diff --git a/Solutions/GDPR Compliance & Data Security/Package/3.0.1.zip b/Solutions/GDPR Compliance & Data Security/Package/3.0.1.zip
new file mode 100644
index 00000000000..f9d896dae3e
Binary files /dev/null and b/Solutions/GDPR Compliance & Data Security/Package/3.0.1.zip differ
diff --git a/Solutions/GDPR Compliance & Data Security/Package/mainTemplate.json b/Solutions/GDPR Compliance & Data Security/Package/mainTemplate.json
index 45971b18543..e7258fe4659 100644
--- a/Solutions/GDPR Compliance & Data Security/Package/mainTemplate.json
+++ b/Solutions/GDPR Compliance & Data Security/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "GDPR Compliance & Data Security",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
 "solutionId": "azuresentinel.azure-sentinel-solution-gdpr-compliance",
 "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.0.0",
@@ -63,7 +63,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GDPRComplianceAndDataSecurity Workbook with template version 3.0.0",
+ "description": "GDPRComplianceAndDataSecurity Workbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -81,7 +81,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"typeSettings\":{\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, 
false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"value\":{\"durationMs\":1209600000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [GDPR Compliance & Data Security Workbook for Microsoft Sentinel](https://learn.microsoft.com/en-us/compliance/regulatory/gdpr)\\n---\\n\\nWelcome to the **GDPR(General Data Protection Regulation) Compliance & Data Security Workbook for Microsoft Sentinel**. \\nThis workbook helps you **track, visualize and monitor GDPR related requirements** across your enterprise. 
\\nIt consolidates data from **Defender XDR, Microsoft Purview, Azure SQL Databases, Microsoft 365, UEBA and Entra ID solution.**\\n\\nUse this workbook to:\\n- 🔍 Monitor **GDPR and data-theft related alerts and incidents** across Microsoft Defender XDR \\n- 🗂 Gain visibility into **data classification and sensitivity labeling coverage** with Microsoft Purview\\n- 🗄 Detect **sensitive data queries, anomalous database activity, and unusual access patterns** in Azure SQL Databases\\n- ⚠ Investigate **identity risks, anomalous sign-ins, and insider behaviors** with Entra ID and UEBA \\n- 📝 Provide **clear audit evidence and compliance reports** across Microsoft 365 and related services\"},\"name\":\"text - 2\"}]},\"customWidth\":\"78\",\"name\":\"group - 5\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"21\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":1,\"content\":{\"json\":\"We’d love to hear your feedback! Share it with us [Here](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR5vpbw39GIlPr6oh7FnjxTFUOVhBOFowTFlaT1pOSTAxVDdRT1pIUDlINy4u). 
\",\"style\":\"upsell\"},\"name\":\"text - 1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"ac6f7462-59ff-4d82-86b0-0a6eccc35a51\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserPrincipalName\",\"label\":\"🔀 User Selector\",\"type\":2,\"description\":\"This filter applies to metrics derived from Microsoft 365, UEBA, and Entra ID data sources.\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n| summarize by UserPrincipalName \",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"User Selector Parameter - Copy\"},{\"type\":1,\"content\":{\"json\":\"✅ **How to use this workbook** \\r\\n\\r\\nSelect one or more checkboxes below to display the GDPR relevant metrics for the corresponding source (e.g., Security Alerts, Purview, SQL, Microsoft 365).\\r\\n\"},\"name\":\"text - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"Getting Started\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Help\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"Security Alerts and Incidents (6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SecurityAlerts\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"Data Loss Prevention (7)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DLP\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"Purview Logs (8)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PurviewLogs\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"Azure SQL Databases (9)\\\\\\\", 
\\\\\\\"tab\\\\\\\":\\\\\\\"AzureSQLDatabases\\\\\\\"},\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"Microsoft 365 Activity (20)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"M365Activity\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"User & Entity Behavior Analytics (12)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"UEBA\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"Sign-Ins (12)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SignIns\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"Audit Logs (5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AuditLogs\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"tab2\"}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"Control Family \",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cbb7a53e-ea3b-44e3-804e-734662e21144\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isHelpVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Help\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSecurityAlertsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SecurityAlerts\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"duratio
nMs\":86400000},\"id\":\"9ade41e9-0382-49a7-847a-472bfb7e284b\"},{\"id\":\"17988544-c3d6-46c0-9645-2d1ce07d8655\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDLPVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DLP\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"0299a507-8d53-4e80-bc8c-e3aa12522bab\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPurviewLogsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"PurviewLogs\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}]},{\"id\":\"553d4aff-e76d-418b-9edf-7fdcdacb6e0f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAzureSQLDatabasesVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AzureSQLDatabases\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"f145d46a-1e01-49ff-99e7-87f6059ed960\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isM365ActivityVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"M365Activity\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"false
\"}}]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUEBAVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"UEBA\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"70014e2e-d25a-4cca-b78d-b6063795d138\"},{\"id\":\"14403a6f-fb83-492a-bea3-941048e30bb7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSignInsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SignIns\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}]},{\"id\":\"af09b9c4-3218-40de-8a1f-26f4a1c38a19\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAuditLogsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AuditLogs\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}]}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## 📂 Workbook Structure\\r\\n\\r\\nThis workbook is organized into the following sections:\\r\\n\\r\\n| Section | Description |\\r\\n|---------|-------------|\\r\\n| 🚨 **Security Alerts & Incidents** | Investigate security 
Alerts & incidents from hosts and resources hosting personal data. |\\r\\n| 🛡 **Data Loss Prevention (DLP)** | Monitor sensitive data access, leaks, and geolocation-based usage. |\\r\\n| 🔍 **Purview Logs** | Discover and classify assets, monitor sensitivity labeling, and track data governance. |\\r\\n| 🗄 **Azure SQL Databases** | Detect anomalies and monitor classified data queries. |\\r\\n| 📂 **Microsoft 365 Activity** | Monitor sensitive document/email activity. |\\r\\n| 📊 **UEBA** | Analyze anomalous user & entity behaviors. |\\r\\n| 👤 **Sign-Ins (Entra ID)** | Track risky sign-ins and monitor identity compliance. |\\r\\n| 📝 **Audit Logs** | Provide accountability and traceability of administrative activities. |\\r\\n\"},\"customWidth\":\"40\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"## 🔗 Data Sources & Permissions\\r\\n\\r\\nEnsure the following data connectors are enabled and ingested into Microsoft Sentinel:\\r\\n\\r\\n### 📂 Data Governance\\r\\n- ✅ **Microsoft Purview** (data classification & sensitivity logs. PurviewDataSensitivityLogs table) \\r\\n- ✅ **Microsoft Purview Information Protection** (DLP, labels, document access. MicrosoftPurviewInformationProtection table) \\r\\n- ✅ **Azure SQL Databases** (classification & anomaly scores. AzureDiagnostics table)\\r\\n\\r\\n\\r\\n### 👤 Identity & Access\\r\\n- ✅ **Microsoft Entra ID** (Sign-ins. SigninLogs table) \\r\\n- ✅ **BehaviorAnalytics** (UEBA. BehaviorAnalytics table) \\r\\n\\r\\n### 🛡 Security Monitoring\\r\\n- ✅ **Microsoft 365** (Microsoft 365 activity. OfficeActivity table) \\r\\n- ✅ **SecurityAlert / SecurityIncident** (Microsoft Defender XDR. SecurityAlert and SecurityIncident tables) \\r\\n- ✅ **AuditLogs** (Entra ID administrative traceability. 
AuditLogs table) \\r\\n\\r\\n📘 [How to configure data connectors in Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/connect-data-sources)\\r\\n\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n\\r\\n### 1. Security Alerts and Incidents\\r\\n\\r\\nFrom the Azure portal, install the **[Microsoft Defender XDR](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-microsoft365defender)** solution via **Content Hub**. \\r\\nThen, enable the **Microsoft Defender XDR** data connector to stream security alerts and incidents from Defender products into Microsoft Sentinel. \\r\\nThese records populate the **`SecurityAlert`** and **`SecurityIncident`** tables. \\r\\n\\r\\n⚠️ **Important:** \\r\\nAll workbook metrics in this section use a **watchlist** to filter only alerts and incidents involving servers that host **personal data**. \\r\\nYou must configure this watchlist in Sentinel and populate it with the names of your personal data hosting servers.\\r\\n\\r\\n#### 📂 Sample Watchlist (GDPR_PersonalData_Assets)\\r\\n\\r\\n| HostName |\\r\\n|------------------------|\\r\\n| server1 |\\r\\n| server2 |\\r\\n| server3 |\\r\\n| server4 |\\r\\n\\r\\n1. Save the watchlist as a CSV or TXT file. \\r\\n2. In Sentinel → **Configuration > Watchlists**, create a new watchlist (e.g., `GDPR_PersonalData_Assets`). \\r\\n3. 
Upload the file and confirm `HostName` is recognized as the search key.\\r\\n\\r\\nThis allows you to: \\r\\n- Focus alerts and incidents on GDPR-relevant systems \\r\\n- Monitor attack tactics and timelines against personal data servers \\r\\n- Provide auditors with clear evidence of incident detection and response for regulated data \\r\\n\\r\\nAll **Security Alerts & Incidents** visuals in this workbook will only display events related to servers listed in this watchlist.\\r\\n\\r\\n📘 [Setup guide – Microsoft Defender XDR connector](https://learn.microsoft.com/azure/sentinel/connect-microsoft-365-defender) \\r\\n📘 [How to create and use watchlists](https://learn.microsoft.com/azure/sentinel/watchlists)\\r\\n\"},\"customWidth\":\"40\",\"name\":\"text - 6\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n\\r\\n### 2. Data Loss Prevention (Microsoft Purview Information Protection)\\r\\nFrom the Azure portal, install the **[Microsoft Purview Information Protection](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-mip)** solution via **Content Hub**. \\r\\nThen, enable the **Microsoft Purview Information Protection** data connector to ingest **sensitivity labeling and protection events** into the **`MicrosoftPurviewInformationProtection`** table. 
\\r\\nWith this configuration, you can: \\r\\n- Track **sensitivity label adoption and usage trends** \\r\\n- Monitor **labeled/protected documents and emails** across Microsoft 365 \\r\\n- Detect **label changes, downgrades, and policy enforcement outcomes** \\r\\n- Provide auditors with **evidence of applied protections on personal and sensitive data** \\r\\n\\r\\n📘 [Setup guide – Microsoft Purview Information Protection connector](https://learn.microsoft.com/azure/sentinel/connect-microsoft-purview)\\r\\n\\r\\n---\"},\"customWidth\":\"40\",\"name\":\"text - 4\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n\\r\\n### 3. Microsoft Purview (Data Classification & Sensitivity Logs)\\r\\nFrom the Azure portal, install the **[Microsoft Purview](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-azurepurview)** solution via **Content Hub**. \\r\\nThen, configure the **Microsoft Purview** data connector to stream **Data Classification and Sensitivity scan events** into the **`PurviewDataSensitivityLogs`** table. \\r\\n\\r\\nWith this configuration, you can: \\r\\n- Discover **where personal and sensitive data resides** across your cloud resources \\r\\n- Monitor **assets with classifications and sensitivity labels** over time \\r\\n- Track **data types and categories** detected by Purview scans \\r\\n- Provide auditors with **an inventory of sensitive data processing** \\r\\n\\r\\n📘 [Setup guide – Microsoft Purview solution](https://learn.microsoft.com/azure/sentinel/purview-solution)\\r\\n\\r\\n---\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 10\"},{\"type\":1,\"content\":{\"json\":\"\\r\\n### 4. 
