b-98bd-4fb9-944f-fcc6a54188b7", - "linkTarget": "OpenBlade", - "linkLabel": "Dynamics 365 Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ 
+ "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ { - "name": "dataConnectorId", - "source": "static", - "value": "Dynamics365" + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "ThreatIntelligenceTaxii" + } + ] + } } ] - } + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Threat Intelligence TAXII Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Threat Intelligence Platform Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-tip)" + }, + "customWidth": "33", + "name": "text - 2" }, { - "id": "7e4f324f-8529-4ae0-b47b-b24697b8fc5d", - "linkTarget": "OpenBlade", - "linkLabel": "Azure Kubernetes Service (AKS) Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ { - "name": "dataConnectorId", - "source": "static", - "value": "AzureKubernetes" + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "ThreatIntelligence", + "label": "Status", + "type": 1, + "query": "ThreatIntelligenceIndicator | where SourceSystem in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") ​​\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ 
Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" } - ] - } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" }, { - "id": "6a86eb8d-5487-4aad-ae7b-b526e68a249f", - "linkTarget": "OpenBlade", - "linkLabel": "Qualys Vulnerability Management Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ { - "name": "dataConnectorId", - "source": "static", - "value": "QualysVulnerabilityManagement" + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "ThreatIntelligence" + } + ] + } } ] - } + }, + "customWidth": "33", + "name": "EL0" } - ] + ], + "exportParameters": true }, - "customWidth": "50", - "name": "EL0" - } - ] - }, - "name": "group - 6" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "title": "Advanced", - "items": [ + "name": "Threat Intelligence Platform Connector", + "styleSettings": { + "showBorder": true + } + }, { - "type": 11, - "content": { - "version": "LinkItem/1.0", - "style": "list", - "links": [ + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ { - "id": "0bb302f6-3711-459c-ba1b-5ae434c35ca2", - "linkTarget": "OpenBlade", - 
"linkLabel": "Microsoft Entra ID Protection Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ - { - "name": "dataConnectorId", - "source": "static", - "value": "AzureActiveDirectoryIdentityProtection" - } - ] - } + "type": 1, + "content": { + "json": "### [Microsoft Defender for IoT Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-iot)" + }, + "customWidth": "33", + "name": "text - 2" }, { - "id": "6a86eb8d-5487-4aad-ae7b-b526e68a249f", - "linkTarget": "OpenBlade", - "linkLabel": "Threat Intelligence TAXII Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ { - "name": "dataConnectorId", - "source": "static", - "value": "ThreatIntelligenceTaxii" + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "MD4IOT", + "label": "Status", + "type": 1, + "query": "SecurityAlert | where ProductName == \"Azure Security Center for IoT\"​​\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" } - ] - } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" }, { - "id": "b96a3f2e-61f1-4f30-ae85-b45e6e83402b", - "linkTarget": "OpenBlade", - "linkLabel": "Threat Intelligence Platform Connector >>", - "style": 
"secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ { - "name": "dataConnectorId", - "source": "static", - "value": "ThreatIntelligence" + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "IoT" + } + ] + } } ] - } + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Microsoft Defender for IoT Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Microsoft Purview: Insider Risk Management Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-purview-information-protection)" + }, + "customWidth": "33", + "name": "text - 2" }, { - "id": "6f75e7eb-1a0f-466d-8b26-de898770f1bf", - "linkTarget": "OpenBlade", - "linkLabel": "Microsoft Defender for IoT Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ { - "name": "dataConnectorId", - "source": "static", - "value": "IoT" + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "IRM", + "label": "Status", + "type": 1, + "query": "SecurityAlert\r\n| where ProductName == \"Microsoft 365 Insider 
Risk Management\"​​\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"✅ Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" } - ] - } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" }, { - "id": "6b8e85f4-e8aa-4b06-8c8d-c3fa3d442ab6", - "linkTarget": "OpenBlade", - "linkLabel": "Microsoft Purview: Insider Risk Management Connector >>", - "style": "secondary", - "bladeOpenContext": { - "bladeName": "DataConnectorBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ { - "name": "dataConnectorId", - "source": "static", - "value": "OfficeIRM" + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "OfficeIRM" + } + ] + } } ] - } + }, + "customWidth": "33", + "name": "EL0" } - ] + ], + "exportParameters": true }, - "customWidth": "50", - "name": "EL0" + "name": "Microsoft Purview: Insider Risk Management Connector", + "styleSettings": { + "showBorder": true + } } ] }, "name": "group - 6" } - ] + ], + "exportParameters": true }, "conditionalVisibility": { "parameterName": "isDCVisible", 
@@ -10196,7 +12555,7 @@ { "type": 1, "content": { - "json": "# [Zero Trust (TIC 3.0) Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\r\n\r\n---\r\nThe Microsoft Sentinel Zero Trust (TIC 3.0) Solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across cloud, multi-cloud, 1st/3rd party workloads. The solution includes the new Zero Trust (TIC 3.0) Workbook, (1) Analytics Rule, and (3) Playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced with numerous Microsoft offerings.
\r\n\r\n---\r\n\r\n" + "json": "# [NIST SP 800-53 Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\r\n\r\n---\r\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with NIST SP 800-53 control requirements. This offering telemetry from 25+ Microsoft Security products (1P/3P/Multi-Cloud/Hybrid/On-Premises). Each NIST SP 800-53 control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads.
\r\n\r\n---\r\n\r\n"
 },
 "name": "text - 0"
 },
@@ -10208,21 +12567,21 @@
 "links": [
 {
 "id": "1bad541e-219a-4277-9510-876b0e8cad51",
- "cellValue": "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/next-evolution-of-the-microsoft-sentinel-zero-trust-tic-3-0/ba-p/3278097",
+ "cellValue": "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-nist-sp-800-53-solution/ba-p/3381485",
 "linkTarget": "Url",
 "linkLabel": "Solution Blog",
 "style": "link"
 },
 {
 "id": "b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722",
- "cellValue": "https://youtu.be/CxLzTRPuw-4",
+ "cellValue": "https://youtu.be/ju9hxtYnj7s",
 "linkTarget": "Url",
 "linkLabel": "Video Demo",
 "style": "link"
 },
 {
 "id": "7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31",
- "cellValue": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ZeroTrust(TIC3.0)",
+ "cellValue": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NISTSP80053",
 "linkTarget": "Url",
 "linkLabel": "GitHub Repo",
 "style": "link"
@@ -10234,15 +12593,15 @@
 {
 "type": 1,
 "content": {
- "json": "![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/331934iC71A9ECE39F53E71/image-size/large?v=v2&px=999)\r\n\r\n"
+ "json": "![Image Name](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Workbooks/Images/NISTSP80053Black.png?raw=true)"
 },
- "customWidth": "80",
+ "customWidth": "90",
 "name": "text - 2"
 }
 ]
 },
 "customWidth": "50",
- "name": "Zero Trust Solution"
+ "name": "group - 10"
 },
 {
 "type": 12,
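Review bot: The added `json` text for the NIST SP 800-53 group keeps a heading link that points at the Zero Trust integration page, `# [NIST SP 800-53 Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)`, which looks carried over from the Zero Trust block this group replaces; the GitHub Repo link in the following hunk uses `https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NISTSP80053`, which is presumably the intended target for the heading as well. The same string reads `This offering telemetry from 25+ Microsoft Security products`, which is missing a verb; `This offering provides telemetry from 25+ Microsoft Security products` reads as intended. Both issues exist in the removed copy of this text further down the diff, so the commit moves them rather than introduces them, but this is the place to fix them.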
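Review bot: In the `@@ -10234,15 +12593,15 @@` hunk the group's `name` goes from the descriptive `"Zero Trust Solution"` to the editor default `"group - 10"`, even though the group now holds the NIST SP 800-53 content and the file already has several `group - N` siblings; a step name such as `"name": "NIST SP 800-53 Solution"` keeps the step identifiable in the workbook editor. The enclosing `type: 12` group starts and ends outside this hunk.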
@@ -10253,7 +12612,50 @@ { "type": 1, "content": { - "json": "# [NIST SP 800-53 Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\r\n\r\n---\r\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with NIST SP 800-53 control requirements. This offering telemetry from 25+ Microsoft Security products (1P/3P/Multi-Cloud/Hybrid/On-Premises). Each NIST SP 800-53 control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads.
\r\n\r\n---\r\n\r\n" + "json": "# [Threat Analysis & Response Solution](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response)\r\n---\r\n\r\nThis solution enables SecOps Analysts, Threat Intelligence Professional, and Threat Hunters to gain situational awareness for threats in cloud environment. The Solution includes (2) Workbooks designed to enable threat hunting programs. Threat analysis provides an understanding of where the attacker is in the cycle which often drives both a historic lens of where the threat may have progressed, but also predictive analytics on the threat’s objectives. This approach is adversarial as understanding of the threat’s attack cycle drives defense actions in a red versus blue model. The Threat Analysis & Response Solution augments the customer burden of building threat hunting programs.\r\n\r\n---\r\n\r\n" + }, + "name": "text - 0" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "nav", + "links": [ + { + "id": "7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31", + "cellValue": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response", + "linkTarget": "Url", + "linkLabel": "GitHub Repo", + "style": "link" + } + ] + }, + "name": "links - 29" + }, + { + "type": 1, + "content": { + "json": "![Image Name](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ThreatAnalysis%26Response/Workbooks/Images/ThreatAnalysis%26ResponseWhite1.png?raw=true)" + }, + "customWidth": " 100", + "name": "text - 2" + } + ] + }, + "customWidth": "50", + "name": "group - 9" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [Zero Trust (TIC 3.0) Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\r\n\r\n---\r\nThe Microsoft Sentinel Zero Trust (TIC 3.0) Solution provides a mechanism for viewing log queries aligned to Zero Trust and 
Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across cloud, multi-cloud, 1st/3rd party workloads. The solution includes the new Zero Trust (TIC 3.0) Workbook, (1) Analytics Rule, and (3) Playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced with numerous Microsoft offerings.
\r\n\r\n---\r\n\r\n"
 },
 "name": "text - 0"
 },
@@ -10265,21 +12667,21 @@
 "links": [
 {
 "id": "1bad541e-219a-4277-9510-876b0e8cad51",
- "cellValue": "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-nist-sp-800-53-solution/ba-p/3381485",
+ "cellValue": "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/next-evolution-of-the-microsoft-sentinel-zero-trust-tic-3-0/ba-p/3278097",
 "linkTarget": "Url",
 "linkLabel": "Solution Blog",
 "style": "link"
 },
 {
 "id": "b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722",
- "cellValue": "https://youtu.be/ju9hxtYnj7s",
+ "cellValue": "https://youtu.be/CxLzTRPuw-4",
 "linkTarget": "Url",
 "linkLabel": "Video Demo",
 "style": "link"
 },
 {
 "id": "7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31",
- "cellValue": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NISTSP80053",
+ "cellValue": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ZeroTrust(TIC3.0)",
 "linkTarget": "Url",
 "linkLabel": "GitHub Repo",
 "style": "link"
@@ -10287,19 +12689,11 @@
 ]
 },
 "name": "links - 29"
- },
- {
- "type": 1,
- "content": {
- "json": "![Image Name](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Workbooks/Images/NISTSP80053Black.png?raw=true)"
- },
- "customWidth": "90",
- "name": "text - 2"
 }
 ]
 },
 "customWidth": "50",
- "name": "group - 10"
+ "name": "Zero Trust Solution"
 },
 {
 "type": 12,
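Review bot: The new Threat Analysis & Response image item in the `@@ -10253,7 +12612,50 @@` hunk sets `"customWidth": " 100"` with a leading space, while every other `customWidth` in this diff is a bare number string (`"50"`, `"90"`, `"33"`); unless the renderer trims the value it will not be read as a width, so it should be `"customWidth": "100"`. The removed copy of this group lower in the diff carries the same `" 100"`, so the commit moves the defect rather than introduces it. The image path also changes from `ThreatAnalysis&ResponseWhite.png` in the removed group to `ThreatAnalysis%26ResponseWhite1.png`; worth confirming that the `White1` file exists in the repository, since a missing image renders as a broken markdown link. The GitHub Repo link reuses `id` `7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31`, the same id the neighbouring groups use for their GitHub Repo links; if the workbook tooling expects link ids to be unique within the template, regenerate it for this group.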
@@ -10310,7 +12704,7 @@
 {
 "type": 1,
 "content": {
- "json": "# [Cybersecurity Maturity Model Certification (CMMC) 2.0](https://www.acq.osd.mil/cmmc/index.html)\r\n---\r\n\r\nThis solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/assessment/reporting, (2) Analytics rules for monitoring and (3) Playbooks for response/remediation. CMMC 2.0 is the next iteration of the Department’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
\r\n\r\n---\r\n\r\n"
+ "json": "# [Cybersecurity Maturity Model Certification (CMMC) 2.0](https://dodcio.defense.gov/CMMC/)\r\n---\r\n\r\nThis solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/assessment/reporting, (2) Analytics rules for monitoring and (3) Playbooks for response/remediation. CMMC 2.0 is the next iteration of the Department’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
\r\n\r\n---\r\n\r\n"
 },
 "name": "text - 0"
 },
@@ -10344,14 +12738,6 @@
 ]
 },
 "name": "links - 29"
- },
- {
- "type": 1,
- "content": {
- "json": "![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/366916iE9E6352466301203/image-size/large?v=v2&px=999)"
- },
- "customWidth": "75",
- "name": "text - 2"
 }
 ]
 },
@@ -10408,14 +12794,6 @@
 ]
 },
 "name": "links - 29"
- },
- {
- "type": 1,
- "content": {
- "json": "![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/356031i1852A90B40FA85CF/image-size/large?v=v2&px=999)"
- },
- "customWidth": "86",
- "name": "text - 2"
 }
 ]
 },
@@ -10458,14 +12836,6 @@
 ]
 },
 "name": "links - 29"
- },
- {
- "type": 1,
- "content": {
- "json": "![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/326371i9E5EA3A8269A3D54/image-size/large?v=v2&px=999)"
- },
- "customWidth": "75",
- "name": "text - 2"
 }
 ]
 },
@@ -10515,14 +12885,6 @@
 ]
 },
 "name": "links - 29"
- },
- {
- "type": 1,
- "content": {
- "json": "![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/339516iD1FE1014CDCB1E04/image-size/large?v=v2&px=999)"
- },
- "customWidth": "75",
- "name": "text - 2"
 }
 ]
 },
@@ -10572,63 +12934,12 @@
 ]
 },
 "name": "links - 29"
- },
- {
- "type": 1,
- "content": {
- "json": "![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342601i34E2E96C5959D837/image-dimensions/799x468?v=v2)"
- },
- "customWidth": "75",
- "name": "text - 2"
 }
 ]
 },
 "customWidth": "50",
 "name": "group - 8"
 },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "# [Threat Analysis & Response Solution](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response)\r\n---\r\n\r\nThis solution enables SecOps Analysts, Threat Intelligence Professional, and Threat Hunters to gain situational awareness for threats in cloud environment. The Solution includes (2) Workbooks designed to enable threat hunting programs. Threat analysis provides an understanding of where the attacker is in the cycle which often drives both a historic lens of where the threat may have progressed, but also predictive analytics on the threat’s objectives. This approach is adversarial as understanding of the threat’s attack cycle drives defense actions in a red versus blue model. 
The Threat Analysis & Response Solution augments the customer burden of building threat hunting programs.\r\n\r\n---\r\n\r\n"
- },
- "name": "text - 0"
- },
- {
- "type": 11,
- "content": {
- "version": "LinkItem/1.0",
- "style": "nav",
- "links": [
- {
- "id": "7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31",
- "cellValue": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response",
- "linkTarget": "Url",
- "linkLabel": "GitHub Repo",
- "style": "link"
- }
- ]
- },
- "name": "links - 29"
- },
- {
- "type": 1,
- "content": {
- "json": "![Image Name](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ThreatAnalysis&Response/Workbooks/Images/ThreatAnalysis&ResponseWhite.png?raw=true)"
- },
- "customWidth": " 100",
- "name": "text - 2"
- }
- ]
- },
- "customWidth": "50",
- "name": "group - 9"
- },
 {
 "type": 12,
 "content": {
@@ -10672,13 +12983,6 @@
 ]
 },
 "name": "links - 29"
- },
- {
- "type": 1,
- "content": {
- "json": "![Image Name](https://techcommunity.microsoft.com/t5/image/serverpage/image-id/318165iE3D0AFA0BD5DF73C/image-size/large?v=v2&px=999)"
- },
- "name": "text - 2"
 }
 ]
 },
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index 008126a5b2f..ffd25a657ce 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -5342,7 +5342,7 @@
 "ContinuousDiagnostics&MitigationBlack.png",
 "ContinuousDiagnostics&MitigationWhite.png"
 ],
- "version": "1.0.0",
+ "version": "1.0.1",
 "title": "ContinuousDiagnostics&Mitigation",
 "templateRelativePath": "ContinuousDiagnostics&Mitigation.json",
 "subtitle": "",