Azure SQL Databases\\r\\nFrom the Azure portal, install the **[Azure SQL Database](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/sentinel4sql.sentinel4sql)** solution via **Content Hub**. \\r\\nThen, connect the **Azure SQL Databases** data connector to stream **audit and diagnostic logs** into Microsoft Sentinel. \\r\\nThese logs populate the **`AzureDiagnostics`** table (and SQL-specific audit tables if enabled). \\r\\n\\r\\nWith this configuration, you can: \\r\\n- Monitor **sensitive queries by label, information type, and principal** \\r\\n- Detect **anomalous activity and anomaly scores** across databases \\r\\n- Track **application and IP access to classified data** \\r\\n- Provide auditors with **evidence of monitoring structured personal data in SQL systems** \\r\\n\\r\\n📘 [Setup guide – Configure Azure SQL logging to Sentinel](https://learn.microsoft.com/azure/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure?view=azuresql&tabs=azure-portal)\\r\\n\\r\\n---\"},\"customWidth\":\"40\",\"name\":\"text - 8\"},{\"type\":1,\"content\":{\"json\":\"### 5. Microsoft 365 Activity\\r\\n\\r\\nFrom the Azure portal, install the **[Microsoft 365](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-office365)** solution via **Content Hub**. \\r\\nThen, enable the **Microsoft 365 (formerly Office 365)** data connector to stream **unified audit logs** into Microsoft Sentinel. \\r\\nThese logs populate the **`OfficeActivity`** table. 
\\r\\n\\r\\nWith this configuration, you can: \\r\\n- Monitor **user and administrator activity** across Exchange, SharePoint, OneDrive, and Teams \\r\\n- Detect **risky file sharing, mailbox access by non-owners, and suspicious admin operations** \\r\\n- Identify **unusual Teams or SharePoint activity** (e.g., mass deletions, uploads from unseen devices) \\r\\n- Provide auditors with a **comprehensive audit trail of data activity** in Microsoft 365 services\\r\\n\\r\\n---\"},\"customWidth\":\"40\",\"name\":\"text - 9\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 10\"},{\"type\":1,\"content\":{\"json\":\"### 6. User & Entity Behavior Analytics (UEBA)\\r\\n\\r\\nFrom the Azure portal, enable **User and Entity Behavior Analytics (UEBA)** in Microsoft Sentinel settings. \\r\\nUEBA builds baselines of user and entity activities and writes enriched risk insights into the **`BehaviorAnalytics`** table.\\r\\n\\r\\nThis enables you to: \\r\\n- Detect anomalous behaviors across users and entities \\r\\n- Correlate activities across multiple data sources \\r\\n- Identify potential insider threats and compromised accounts \\r\\n\\r\\n📘 [Setup guide](https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics?tabs=azure)\\r\\n\\r\\n---\"},\"customWidth\":\"40\",\"name\":\"text - 11\"},{\"type\":1,\"content\":{\"json\":\"### 7. Sign-ins and Audit (Microsoft Entra ID)\\r\\n\\r\\nFrom the Azure portal, install the **[Microsoft Entra ID](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-azureactivedirectory)** solution via **Content Hub**. \\r\\nThen, enable the **Microsoft Entra ID (Sign-in, Audit Logs)** data connector to stream authentication events into Microsoft Sentinel. \\r\\n\\r\\nThese logs populate the **`SigninLogs`** and **`AuditLogs`** table and allow you to: \\r\\n- Monitor successful vs. 
failed sign-ins \\r\\n- Detect risky logins, brute-force attempts, and unusual geolocations \\r\\n- Investigate access patterns to applications and resources handling personal data\\r\\n- Monitor changes to users, groups, and applications \\r\\n- Track administrative actions such as role assignments, policy changes, and resource access grants \\r\\n- Provide a traceable record of identity-related activities for GDPR accountability \\r\\n\\r\\n📘 [Setup guide](https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory)\\r\\n\\r\\n---\"},\"customWidth\":\"40\",\"name\":\"text - 12\"}]},\"conditionalVisibility\":{\"parameterName\":\"isHelpVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Overview Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"7afa304d-b448-4d6c-8c54-69e51a7249a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results113\",\"type\":1,\"query\":\"// Load personal data servers from Sentinel watchlist\\r\\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\\r\\n | project HostName = tolower(HostName);\\r\\nSecurityAlert\\r\\n| mv-expand Entity = todynamic(Entities)\\r\\n| extend EntityType = tostring(Entity.Type)\\r\\n| extend HostName = iff(EntityType == \\\"host\\\",tolower(tostring(Entity.HostName)), \\\"\\\")\\r\\n| where HostName <> \\\"\\\"\\r\\n// Keep only alerts where HostName is in the watchlist\\r\\n| join kind=inner (PersonalDataServers) on HostName\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Results113\",\"styleSettings\":{\"maxWidth\":\"33\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"9b6b6d2b-a6d9-46c6-882d-722c0c9d455f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results114\",\"type\":1,\"query\":\"// Load personal data servers from Sentinel watchlist\\r\\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\\r\\n| project HostName = tolower(HostName);\\r\\nSecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | mv-expand AlertIds\\r\\n | extend AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"host\\\"\\r\\n | extend HostName = tolower(tostring(Entities.HostName))\\r\\n | where Entities[\\\"HostName\\\"] <> \\\"\\\"\\r\\n // Keep only alerts where HostName is in the watchlist\\r\\n | join kind=inner (PersonalDataServers) on HostName\\r\\n | extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\\r\\n | summarize DeviceNames = make_set(HostName,10), arg_max(TimeGenerated, *) by IncidentNumber\\r\\n | parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n | distinct Title, Severity, IncidentBlade, tostring(DeviceNames), TimeGenerated, IncidentNumber\\r\\n| limit 
1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Results114\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"572e4329-8e88-4492-972a-86267f66f8a2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results115\",\"type\":1,\"query\":\"// Load personal data servers from Sentinel watchlist\\r\\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\\r\\n | project HostName = tolower(HostName);\\r\\nSecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | mv-expand AlertIds\\r\\n | extend AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | extend EntitiesSet = todynamic(Entities)\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"host\\\"\\r\\n | extend HostName = tolower(tostring(Entities.HostName))\\r\\n | where Entities[\\\"HostName\\\"] <> \\\"\\\"\\r\\n // Keep only alerts where HostName is in the watchlist\\r\\n | join kind=inner (PersonalDataServers) on HostName\\r\\n | extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\\r\\n | summarize DeviceNames = make_set(HostName,10), arg_max(TimeGenerated, *) by IncidentNumber\\r\\n | parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' 
IncidentBlade\\r\\n | mv-expand todynamic(EntitiesSet)\\r\\n | extend Name = tostring(tolower(EntitiesSet[\\\"Name\\\"])), UPNSuffix = tostring(EntitiesSet[\\\"UPNSuffix\\\"])\\r\\n | extend UPN = iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n | where UPN <> \\\"\\\"\\r\\n | summarize count() by UPN\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Results115\"},{\"type\":1,\"content\":{\"json\":\"# 🚨 [Security Alerts and Incidents](https://docs.microsoft.com/azure/sentinel/create-incidents-from-alerts)\\n---\\n\\nThis section consolidates security alerts and incidents that may involve systems storing or processing personal data. It supports GDPR obligations for **security of processing (Art. 32)**, **breach notification (Art. 33 & 34)**, and **accountability (Art. 5(2))** by ensuring that organizations can quickly detect, investigate, and respond to threats that impact personal data. 
\\n\\nKey objectives of this section: \\n- Track **security alerts involving personal data servers** to prioritize investigations of GDPR-relevant risks \\n- Monitor **alerts mapped to MITRE ATT&CK® tactics** to understand adversary techniques targeting personal data \\n- Review **incident counts and timelines** to measure responsiveness and compliance with breach notification requirements \\n- Provide auditors with documented evidence of **security monitoring, incident management, and remediation activities** \\n\\nBy analyzing these metrics, analysts can ensure that **personal data risks are rapidly identified and addressed**, and that the organization maintains the ability to **demonstrate incident response readiness** in alignment with GDPR.\"},\"customWidth\":\"40\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 15\"},{\"type\":1,\"content\":{\"json\":\"| Security Alerts And Incidents | | |\\r\\n|:--| - | - |\\r\\n| Alerts Over Time for Personal Data Hosting Systems | Alerts Details | Alerts by MITRE ATT&CK® Tactics|\\r\\n| Security Incidents Over Time for Personal Data Hosting Systems | Security Incidents By Users |Security Incidents Details|\\r\\n\\r\\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, and Time range. 
Only panels with data are shown.\\r\\n\"},\"customWidth\":\"40\",\"name\":\"SI OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Load personal data servers from Sentinel watchlist\\r\\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\\r\\n | project HostName = tolower(HostName);\\r\\nSecurityAlert\\r\\n| mv-expand Entity = todynamic(Entities)\\r\\n| extend EntityType = tostring(Entity.Type)\\r\\n| extend HostName = iff(EntityType == \\\"host\\\",tolower(tostring(Entity.HostName)), \\\"\\\")\\r\\n| where HostName <> \\\"\\\"\\r\\n// Keep only alerts where HostName is in the watchlist\\r\\n| join kind=inner (PersonalDataServers) on HostName\\r\\n| extend DeviceName = HostName, AlertId = SystemAlertId\\r\\n| summarize by AlertId, AlertName, TimeGenerated\\r\\n| make-series Alerts = count() on TimeGenerated step 1d by AlertName\",\"size\":0,\"title\":\"Alerts Over Time for Personal Data Hosting Systems\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"conditionalVisibility\":{\"parameterName\":\"Results113\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Load personal data servers from Sentinel watchlist\\r\\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\\r\\n | project HostName = tolower(HostName);\\r\\nSecurityAlert\\r\\n| mv-expand Entity = todynamic(Entities)\\r\\n| extend EntityType = tostring(Entity.Type)\\r\\n| extend HostName = iff(EntityType == \\\"host\\\",tolower(tostring(Entity.HostName)), \\\"\\\")\\r\\n| where HostName <> \\\"\\\"\\r\\n// Keep only alerts where HostName is in the watchlist\\r\\n| join kind=inner (PersonalDataServers) on HostName\\r\\n| summarize \\r\\n AlertName = any(AlertName),\\r\\n AlertSeverity = any(AlertSeverity),\\r\\n DeviceNames = make_set(HostName,10),\\r\\n 
TimeGenerated = any(TimeGenerated)\\r\\n by AlertId = SystemAlertId, AlertLink\\r\\n | project-reorder AlertName, AlertSeverity, AlertLink, DeviceNames, TimeGenerated, AlertId\\r\\n| order by TimeGenerated desc\\r\\n| take 100\",\"size\":0,\"title\":\"Alerts Details\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Alert >>\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"Results113\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Load personal data servers from Sentinel watchlist\\r\\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\\r\\n | project HostName = tolower(HostName);\\r\\nSecurityAlert\\r\\n| mv-expand Entity = todynamic(Entities)\\r\\n| extend EntityType = tostring(Entity.Type)\\r\\n| extend HostName = iff(EntityType == \\\"host\\\",tolower(tostring(Entity.HostName)), \\\"\\\")\\r\\n| where HostName <> \\\"\\\"\\r\\n// Keep only alerts where HostName is in the watchlist\\r\\n| join kind=inner (PersonalDataServers) on HostName\\r\\n| summarize by Tactics, SystemAlertId\\r\\n| summarize Count=count() by Tactics\\r\\n| sort by Count desc\",\"size\":0,\"title\":\"Alerts by MITRE ATT&CK® Tactics\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Tactics\"},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},\"showBorder\":false}},\"conditionalVisibility\":{\"parameterName\":\"Results113\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Load personal data servers from Sentinel watchlist\\r\\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\\r\\n | project HostName = tolower(HostName);\\r\\nSecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | mv-expand AlertIds\\r\\n | extend AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"host\\\"\\r\\n | extend HostName = tolower(tostring(Entities.HostName))\\r\\n | where Entities[\\\"HostName\\\"] <> \\\"\\\"\\r\\n // Keep only alerts where HostName is in the watchlist\\r\\n | join kind=inner (PersonalDataServers) on HostName\\r\\n | extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\\r\\n | summarize DeviceNames = make_set(HostName,10), arg_max(TimeGenerated, *) by IncidentNumber\\r\\n | parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n | distinct Title, Severity, IncidentBlade, tostring(DeviceNames), TimeGenerated, IncidentNumber\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Title\\r\\n| render timechart\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents Over Time for Personal Data Hosting 
Systems\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"UserPrincipalName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",
\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results114\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results114e\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Load personal data servers from Sentinel watchlist\\r\\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\\r\\n | project HostName = tolower(HostName);\\r\\nSecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | mv-expand AlertIds\\r\\n | extend AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | extend EntitiesSet = todynamic(Entities)\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"host\\\"\\r\\n | extend HostName = tolower(tostring(Entities.HostName))\\r\\n | where Entities[\\\"HostName\\\"] <> \\\"\\\"\\r\\n // Keep only alerts where HostName is in the watchlist\\r\\n | join kind=inner (PersonalDataServers) on HostName\\r\\n | extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\\r\\n | summarize DeviceNames = make_set(HostName,10), arg_max(TimeGenerated, *) by IncidentNumber\\r\\n | parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n | mv-expand todynamic(EntitiesSet)\\r\\n | extend Name = tostring(tolower(EntitiesSet[\\\"Name\\\"])), UPNSuffix = tostring(EntitiesSet[\\\"UPNSuffix\\\"])\\r\\n | 
extend UPN = iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n | where UPN <> \\\"\\\"\\r\\n | summarize count() by UPN\\r\\n | render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents by Users\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"
thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results115\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results113h\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Load personal data servers from Sentinel watchlist\\r\\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\\r\\n | project HostName = tolower(HostName);\\r\\nSecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | mv-expand AlertIds\\r\\n | extend AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle 
arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"host\\\"\\r\\n | extend HostName = tolower(tostring(Entities.HostName))\\r\\n | where Entities[\\\"HostName\\\"] <> \\\"\\\"\\r\\n // Keep only alerts where HostName is in the watchlist\\r\\n | join kind=inner (PersonalDataServers) on HostName\\r\\n | extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\\r\\n | summarize DeviceNames = make_set(HostName,10), arg_max(TimeGenerated, *) by IncidentNumber\\r\\n | parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n | distinct Title, Severity, IncidentBlade, tostring(DeviceNames), TimeGenerated, IncidentNumber \\r\\n | sort by TimeGenerated desc\\r\\n | limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents Details\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Title\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":
\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"conditionalVisibility\":{\"parameterName\":\"Results114\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results153\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSecurityAlertsVisible\",\
"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Security Alerts Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# 🛡 [Data Loss Prevention](https://docs.microsoft.com/microsoft-365/solutions/information-protection-deploy)\\n---\\n\\nThis section helps you monitor and control the **movement of sensitive and personal data**, directly supporting GDPR principles of **data protection by design (Art. 25)** and **security of processing (Art. 32)**. \\n\\nKey objectives of this section: \\n- Track **where sensitive data is accessed** and from which geolocations \\n- Detect and investigate **potential leaks or unauthorized transfers** of personal data \\n- Measure **label-based access patterns** (sensitivity labels applied through Microsoft Information Protection) \\n- Provide evidence of **preventive and detective controls** for GDPR audits \\n\\nBy monitoring these metrics, you can quickly identify risky behaviors such as **unusual data access locations**, **exfiltration attempts**, or **leak alerts**, and take corrective actions to protect personal data.\\n\"},\"customWidth\":\"40\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"| Data Loss Prevention | | |\\r\\n|:--| - | - |\\r\\n| Sensitive Label Access by Geolocations | Sensitive Label Access by Geolocation Details | Sensitive Data Alerts over Time|\\r\\n| Sensitive Data Alert Details | Data Access by Sensitivity Labels Over Time | Data Access by Sensitivity Label |\\r\\n|Sensitive Data Access Details|\\r\\n\\r\\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, and Time range. Only panels with data are shown. 
\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 13\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"7afa304d-b448-4d6c-8c54-69e51a7249a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results305\",\"type\":1,\"query\":\"SecurityAlert\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"])\\r\\n | extend UPN = iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\\r\\n| extend UserPrincipalName = UPN\\r\\n| distinct AlertName, ProductName, Status, AlertLink, UserPrincipalName, Tactics, TimeGenerated\\r\\n| where AlertName contains \\\"sensitive\\\" or AlertName contains \\\"data\\\" or AlertName contains \\\"leak\\\" or Tactics contains \\\"exfil\\\" or AlertName contains \\\"theft\\\" or AlertName contains \\\"steal\\\" or AlertName contains \\\"PII\\\" or AlertName contains \\\"intellectual\\\" or AlertName contains \\\"confidential\\\" or AlertName contains \\\"spill\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Results305\",\"styleSettings\":{\"maxWidth\":\"10\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"04a06f0b-7190-4af9-9d04-473d54a3f923\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results306\",\"type\":1,\"query\":\"MicrosoftPurviewInformationProtection\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Results306\",\"styleSettings\":{\"maxWidth\":\"10\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"84d1a90a-923f-4fe1-88a0-b5603f0530b6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results307\",\"type\":1,\"query\":\"MicrosoftPurviewInformationProtection\\r\\n| extend UserPrincipalName = UserId\\r\\n| where LabelName <> \\\"\\\"\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Results307\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MicrosoftPurviewInformationProtection\\r\\n| extend UserPrincipalName = UserId\\r\\n| where LabelName <> \\\"\\\"\\r\\n// 🔎 Filter out common or non-critical labels here (example excludes \\\"General\\\").\\r\\n// Update the list inside !in(...) and uncomment below line to exclude labels that are considered low-sensitivity in your org.\\r\\n// | where LabelName !in (\\\"General\\\")\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend State = tostring(LocationDetails.state)\\r\\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\\r\\n| project Location\",\"size\":3,\"showAnalytics\":true,\"title\":\"Sensitive Label Access by 
Geolocations\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\"
,\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\"}]}}},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"Results307\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MicrosoftPurviewInformationProtection\\r\\n| extend UserPrincipalName = UserId\\r\\n| where LabelName <> \\\"\\\"\\r\\n// 🔎 Filter out common or non-critical labels here (example excludes \\\"General\\\").\\r\\n// Update the list inside !in(...) and uncomment below line to exclude labels that are considered low-sensitivity in your org.\\r\\n// | where LabelName !in (\\\"General\\\")\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend State = tostring(LocationDetails.state)\\r\\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\\r\\n| summarize count() by UserPrincipalName, LabelName, City, State, Country_Region\\r\\n| sort by count_ desc\\r\\n| limit 100\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensitive Label Access by Geolocation 
Details\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LabelName_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"City\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Country_Region\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yell
ow\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"turquoise\"}]}}},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"Results307\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"]), UserPrincipalName = tostring(Entities[\\\"UserPrincipalName\\\"])\\r\\n | extend UPN = coalesce (UserPrincipalName, iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", 
UPNSuffix), \\\"\\\"))\\r\\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\\r\\n| extend UserPrincipalName = UPN\\r\\n| where UserPrincipalName in ({UserPrincipalName})\\r\\n| distinct AlertName, ProductName, Status, AlertLink, UserPrincipalName, Tactics, TimeGenerated\\r\\n| where (AlertName contains \\\"sensitive\\\" or AlertName contains \\\"leak\\\" or AlertName contains \\\"theft\\\" or AlertName contains \\\"steal\\\" or AlertName contains \\\"PII\\\" or AlertName contains \\\"intellectual\\\" or AlertName contains \\\"confidential\\\" or AlertName contains \\\"spill\\\") or (Tactics contains \\\"exfil\\\")\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by AlertName\\r\\n| render timechart\",\"size\":0,\"title\":\"Sensitive Data Alerts over Time\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatt
er\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident >\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"conditionalVisibility\":{\"parameterName\":\"Results305\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"305\"},{\"type
\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"]), UserPrincipalName = tostring(Entities[\\\"UserPrincipalName\\\"])\\r\\n | extend UPN = coalesce (UserPrincipalName, iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\"))\\r\\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\\r\\n| extend UserPrincipalName = UPN\\r\\n| where UserPrincipalName in ({UserPrincipalName})\\r\\n| distinct UserPrincipalName, AlertName, ProductName, Status, AlertLink, Tactics, TimeGenerated\\r\\n| where (AlertName contains \\\"sensitive\\\" or AlertName contains \\\"leak\\\" or AlertName contains \\\"theft\\\" or AlertName contains \\\"steal\\\" or AlertName contains \\\"PII\\\" or AlertName contains \\\"intellectual\\\" or AlertName contains \\\"confidential\\\" or AlertName contains \\\"spill\\\") or (Tactics contains \\\"exfil\\\")\\r\\n| sort by TimeGenerated desc\\r\\n| limit 100\",\"size\":0,\"title\":\"Sensitive Data Alert 
Details\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"conditionalVisibility\":{\"parameterName\":\"Results305\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"305b\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MicrosoftPurviewInformationProtection\\r\\n| where LabelName <> \\\"\\\"\\r\\n| extend CommonProperties = parse_json(Common)\\r\\n| extend ApplicationName = tostring(CommonProperties.ApplicationName)\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by LabelName, 
ApplicationName\\r\\n| render timechart\",\"size\":0,\"title\":\"Data Access by Sensitivity Labels Over Time\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results306\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"306a\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MicrosoftPurviewInformationProtection\\r\\n| where LabelName <> \\\"\\\"\\r\\n// 🔎 Filter out common or non-critical labels here (example excludes \\\"General\\\").\\r\\n// Update the list inside !in(...) 
and uncomment below line to exclude labels that are considered low-sensitivity in your org.\\r\\n// | where LabelName !in (\\\"General\\\")\\r\\n| summarize count() by LabelName\\r\\n| render piechart\",\"size\":0,\"title\":\"Data Access by Sensitivity Label\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results306\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"306b\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MicrosoftPurviewInformationProtection\\r\\n| where LabelName <> \\\"\\\"\\r\\n| extend CommonProperties = parse_json(Common)\\r\\n| extend ApplicationName = tostring(CommonProperties.ApplicationName)\\r\\n| extend properties = parse_json(ProtectionEventData)\\r\\n| extend ProtectionOwner = 
tostring(properties.ProtectionOwner)\\r\\n| extend IsProtected = tostring(properties.IsProtected)\\r\\n| distinct UserId, LabelName, ApplicationName, Operation, IsProtected, Platform, ProtectionOwner, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 100\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensitive Data Access Details\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident >\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"conditionalVisibility\":{\"parameterName\":\"Results306\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results306c\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDLPVisible\",\"comparison
\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DLP\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## 🔍 Purview Logs\\r\\n\\r\\nThis section provides visibility into the **classification and labeling of personal and sensitive data** across your Azure and Microsoft 365 environment. It directly supports GDPR principles of **lawfulness, fairness, transparency, and accountability (Art. 5)** as well as requirements for **records of processing activities (Art. 30)** and **data protection by design and by default (Art. 25)**. \\r\\n\\r\\nKey objectives of this section: \\r\\n- Track **classified Azure sources by region** to understand where personal data is stored and processed \\r\\n- Monitor the **volume and types of classified assets** across different resource types \\r\\n- Drill down to the **asset and file level** to validate that personal data is discovered and properly classified \\r\\n- Assess the application of **sensitivity labels** to ensure data is protected according to organizational policy \\r\\n- Provide auditors with clear evidence of **data inventory and classification coverage** \\r\\n\\r\\nBy reviewing these metrics, analysts can verify that **data discovery, classification, and labeling controls** are functioning as required, and quickly spot gaps where sensitive data may not be properly governed.\\r\\n\"},\"customWidth\":\"40\",\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 13\"},{\"type\":1,\"content\":{\"json\":\"| Purview Logs | | |\\r\\n|:--| - | - |\\r\\n| Classified Azure Sources by Region | Total Classified Assets by Resource Type | Select 'Data Source' below to view Assets Drilldown |\\r\\n| Assets Drilldown | Classifications by Asset Count and File Size |Classifications Drilldown- Asset Level|\\r\\n|Sensitivity Labels by Asset Count and File Size|Sensitivity Labels Drilldown- Asset 
Level|\\r\\n\\r\\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range, Purview Account, Source Collectiona and Resource Type. Only panels with data are shown.\\r\\n\"},\"customWidth\":\"40\",\"name\":\"text - 14\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"a5b9cb0c-6219-4782-a10d-1370a8a6edb4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PurviewAccount\",\"label\":\"Purview Account\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PurviewDataSensitivityLogs\\r\\n|distinct PurviewAccountName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"ea62a59c-3799-400d-a7af-f0ad14cc46c7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Collection\",\"label\":\"Source Collection\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\"\\r\\n| distinct SourceCollectionName \\r\\n| extend Collection = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\", SourceCollectionName)\\r\\n| project Collection\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"817265c3-f308-44e0-a24c-33dac7ee2c91\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DataSource\",\"label\":\"Resource Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\",\"delimiter\":\",\",\"query\":\"PurviewDataSensitivityLogs\\r\\n| 
where ActivityType == \\\"Classification\\\"\\r\\n| distinct SourceType \",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"7afa304d-b448-4d6c-8c54-69e51a7249a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results200\",\"type\":1,\"query\":\"let NumberofSourcesByRegion = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where SourceType contains \\\"Azure\\\"\\r\\n// GDPR filter: keep only sources with classification or sensitivity label\\r\\n| where array_length(todynamic(Classification)) > 0 or array_length(todynamic(SensitivityLabel)) > 0\\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"));\\r\\nNumberofSourcesByRegion\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results305\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"34376939-8858-4c9e-b1ff-a89df0cbd3e7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results201\",\"type\":1,\"query\":\"let MostRecentScanLogs = PurviewDataSensitivityLogs\\r\\n | where ActivityType == \\\"Classification\\\" \\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType ;\\r\\nlet AllAssets = MostRecentScanLogs\\r\\n | summarize AssetCount = count() by SourceType;\\r\\nlet ClassifiedAssets = MostRecentScanLogs\\r\\n | where Classification != \\\"[]\\\"\\r\\n | summarize AssetClassifiedCount = count() by SourceType;\\r\\nlet ClassifiedAssetsByResourceType = AllAssets\\r\\n | join kind= leftouter ClassifiedAssets on SourceType\\r\\n | extend AssetCount = strcat(AssetCount, \\\" assets found in total\\\")\\r\\n | project SourceType, AssetCount, AssetClassifiedCount;\\r\\nClassifiedAssetsByResourceType\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results305 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"84a173b6-3660-49aa-8949-729ed6cdbacb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results202\",\"type\":1,\"query\":\"let MostRecentScanLogs = PurviewDataSensitivityLogs\\r\\n | where ActivityType == \\\"Classification\\\"\\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName) \\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType ;\\r\\nlet AllAssets = MostRecentScanLogs\\r\\n| summarize AssetCount = count() by DataSource = SourcePath, SourceRegion, SourceType;\\r\\nlet ClassifiedAssets = MostRecentScanLogs\\r\\n| where Classification != \\\"[]\\\"\\r\\n| summarize AssetClassifiedCount = count() by DataSource = SourcePath, SourceRegion, SourceType;\\r\\nlet AssetsDrilldown = AllAssets\\r\\n| join kind= leftouter ClassifiedAssets on DataSource, SourceType\\r\\n| extend PathName = substring(DataSource, 1)\\r\\n| extend ClassifiedPercentage = round((100.0 * AssetClassifiedCount / 
AssetCount),1)\\r\\n| project DataSource, SourceRegion, SourceType, ClassifiedPercentage, AssetClassifiedCount, AssetCount, PathName;\\r\\nAssetsDrilldown\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results202\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"5b145cf1-1b6e-41be-8266-b7e3f928bae8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results203\",\"type\":1,\"query\":\"let MostRecentScanLogs = PurviewDataSensitivityLogs\\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where ActivityType == \\\"Classification\\\" \\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType;\\r\\nlet Classifications = MostRecentScanLogs\\r\\n| summarize arg_max(TimeGenerated, Classification, FileSize, AssetType) by AssetPath \\r\\n| extend classifications = split(Classification, ',')\\r\\n| mv-expand classifications\\r\\n| extend Classification = trim(@\\\"[^\\\\w]+\\\", 
tostring(classifications))\\r\\n| where Classification != \\\"\\\"\\r\\n| summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by Classification\\r\\n| project Classification, AssetCount, FileSize;\\r\\nClassifications\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results203\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"0d1bdef8-7287-4e24-a185-070cf1179d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results204\",\"type\":1,\"query\":\"let SensitivityLabels = PurviewDataSensitivityLogs\\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where ActivityType == \\\"Labeling\\\" \\r\\n | extend SensitivityLabel = iff(SensitivityLabel[0] == \\\"\\\", \\\"No Label\\\", SensitivityLabel[0])\\r\\n | extend Label = replace(@\\\"\\\\\\\\\\\", \\\"/\\\", SensitivityLabel)\\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType\\r\\n | summarize FileSize = 
round(sum(FileSize)/1000000,2), AssetCount = count() by SensitivityLabel, Label\\r\\n | project SensitivityLabel, FileSize, AssetCount, Label\\r\\n | sort by AssetCount;\\r\\nSensitivityLabels\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results204\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let NumberofSourcesByRegion = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where SourceType contains \\\"Azure\\\"\\r\\n// GDPR filter: keep only sources with classification or sensitivity label\\r\\n| where array_length(todynamic(Classification)) > 0 or array_length(todynamic(SensitivityLabel)) > 0\\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| distinct SourcePath, SourceRegion\\r\\n| summarize AssetCount = count() by SourceRegion;\\r\\nNumberofSourcesByRegion\",\"size\":0,\"title\":\"Classified Azure Sources by 
Region\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"AzureLoc\",\"locInfoColumn\":\"SourceRegion\",\"sizeSettings\":\"AssetCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"AssetCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"AssetCount\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results200\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MostRecentScanLogs = PurviewDataSensitivityLogs\\r\\n | where ActivityType == \\\"Classification\\\" \\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType ;\\r\\nlet AllAssets = MostRecentScanLogs\\r\\n | summarize AssetCount = count() by SourceType;\\r\\nlet ClassifiedAssets = MostRecentScanLogs\\r\\n | where Classification != \\\"[]\\\"\\r\\n | summarize AssetClassifiedCount = count() by SourceType;\\r\\nlet ClassifiedAssetsByResourceType = AllAssets\\r\\n | join kind= leftouter ClassifiedAssets on SourceType\\r\\n | extend AssetCount = strcat(AssetCount, \\\" assets found in total\\\")\\r\\n | project SourceType, AssetCount, AssetClassifiedCount;\\r\\nClassifiedAssetsByResourceType\",\"size\":0,\"title\":\"Total Classified Assets by Resource 
Type\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SourceType\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"AssetClassifiedCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"0\"}},\"secondaryContent\":{\"columnMatch\":\"AssetCount\"},\"showBorder\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"AssetClassifiedCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"AssetClassifiedCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"AssetClassifiedCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results201\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 25\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MostRecentScanLogs = PurviewDataSensitivityLogs\\r\\n | where ActivityType == \\\"Classification\\\"\\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName) \\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType ;\\r\\nlet AllAssets = MostRecentScanLogs\\r\\n| summarize AssetCount = 
count() by DataSource = SourcePath, SourceRegion, SourceType;\\r\\nlet ClassifiedAssets = MostRecentScanLogs\\r\\n| where Classification != \\\"[]\\\"\\r\\n| summarize AssetClassifiedCount = count() by DataSource = SourcePath, SourceRegion, SourceType;\\r\\nlet AssetsDrilldown = AllAssets\\r\\n| join kind= leftouter ClassifiedAssets on DataSource, SourceType\\r\\n| extend PathName = substring(DataSource, 1)\\r\\n| extend ClassifiedPercentage = round((100.0 * AssetClassifiedCount / AssetCount),1)\\r\\n| project DataSource, SourceRegion, SourceType, ClassifiedPercentage, AssetClassifiedCount, AssetCount, PathName;\\r\\nAssetsDrilldown\",\"size\":0,\"showAnalytics\":true,\"title\":\"Select 'Data Source' below to view Assets Drilldown\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"PathName\",\"exportParameterName\":\"UserSelectedDataSource\",\"exportDefaultValue\":\"All\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataSource\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"ClassifiedPercentage\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"},\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":1}}},{\"columnMatch\":\"AssetClassifiedCount\",\"formatter\":2,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"0\"}},{\"columnMatch\":\"AssetCount\",\"formatter\":2,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"PathName\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"SourceType\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"DataSource\",\"label\":\"Data Source\"},{\"columnId\":\"SourceRegion\",\"label\":\"Source 
Region\"},{\"columnId\":\"SourceType\",\"label\":\"Source Type\"},{\"columnId\":\"ClassifiedPercentage\",\"label\":\"% Classified\"},{\"columnId\":\"AssetClassifiedCount\",\"label\":\"Classified Assets\"},{\"columnId\":\"AssetCount\",\"label\":\"Total Assets\"},{\"columnId\":\"PathName\",\"label\":\"Source Path\"}]},\"sortBy\":[{\"itemKey\":\"SourceType\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results202\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MostRecentScanLogs = PurviewDataSensitivityLogs\\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | where \\\"{UserSelectedDataSource:label}\\\" == \\\"All\\\" or (SourcePath contains \\\"{UserSelectedDataSource:label}\\\")\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType ;\\r\\nlet ClassificationCounts = MostRecentScanLogs\\r\\n | where ActivityType == \\\"Classification\\\"\\r\\n | mv-expand Classification\\r\\n | summarize ClassificationCount= count(todynamic(Classification)) by AssetPath\\r\\n | project ClassificationCount, AssetPath;\\r\\nlet ClassifiedAssetsWithCounts = MostRecentScanLogs\\r\\n | where ActivityType == \\\"Classification\\\"\\r\\n | join kind= leftouter ClassificationCounts on AssetPath\\r\\n | summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, 
SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, Classification, ClassificationCount, ClassificationTrigger, ClassificationDetails, SourceScanId) by AssetPath ;\\r\\nlet LabeledAssets = MostRecentScanLogs\\r\\n | where ActivityType == \\\"Labeling\\\" \\r\\n | mv-expand SensitivityLabel to typeof(string)\\r\\n | where SensitivityLabel != int(null)\\r\\n | mv-expand SensitivityLabelDetails\\r\\n | summarize arg_max(SensitivityLabel, SourceType, SensitivityLabelTrigger, SensitivityLabelDetails) by AssetPath\\r\\n | project AssetPath, SensitivityLabel, SensitivityLabelTrigger, SensitivityLabelDetails;\\r\\nlet ClassificationCountWithSensitivityInformation = ClassifiedAssetsWithCounts\\r\\n | join kind= leftouter LabeledAssets on AssetPath\\r\\n | project\\r\\n TimeGenerated,\\r\\n PurviewTenantId,\\r\\n PurviewAccountName,\\r\\n PurviewRegion,\\r\\n AssetName,\\r\\n AssetPath,\\r\\n AssetType,\\r\\n AssetCreationTime,\\r\\n AssetModifiedTime,\\r\\n AssetLastScanTime,\\r\\n FileExtension,\\r\\n FileSize,\\r\\n ActivityType,\\r\\n ClassificationTrigger,\\r\\n Classification,\\r\\n ClassificationCount,\\r\\n ClassificationDetails,\\r\\n SensitivityLabelTrigger,\\r\\n SensitivityLabel,\\r\\n SensitivityLabelDetails,\\r\\n SourceName,\\r\\n SourceType,\\r\\n SourcePath,\\r\\n SourceSubscriptionId,\\r\\n SourceRegion,\\r\\n SourceCollectionName,\\r\\n SourceScanId\\r\\n | sort by ClassificationCount;\\r\\nClassificationCountWithSensitivityInformation\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets 
Drilldown\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":5},{\"columnMatch\":\"PurviewTenantId\",\"formatter\":5},{\"columnMatch\":\"PurviewAccountName\",\"formatter\":5},{\"columnMatch\":\"PurviewRegion\",\"formatter\":5},{\"columnMatch\":\"AssetName\",\"formatter\":5},{\"columnMatch\":\"AssetPath\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"AssetType\",\"formatter\":5},{\"columnMatch\":\"AssetCreationTime\",\"formatter\":5},{\"columnMatch\":\"AssetModifiedTime\",\"formatter\":5},{\"columnMatch\":\"AssetLastScanTime\",\"formatter\":5},{\"columnMatch\":\"FileExtension\",\"formatter\":5},{\"columnMatch\":\"FileSize\",\"formatter\":5},{\"columnMatch\":\"ActivityType\",\"formatter\":5},{\"columnMatch\":\"Classification\",\"formatter\":5},{\"columnMatch\":\"ClassificationCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"0\"}},{\"columnMatch\":\"ClassificationDetails\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelTrigger\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabel\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No 
Label\"}},{\"columnMatch\":\"SensitivityLabelDetails\",\"formatter\":5},{\"columnMatch\":\"SourceName\",\"formatter\":5},{\"columnMatch\":\"SourceType\",\"formatter\":5},{\"columnMatch\":\"SourcePath\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"SourceSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceRegion\",\"formatter\":5},{\"columnMatch\":\"SourceCollectionName\",\"formatter\":5},{\"columnMatch\":\"SourceScanId\",\"formatter\":5},{\"columnMatch\":\"PurviewSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceOwner\",\"formatter\":5},{\"columnMatch\":\"AssetOwner\",\"formatter\":5},{\"columnMatch\":\"ClassificationActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelGuid\",\"formatter\":5},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"ActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}}],\"rowLimit\":1000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"AssetPath\",\"label\":\"Asset Path\"},{\"columnId\":\"ClassificationCount\",\"label\":\"Classifications\"},{\"columnId\":\"SensitivityLabel\",\"label\":\"Sensitivity Label\"},{\"columnId\":\"SourcePath\",\"label\":\"Data Source\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results202\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MostRecentScanLogs = PurviewDataSensitivityLogs\\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", 
SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where ActivityType == \\\"Classification\\\" \\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType;\\r\\nlet Classifications = MostRecentScanLogs\\r\\n| summarize arg_max(TimeGenerated, Classification, FileSize, AssetType) by AssetPath \\r\\n| extend classifications = split(Classification, ',')\\r\\n| mv-expand classifications\\r\\n| extend Classification = trim(@\\\"[^\\\\w]+\\\", tostring(classifications))\\r\\n| where Classification != \\\"\\\"\\r\\n| summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by Classification\\r\\n| project Classification, AssetCount, FileSize;\\r\\nClassifications\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Select 'Classification' below to view Classification Drilldown\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Classification\",\"exportParameterName\":\"UserSelectedClassification\",\"exportDefaultValue\":\"All\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Classification\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50ch\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No 
Classifications\"}},{\"columnMatch\":\"AssetCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"FileSize\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"25ch\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_AssetCount_1\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"AssetCount\",\"label\":\"Classified Asset Count\"},{\"columnId\":\"FileSize\",\"label\":\"Total Size of Files (MB)\"}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_AssetCount_1\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Size\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results203\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 4 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MostRecentScanLogs = PurviewDataSensitivityLogs\\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where ActivityType == \\\"Classification\\\" \\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType;\\r\\nlet ClassificationsDrilldown = MostRecentScanLogs\\r\\n| extend classifications 
= split(Classification, ',')\\r\\n| mv-expand classifications\\r\\n| extend SelectedClassification = trim(@\\\"[^\\\\w]+\\\", tostring(classifications))\\r\\n| where SelectedClassification != \\\"\\\"\\r\\n| where \\\"{UserSelectedClassification:label}\\\" == \\\"All\\\" or (split(\\\"{UserSelectedClassification:label}\\\", \\\", \\\") contains SelectedClassification)\\r\\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationTrigger, Classification, ClassificationDetails, SourceScanId) by AssetPath \\r\\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationTrigger, Classification, ClassificationDetails, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceScanId;\\r\\nClassificationsDrilldown\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Classifications Drilldown- Asset 
Level\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":5},{\"columnMatch\":\"PurviewTenantId\",\"formatter\":5},{\"columnMatch\":\"PurviewAccountName\",\"formatter\":5},{\"columnMatch\":\"PurviewRegion\",\"formatter\":5},{\"columnMatch\":\"AssetName\",\"formatter\":5},{\"columnMatch\":\"AssetPath\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70ch\"}},{\"columnMatch\":\"AssetType\",\"formatter\":5},{\"columnMatch\":\"AssetCreationTime\",\"formatter\":5},{\"columnMatch\":\"AssetModifiedTime\",\"formatter\":5},{\"columnMatch\":\"AssetLastScanTime\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"30ch\"}},{\"columnMatch\":\"FileExtension\",\"formatter\":5},{\"columnMatch\":\"FileSize\",\"formatter\":5},{\"columnMatch\":\"ActivityType\",\"formatter\":5},{\"columnMatch\":\"Classification\",\"formatter\":5},{\"columnMatch\":\"SourceName\",\"formatter\":5},{\"columnMatch\":\"SourceType\",\"formatter\":5},{\"columnMatch\":\"SourcePath\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"SourceSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceRegion\",\"formatter\":5},{\"columnMatch\":\"SourceCollectionName\",\"formatter\":5},{\"columnMatch\":\"SourceScanId\",\"formatter\":5},{\"columnMatch\":\"PurviewSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceOwner\",\"formatter\":5},{\"columnMatch\":\"AssetOwner\",\"formatter\":5},{\"columnMatch\":\"ActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelGuid\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":5},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"AssetPath\",\
"label\":\"Asset Path\"},{\"columnId\":\"AssetLastScanTime\",\"label\":\"Asset Last Scan Time\"},{\"columnId\":\"SourcePath\",\"label\":\"Data Source\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results203\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 10\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SensitivityLabels = PurviewDataSensitivityLogs\\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where ActivityType == \\\"Labeling\\\" \\r\\n | extend SensitivityLabel = iff(SensitivityLabel[0] == \\\"\\\", \\\"No Label\\\", SensitivityLabel[0])\\r\\n | extend Label = replace(@\\\"\\\\\\\\\\\", \\\"/\\\", SensitivityLabel)\\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType\\r\\n | summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by SensitivityLabel, Label\\r\\n | project SensitivityLabel, FileSize, AssetCount, Label\\r\\n | sort by AssetCount;\\r\\nSensitivityLabels\",\"size\":0,\"showAnalytics\":true,\"title\":\"Select 'Sensitivity Label' below to view Sensitivity Labels 
Drilldown\",\"showRefreshButton\":true,\"exportFieldName\":\"Label\",\"exportParameterName\":\"UserSelectedLabel\",\"exportDefaultValue\":\"All\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SensitivityLabel\",\"formatter\":1},{\"columnMatch\":\"FileSize\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"Label\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"SensitivityLabel\",\"label\":\"Sensitivity Label\"},{\"columnId\":\"FileSize\",\"label\":\"File Size\"},{\"columnId\":\"AssetCount\",\"label\":\"Asset Count\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"LabelCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results204\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 14 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MostRecentScanLogs = PurviewDataSensitivityLogs\\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No 
Collection\\\", SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where ActivityType == \\\"Labeling\\\" \\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType;\\r\\nlet LabelDrilldown = MostRecentScanLogs \\r\\n| extend SensitivityLabel = iff(SensitivityLabel[0] == \\\"\\\", \\\"No Label\\\", SensitivityLabel[0])\\r\\n| extend Label = replace(@\\\"\\\\\\\\\\\", \\\"/\\\", SensitivityLabel)\\r\\n| where \\\"{UserSelectedLabel:label}\\\" == \\\"All\\\" or \\\"{UserSelectedLabel:label}\\\" == Label\\r\\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, SensitivityLabelTrigger, SensitivityLabel, SensitivityLabelDetails, SourceScanId) by AssetPath \\r\\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, SensitivityLabelTrigger, SensitivityLabel, SensitivityLabelDetails, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceScanId;\\r\\nLabelDrilldown\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensitivity Labels Drilldown- Asset 
Level\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":5},{\"columnMatch\":\"PurviewTenantId\",\"formatter\":5},{\"columnMatch\":\"PurviewAccountName\",\"formatter\":5},{\"columnMatch\":\"PurviewRegion\",\"formatter\":5},{\"columnMatch\":\"AssetName\",\"formatter\":5},{\"columnMatch\":\"AssetPath\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70ch\"}},{\"columnMatch\":\"AssetType\",\"formatter\":5},{\"columnMatch\":\"AssetCreationTime\",\"formatter\":5},{\"columnMatch\":\"AssetModifiedTime\",\"formatter\":5},{\"columnMatch\":\"FileExtension\",\"formatter\":5},{\"columnMatch\":\"FileSize\",\"formatter\":5},{\"columnMatch\":\"ActivityType\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelTrigger\",\"formatter\":5,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No Label\"}},{\"columnMatch\":\"SensitivityLabel\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No Label\"}},{\"columnMatch\":\"SensitivityLabelDetails\",\"formatter\":5,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No Label\"}},{\"columnMatch\":\"SourceName\",\"formatter\":5},{\"columnMatch\":\"SourceType\",\"formatter\":5},{\"columnMatch\":\"SourcePath\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"SourceSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceRegion\",\"formatter\":5},{\"columnMatch\":\"SourceCollectionName\",\"formatter\":5},{\"columnMatch\":\"SourceScanId\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No 
Label\"}},{\"columnMatch\":\"PurviewSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceOwner\",\"formatter\":5},{\"columnMatch\":\"AssetOwner\",\"formatter\":5},{\"columnMatch\":\"ActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"Classification\",\"formatter\":5},{\"columnMatch\":\"ClassificationCount\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelGuid\",\"formatter\":5},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"AssetPath\",\"label\":\"Asset Path\"},{\"columnId\":\"AssetLastScanTime\",\"label\":\"Asset Last Scan Time\"},{\"columnId\":\"SensitivityLabel\",\"label\":\"Sensitivity Label\"},{\"columnId\":\"SourcePath\",\"label\":\"Source Path\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results204\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 13\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isPurviewLogsVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Purview Logs\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## 🗄 Azure SQL Databases\\r\\n\\r\\nThis section helps you monitor **access to classified and sensitive data stored in Azure SQL databases**. It supports GDPR requirements for **security of processing (Art. 32)** and **data protection by design and by default (Art. 25)** by detecting anomalies, tracking access patterns, and providing evidence of safeguards around personal data. 
\\r\\n\\r\\nKey objectives of this section: \\r\\n- Identify **daily anomaly scores** to highlight unusual database activity that may indicate misuse or data exfiltration \\r\\n- Monitor **queries by sensitivity labels and information types** to ensure personal data is accessed only for legitimate purposes \\r\\n- Track **application and IP access** to classified data for accountability and traceability \\r\\n- Detect potential **privilege misuse or unauthorized access attempts** by reviewing query and principal activity over time \\r\\n- Provide auditors with proof of **continuous monitoring of database activity** against sensitive data assets \\r\\n\\r\\nBy analyzing these metrics, analysts can confirm that **personal data stored in databases is accessed appropriately**, and that monitoring controls are in place to detect and respond to suspicious or non-compliant activity.\\r\\n\"},\"customWidth\":\"40\",\"name\":\"text - 4\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"| Azure SQL Databases | | |\\r\\n|:--| - | - |\\r\\n| Daily anomaly scores, by database | Anomaly score over time for the selected database (from the list above) | Daily activity over time for the selected database (from the list above) |\\r\\n| Number of queries, by sensitivity label | Number of queries, by information type | Number of queries, by principal |\\r\\n|Number of queries, Details|Application access to classified data (by information type)|IP access to classified data (by information type)|\\r\\n\\r\\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range, Servers and Databases. Only panels with data are shown. 
\\r\\n\"},\"customWidth\":\"40\",\"name\":\"text - 6\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"332be9fd-33ad-407e-843e-5f2c49a50b6a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Servers\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"query\":\"where type == \\\"microsoft.sql/servers\\\"\\r\\n| project id=tolower(id)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"b4cc825f-166b-4929-916a-21b8073748c2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Databases\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"where type == \\\"microsoft.sql/servers/databases\\\"\\r\\n| project id=tolower(id)\\r\\n| extend serverName = split(id,'/databases/')[0]\\r\\n| where serverName in ({Servers})\\r\\n| project id\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"7afa304d-b448-4d6c-8c54-69e51a7249a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results205\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where TimeGenerated > 
{TimeRange:start}\\r\\n| where ResourceType == \\\"SERVERS/DATABASES\\\"\\r\\n| where Category == \\\"SQLSecurityAuditEvents\\\"\\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| extend Database = strcat(LogicalServerName_s, '/', database_name_s)\\r\\n| summarize DailyCount = count() by ResourceId, Database, bin_at(TimeGenerated, 1d, now())\\r\\n| make-series metric = sum(DailyCount) on TimeGenerated in range({TimeRange:start}, now()-1d, 1d) by ResourceId, Database\\r\\n| extend series_decompose_anomalies(metric) // Anomaly detection\\r\\n| project ResourceId, Database, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\\r\\n| extend MaxAnomalyScore = AnomalyScore, MinAnomalyScore = AnomalyScore, AnomlyScoreTrend = AnomalyScore\\r\\n| mv-apply MaxAnomalyScore to typeof(real) on (top 1 by MaxAnomalyScore desc)\\r\\n| mv-apply MinAnomalyScore to typeof(real) on (top 1 by MinAnomalyScore asc)\\r\\n| mv-expand with_itemindex=Index AnomalyScore\\r\\n| where Index == array_length(DailyCounts)-1\\r\\n| project-away day, Index\\r\\n| extend AnomalyScoreAbs = abs(toreal(AnomalyScore))\\r\\n| extend WasAnomalous = iif(MaxAnomalyScore > 3 or MinAnomalyScore < -3, true, false)\\r\\n| extend Anomalous = iif(AnomalyScoreAbs > 3, true, false)\\r\\n| order by AnomalyScoreAbs desc\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results205\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"c303d4f8-4af1-4516-945e-66798123d9d9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results206\",\"type\":1,\"query\":\"AzureDiagnostics \\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| where data_sensitivity_information_s != \\\"\\\" \\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n| mvexpand parsed \\r\\n| extend label = tostring(parsed[\\\"@label\\\"]) \\r\\n| where label != \\\"\\\" \\r\\n| summarize dcount = dcount(sequence_group_id_g) by label\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results206\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"3ce1ba31-e991-4012-a9f9-b1196c54f4e5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results207\",\"type\":1,\"query\":\"AzureDiagnostics \\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| where data_sensitivity_information_s 
!= \\\"\\\" \\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n| mvexpand parsed \\r\\n| extend info_type = tostring(parsed[\\\"@information_type\\\"]) \\r\\n| where info_type != \\\"\\\" \\r\\n| summarize dcount = dcount(sequence_group_id_g) by info_type\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results207\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"a13bcd2c-8f8b-4087-94fe-862c41b78c56\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results208\",\"type\":1,\"query\":\"AzureDiagnostics \\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| where data_sensitivity_information_s != \\\"\\\" \\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n| mvexpand parsed \\r\\n| extend Principal = server_principal_name_s\\r\\n| summarize dcount = dcount(sequence_group_id_g) by Principal\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results208\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"3cc27864-9c39-42e8-9cd6-25e1dfb9bcca\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results210\",\"type\":1,\"query\":\"AzureDiagnostics \\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| where data_sensitivity_information_s != \\\"\\\" \\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n| mvexpand parsed \\r\\n| extend label = tostring(parsed[\\\"@label\\\"]) \\r\\n| where label != \\\"\\\" \\r\\n| summarize dcount = dcount(sequence_group_id_g) by label_and_app = strcat(label, \\\" | \\\", application_name_s)\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results210\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"59b17e09-3c6d-4a11-a18d-2bc61a3ceba3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results211\",\"type\":1,\"query\":\"AzureDiagnostics \\r\\n| where tolower(ResourceId) in 
({Databases})\\r\\n| where data_sensitivity_information_s != \\\"\\\" \\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n| mvexpand parsed \\r\\n| extend label = tostring(parsed[\\\"@label\\\"]) \\r\\n| where label != \\\"\\\" \\r\\n| summarize dcount = dcount(sequence_group_id_g) by label_and_ip = strcat(label, \\\" | \\\", client_ip_s) \\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results211\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n| where ResourceType == \\\"SERVERS/DATABASES\\\"\\r\\n| where Category == \\\"SQLSecurityAuditEvents\\\"\\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| extend Database = strcat(LogicalServerName_s, '/', database_name_s)\\r\\n| summarize DailyCount = count() by ResourceId, Database, bin_at(TimeGenerated, 1d, now())\\r\\n| make-series metric = sum(DailyCount) on TimeGenerated in range({TimeRange:start}, now()-1d, 1d) by ResourceId, Database\\r\\n| extend series_decompose_anomalies(metric) // Anomaly detection\\r\\n| project ResourceId, Database, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\\r\\n| extend MaxAnomalyScore = AnomalyScore, MinAnomalyScore = AnomalyScore, AnomlyScoreTrend = AnomalyScore\\r\\n| mv-apply MaxAnomalyScore to typeof(real) on (top 1 by MaxAnomalyScore desc)\\r\\n| mv-apply MinAnomalyScore to typeof(real) on (top 1 by 
MinAnomalyScore asc)\\r\\n| mv-expand with_itemindex=Index AnomalyScore\\r\\n| where Index == array_length(DailyCounts)-1\\r\\n| project-away day, Index\\r\\n| extend AnomalyScoreAbs = abs(toreal(AnomalyScore))\\r\\n| extend WasAnomalous = iif(MaxAnomalyScore > 3 or MinAnomalyScore < -3, true, false)\\r\\n| extend Anomalous = iif(AnomalyScoreAbs > 3, true, false)\\r\\n| order by AnomalyScoreAbs desc\\r\\n\",\"size\":0,\"title\":\"Daily anomaly scores, by database\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"ResourceId\",\"exportParameterName\":\"SelectedResource\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DailyCounts\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"AnomalyScore\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"startsWith\",\"thresholdValue\":\"-\",\"representation\":\"trenddown\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"right\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"trendup\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"MaxAnomalyScore\",\"formatter\":1},{\"columnMatch\":\"MinAnomalyScore\",\"formatter\":5},{\"columnMatch\":\"AnomlyScoreTrend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyScoreAbs\",\"formatter\":5},{\"columnMatch\":\"WasAnomalous\",\"formatter\":1},{\"columnMatch\":\"Anomalous\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"Results205\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n| where ResourceType == \\\"SERVERS/DATABASES\\\"\\r\\n| where Category == 
\\\"SQLSecurityAuditEvents\\\"\\r\\n| where tolower(ResourceId) == tolower('{SelectedResource}')\\r\\n| summarize DailyCount = count() by ResourceId, bin_at(TimeGenerated, 1d, now())\\r\\n| make-series metric = sum(DailyCount) on TimeGenerated in range({TimeRange:start}, now()-1d, 1d) by ResourceId\\r\\n| extend series_decompose_anomalies(metric) // Anomaly detection\\r\\n| project ResourceId, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\\r\\n\",\"size\":0,\"title\":\"Anomaly score over time for the selected database (from the list above)\",\"color\":\"orange\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"chartSettings\":{\"yAxis\":[\"AnomalyScore\"],\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results205\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n| where ResourceType == \\\"SERVERS/DATABASES\\\"\\r\\n| where Category == \\\"SQLSecurityAuditEvents\\\"\\r\\n| where tolower(ResourceId) == tolower('{SelectedResource}')\\r\\n| summarize DailyCount = count() by ResourceId, bin_at(TimeGenerated, 1d, now())\\r\\n| make-series metric = sum(DailyCount) on TimeGenerated in range({TimeRange:start}, now()-1d, 1d) by ResourceId\\r\\n| extend series_decompose_anomalies(metric) // Anomaly detection\\r\\n| project ResourceId, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\\r\\n\",\"size\":0,\"title\":\"Daily activity over time for the selected database (from the list 
above)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"chartSettings\":{\"yAxis\":[\"DailyCounts\"],\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results205\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics \\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| where data_sensitivity_information_s != \\\"\\\" \\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n| mvexpand parsed \\r\\n| extend label = tostring(parsed[\\\"@label\\\"]) \\r\\n| where label != \\\"\\\" \\r\\n| summarize dcount = dcount(sequence_group_id_g) by label\",\"size\":0,\"title\":\"Number of queries, by sensitivity label\",\"timeContextFromParameter\":\"TimeRange\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"label\",\"parameterName\":\"SelectedLabel\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"label\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"Results206\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 3 - 
Copy\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics \\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| where data_sensitivity_information_s != \\\"\\\" \\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n| mvexpand parsed \\r\\n| extend info_type = tostring(parsed[\\\"@information_type\\\"]) \\r\\n| where info_type != \\\"\\\" \\r\\n| summarize dcount = dcount(sequence_group_id_g) by info_type\",\"size\":0,\"title\":\"Number of queries, by information type\",\"timeContextFromParameter\":\"TimeRange\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"info_type\",\"parameterName\":\"SelectedInformationType\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"info_type\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":10}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"Results207\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 3 - Copy - Copy\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics \\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| where data_sensitivity_information_s != \\\"\\\" \\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n| mvexpand parsed \\r\\n| extend Principal = server_principal_name_s\\r\\n| summarize dcount = dcount(sequence_group_id_g) by 
Principal\",\"size\":0,\"title\":\"Number of queries, by principal\",\"timeContextFromParameter\":\"TimeRange\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"Principal\",\"parameterName\":\"SelectedPrincipal\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Principal\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false},\"chartSettings\":{\"createOtherGroup\":10}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"Results208\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 3 - Copy - Copy - Copy\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"387f6bac-5c95-41e3-9556-641188130759\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results209\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| where isempty(data_sensitivity_information_s) == false\\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n//| evaluate bag_unpack(parsed, columnsConflict='keep_source')\\r\\n| mvexpand parsed \\r\\n| project TimeGenerated, ResourceId, Label = tostring(parsed.['@label']), InformationType = tostring(parsed.['@information_type'])\\r\\n , Succeeded = succeeded_s, Principal = server_principal_name_s, ClientIP = client_ip_s, Application = application_name_s, Statement = statement_s, Rows = response_rows_d, Action = action_name_s\\r\\n| where Label != \\\"\\\" or InformationType != \\\"\\\"\\r\\n| where 
isempty('{SelectedLabel}') or (strcat('\\\"',Label,'\\\"') in (split('{SelectedLabel}',',')))\\r\\n| where isempty('{SelectedInformationType}') or (strcat('\\\"',InformationType,'\\\"') in (split('{SelectedInformationType}',',')))\\r\\n| where isempty('{SelectedPrincipal}') or (strcat('\\\"',Principal,'\\\"') in (split('{SelectedPrincipal}',',')))\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results208\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| where isempty(data_sensitivity_information_s) == false\\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n//| evaluate bag_unpack(parsed, columnsConflict='keep_source')\\r\\n| mvexpand parsed \\r\\n| project TimeGenerated, ResourceId, Label = tostring(parsed.['@label']), InformationType = tostring(parsed.['@information_type'])\\r\\n , Succeeded = succeeded_s, Principal = server_principal_name_s, ClientIP = client_ip_s, Application = application_name_s, Statement = statement_s, Rows = response_rows_d, Action = action_name_s\\r\\n| where Label != \\\"\\\" or InformationType != \\\"\\\"\\r\\n| where isempty('{SelectedLabel}') or (strcat('\\\"',Label,'\\\"') in (split('{SelectedLabel}',',')))\\r\\n| where isempty('{SelectedInformationType}') or (strcat('\\\"',InformationType,'\\\"') in (split('{SelectedInformationType}',',')))\\r\\n| where isempty('{SelectedPrincipal}') or 
(strcat('\\\"',Principal,'\\\"') in (split('{SelectedPrincipal}',',')))\",\"size\":0,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"conditionalVisibility\":{\"parameterName\":\"Results209\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics \\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| where data_sensitivity_information_s != \\\"\\\" \\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n| mvexpand parsed \\r\\n| extend label = tostring(parsed[\\\"@label\\\"]) \\r\\n| where label != \\\"\\\" \\r\\n| summarize dcount = dcount(sequence_group_id_g) by label_and_app = strcat(label, \\\" | \\\", application_name_s)\\r\\n| order by label_and_app asc, dcount desc\",\"size\":0,\"title\":\"Application access to classified data (by sensitivity label)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"Results210\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 3 - Copy - Copy\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics \\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| where data_sensitivity_information_s != \\\"\\\" \\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n| mvexpand parsed \\r\\n| extend label = tostring(parsed[\\\"@label\\\"]) \\r\\n| where label != \\\"\\\" \\r\\n| summarize dcount = dcount(sequence_group_id_g) by label_and_ip = strcat(label, \\\" | \\\", client_ip_s) 
\\r\\n| order by label_and_ip asc, dcount desc\",\"size\":0,\"title\":\"IP access to classified data (by sensitivity label)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"action_name_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"action_name_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"Results211\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAzureSQLDatabasesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Azure SQL Databases\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"7afa304d-b448-4d6c-8c54-69e51a7249a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results46\",\"type\":1,\"query\":\"let AnomalySignIns = BehaviorAnalytics\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\\r\\n| extend FirstTimeUserAction = tostring(ActivityInsights.FirstTimeUserPerformedAction)\\r\\n| extend UncommonAction = 
tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\\r\\n| extend UncommonVolumeOfActions = tostring(ActivityInsights.UncommonHighVolumeOfActions)\\r\\n| where FirstTimeDeviceLogon == \\\"True\\\" or FirstTimeUserAction == \\\"True\\\" or UncommonAction == \\\"True\\\" or UncommonVolumeOfActions == \\\"True\\\";\\r\\nAnomalySignIns | join (SigninLogs) on UserPrincipalName\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results205\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"1ba464d7-3754-40c5-9518-7fa597d2e910\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results47\",\"type\":1,\"query\":\"let AnomalySignIns = BehaviorAnalytics\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\\r\\n| extend FirstTimeUserAction = tostring(ActivityInsights.FirstTimeUserPerformedAction)\\r\\n| extend UncommonAction = tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\\r\\n| extend UncommonVolumeOfActions = tostring(ActivityInsights.UncommonHighVolumeOfActions)\\r\\n| where FirstTimeDeviceLogon == \\\"True\\\" or FirstTimeUserAction == \\\"True\\\" or UncommonAction == \\\"True\\\" or UncommonVolumeOfActions == \\\"True\\\";\\r\\nAnomalySignIns | join (SigninLogs) on UserPrincipalName\\r\\n| where SourceIPLocation <> \\\"\\\"\\r\\n| limit 1\\r\\n| summarize 
count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results47\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"65c2cb9f-754e-4a6e-9f49-f8d6b656a4f0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results48\",\"type\":1,\"query\":\"let UncommonActionVolume = BehaviorAnalytics\\r\\n| extend UncommonActionVolume = tostring(ActivityInsights.UncommonHighVolumeOfActions)\\r\\n| where UncommonActionVolume == \\\"True\\\"\\r\\n| summarize count() by UserPrincipalName\\r\\n| project-rename UncommonActionVolume = count_;\\r\\nlet UncommonAction = BehaviorAnalytics\\r\\n| extend UncommonAction = tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\\r\\n| where UncommonAction == \\\"True\\\"\\r\\n| summarize count() by UserPrincipalName\\r\\n| project-rename UncommonAction = count_;\\r\\nlet Uncommon = UncommonActionVolume | join(UncommonAction) on UserPrincipalName;\\r\\nlet FirstTimeDeviceLogon = BehaviorAnalytics\\r\\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\\r\\n| where FirstTimeDeviceLogon == \\\"True\\\"\\r\\n| summarize count() by UserPrincipalName\\r\\n| project-rename FirstTimeDeviceLogon = count_;\\r\\nlet FirstTimeUserAction = BehaviorAnalytics\\r\\n| extend FirstTimeUserAction = tostring(ActivityInsights.FirstTimeUserPerformedAction)\\r\\n| where FirstTimeUserAction == \\\"True\\\"\\r\\n| summarize count() by UserPrincipalName\\r\\n| project-rename FirstTimeUserAction = count_;\\r\\nlet 
FirstTime = FirstTimeUserAction | join(FirstTimeDeviceLogon) on UserPrincipalName;\\r\\nUncommon | join kind=fullouter(FirstTime) on UserPrincipalName\\r\\n| where UserPrincipalName <> \\\"\\\"\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| project UserPrincipalName, UncommonActionVolume, UncommonAction, FirstTimeUserAction, FirstTimeDeviceLogon\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results48\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"802544a8-295d-49ac-ac30-7669812ffc07\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results49\",\"type\":1,\"query\":\"AADUserRiskEvents\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results49\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"292eaf4d-ee6f-4b78-acf1-2f625846dfdb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results50\",\"type\":1,\"query\":\"BehaviorAnalytics\\r\\n| where ActionType == \\\"Reset user password\\\"\\r\\n| where ActivityInsights has \\\"True\\\"\\r\\n| join (\\r\\n AuditLogs\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n| mv-expand TargetResources\\r\\n| extend Target = iff(tostring(TargetResources.userPrincipalName) has \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n| extend UserPrincipalName = iff(UserPrincipalName has \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName has \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n| sort by TimeGenerated desc\\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results50\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"402cb027-2e34-4a17-8ede-e0778b245e49\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results51\",\"type\":1,\"query\":\"BehaviorAnalytics\\r\\n| where ActivityType == \\\"LogOn\\\"\\r\\n| where UsersInsights.BlastRadius == \\\"High\\\"\\r\\n| join (\\r\\nSigninLogs | where Status.errorCode == 50126\\r\\n) on $left.SourceRecordId == $right._ItemId\\r\\n| extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserPrincipalName),\\r\\nUserName = iff(UserName contains \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserName)\\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results51\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"d6c529ca-65d1-49fc-87a0-5013578dcecf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results52\",\"type\":1,\"query\":\"BehaviorAnalytics\\r\\n| where ActionType == \\\"Sign-in\\\"\\r\\n| where ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True and ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True\\r\\n | join (\\r\\nSigninLogs\\r\\n) on $left.SourceRecordId == $right._ItemId\\r\\n| extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserPrincipalName),\\r\\nUserName = iff(UserName contains \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserName)\\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results52\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"776977c6-0e80-44ca-ac00-b875a0dbb650\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results53\",\"type\":1,\"query\":\"//Critical Roles: can impersonate any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)\\r\\n//High Roles: Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app\\r\\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = 
dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\\r\\nAuditLogs\\r\\n| where OperationName == \\\"Update user\\\"\\r\\n| mv-expand AdditionalDetails\\r\\n| mv-expand TargetResources\\r\\n| where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n| mv-expand TargetResources\\r\\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n| where RoleId in (critical,high)\\r\\n| where isnotempty(RoleId) or isnotempty(RoleName)\\r\\n| extend TargetId = tostring(TargetResources.id)\\r\\n| extend Target = iff(tostring(TargetResources.userPrincipalName) has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\\r\\n| join kind=inner ( BehaviorAnalytics\\r\\n) on $left._ItemId == $right.SourceRecordId\\r\\n| where UsersInsights.BlastRadius == \\\"High\\\" or ActivityInsights has \\\"True\\\"\\r\\n| extend UserPrincipalName = iff(UserPrincipalName has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserPrincipalName),\\r\\nUserName = iff(UserName has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserName) \\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where 
\\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName\\r\\n| sort by count_ desc\\r\\n| limit 100\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results53\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"48c0ca65-2da9-4c48-a95b-ea7b5aebc36b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results54\",\"type\":1,\"query\":\"//Critical Roles: can impersonate any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)\\r\\n//High Roles: Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app\\r\\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = 
dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\\r\\nAuditLogs\\r\\n| where OperationName == \\\"Add user\\\"\\r\\n| mv-expand AdditionalDetails\\r\\n| mv-expand TargetResources\\r\\n| where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n| mv-expand TargetResources\\r\\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n| where RoleId in (critical,high)\\r\\n| where isnotempty(RoleId) or isnotempty(RoleName)\\r\\n| extend TargetId = tostring(TargetResources.id)\\r\\n| extend Target = iff(tostring(TargetResources.userPrincipalName) has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\\r\\n| join kind=inner ( BehaviorAnalytics\\r\\n) on $left._ItemId == $right.SourceRecordId\\r\\n| where UsersInsights.BlastRadius == \\\"High\\\" or ActivityInsights has \\\"True\\\"\\r\\n| extend UserPrincipalName = iff(UserPrincipalName has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserPrincipalName),\\r\\nUserName = iff(UserName has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserName) \\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where \\\"{UserPrincipalName:label}\\\" 
== \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results54\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"ef5b3c8e-c859-4e9a-8b73-c60f23732867\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results55\",\"type\":1,\"query\":\"let critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\\r\\nAuditLogs\\r\\n| where OperationName == \\\"Add member to role\\\"\\r\\n| mv-expand TargetResources\\r\\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n| where RoleId in 
(critical,high)\\r\\n| extend TargetId = tostring(TargetResources.id)\\r\\n| extend Target = tostring(TargetResources.userPrincipalName)\\r\\n| where isnotempty(RoleId) or isnotempty(RoleName)\\r\\n| join kind=inner ( BehaviorAnalytics\\r\\n) on $left._ItemId == $right.SourceRecordId\\r\\n| where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights has \\\"True\\\"\\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results55\"},{\"type\":1,\"content\":{\"json\":\"# 📊 [User & Entity Behavior Analytics (UEBA)](https://docs.microsoft.com/azure/sentinel/identify-threats-with-entity-behavior-analytics)\\n---\\n\\nThis section focuses on detecting **anomalous behaviors by users and entities** that may indicate insider threats, compromised accounts, or attempts to exfiltrate personal data. It supports GDPR obligations around **security of processing (Art. 32)** and **accountability (Art. 5(2))** by helping organizations proactively identify suspicious activity that could put personal data at risk. 
\\n\\nKey objectives of this section: \\n- Highlight **user anomalies** such as unusual access times, geolocations, or activity volumes \\n- Detect **high-risk behaviors** flagged by Microsoft’s identity protection and analytics models \\n- Monitor **entity risk scores** to prioritize investigations of potentially compromised accounts or devices \\n- Correlate **web session anomalies** to identify potential data exfiltration attempts \\n- Provide auditors with evidence of **continuous monitoring of user activity and proactive risk detection** \\n\\nBy reviewing these metrics, analysts can ensure that **unusual or risky behaviors are identified early**, reducing the likelihood of personal data misuse or unauthorized disclosure, and demonstrating effective monitoring controls under GDPR.\\n\"},\"customWidth\":\"40\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 14\"},{\"type\":1,\"content\":{\"json\":\"| User & Entity Behavior Analytics (UEBA) | - | - |\\r\\n|:--| :--| :--| \\r\\n| Anomalous Activity by Geolocation | Anomalous Activity by User & GeoLocation | Entity Behavior Analytics Alerts |\\r\\n| User Anomalies | User Sign-in Risk Details |ASim WebSession: Detect potential data exfilteration using timeseries anomaly|\\r\\n| Anomalous Password Reset | Anomalous Failed Logon |Anomalous Geolocation Logon|\\r\\n| Anomalous AAD Account Manipulation | Anomalous Account Creation |Anomalous Role Assignment|\\r\\n\\r\\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range and User.\"},\"customWidth\":\"40\",\"name\":\"text - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AnomalySignIns = BehaviorAnalytics\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\\r\\n| extend FirstTimeUserAction 
= tostring(ActivityInsights.FirstTimeUserPerformedAction)\\r\\n| extend UncommonAction = tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\\r\\n| extend UncommonVolumeOfActions = tostring(ActivityInsights.UncommonHighVolumeOfActions)\\r\\n| where FirstTimeDeviceLogon == \\\"True\\\" or FirstTimeUserAction == \\\"True\\\" or UncommonAction == \\\"True\\\" or UncommonVolumeOfActions == \\\"True\\\";\\r\\nAnomalySignIns | join (SigninLogs) on UserPrincipalName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Anomalous Activity by Geolocation\",\"noDataMessage\":\"There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}]},\"
tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"redBright\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results46\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results46\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AnomalySignIns = BehaviorAnalytics\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\\r\\n| extend FirstTimeUserAction = tostring(ActivityInsights.FirstTimeUserPerformedAction)\\r\\n| extend UncommonAction = tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\\r\\n| extend UncommonVolumeOfActions = tostring(ActivityInsights.UncommonHighVolumeOfActions)\\r\\n| where FirstTimeDeviceLogon == \\\"True\\\" or FirstTimeUserAction == \\\"True\\\" or UncommonAction == \\\"True\\\" or UncommonVolumeOfActions == \\\"True\\\";\\r\\nAnomalySignIns | join (SigninLogs) on UserPrincipalName\\r\\n| where SourceIPLocation <> \\\"\\\"\\r\\n| summarize count() by UserPrincipalName, SourceIPLocation\\r\\n| 
sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Anomalous Activity by User & GeoLocation\",\"noDataMessage\":\"There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Location\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SourceIPLocation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results47\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AnomalousSigninActivity = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\\r\\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\\r\\n or ActivityInsights.FirstTimeUserUsedApp == True and 
ActivityInsights.AppUncommonlyUsedAmongPeers == False)\\r\\n | join (\\r\\n SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \\\"none\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indication from AAD\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', '158c047a-c907-4556-b7ef-446551a6b5f7', '62e90394-69f5-4237-9190-012177145e10', 'd29b2b05-8046-44ba-8758-1e26182fcf32', '729827e3-9c14-49f7-bb1b-9608f156bbb8', '966707d0-3269-4727-9be2-8c3a10f19b9d', '194ae4cb-b126-40b2-bd5b-6091b380977d', 'fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c', '7495fdc4-34c4-4d15-a289-98788ce399fd', 'aaf43236-0c0d-4d5f-883a-6955382ac081', '3edaf663-341e-4475-9f94-5c398ef6c070', 
'7698a772-787b-4ac8-901f-60d6b08affd2', 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', '9f06204d-73c1-4d4c-880a-6edb90606fd8', '29232cdf-9323-42fd-ade2-1d097af3e4de', 'be2f45a1-457d-42af-a067-6ec1fa63bc45', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13', 'e8611ab8-c189-46e8-94e1-60213ab1f814']);//insider\\r\\nlet AnomalousRoleAssignment = AuditLogs\\r\\n | where TimeGenerated > ago(28d)\\r\\n | where OperationName == \\\"Add member to role\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner (\\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Add member to role\\\"\\r\\n | where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend AnomalyName = \\\"Anomalous Role Assignment\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. 
The query below generates an output of all high Blast Radius users performing Add member to privileged role, or ones that add users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let LogOns=materialize(\\r\\n BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\");\\r\\nlet AnomalousResourceAccess = LogOns\\r\\n | where ActionType == \\\"ResourceAccess\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous Resource Access\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousRDPActivity = LogOns\\r\\n | where ActionType == \\\"RemoteInteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous RDP Activity\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). 
The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousLogintoDevices = LogOns\\r\\n | where ActionType == \\\"InteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\\r\\n | extend AnomalyName = \\\"Anomalous Login To Devices\\\",\\r\\n Tactic = \\\"Privilege Escalation\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. 
The query below generates an output of all administrator users performing an interactive logon (4624:2) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousPasswordReset = BehaviorAnalytics\\r\\n | where ActionType == \\\"Reset user password\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == \\\"True\\\"\\r\\n | join (\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Reset user password\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Password Reset\\\",\\r\\n Tactic = \\\"Impact\\\",\\r\\n Technique = \\\"Account Access Removal\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\\r\\n | join (\\r\\n SigninLogs\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Initial Access\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousFailedLogon = BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\"\\r\\n | join (\\r\\n SigninLogs \\r\\n | where Status.errorCode == 50126\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Failed Logon\\\",\\r\\n Tactic = \\\"Credential Access\\\",\\r\\n Technique = \\\"Brute Force\\\",\\r\\n SubTechnique = \\\"Password Guessing\\\",\\r\\n Description = \\\"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousAADAccountManipulation = AuditLogs\\r\\n | where OperationName == \\\"Update user\\\"\\r\\n | mv-expand AdditionalDetails\\r\\n | where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner ( \\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Update user\\\"\\r\\n | where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName) \\r\\n | extend AnomalyName = \\\"Anomalous Account Manipulation\\\",\\r\\n Tactic = 
\\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to privileged role, or ones that changed users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\\r\\n | where ActionType == \\\"Add user\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\\r\\n | join(\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Add user\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend DisplayName = tostring(UsersInsights.AccountDisplayName),\\r\\n UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", 
tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Account Creation\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Create Account\\\",\\r\\n SubTechnique = \\\"Cloud Account\\\",\\r\\n Description = \\\"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\\\"\\t\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\\r\\nlet TopUsersByAnomalies = AnomalyTable\\r\\n | summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\\r\\n | project Name=tolower(UserName), UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\\r\\n | sort by AnomalyCount desc;\\r\\nlet TopUsersByIncidents = SecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | where Status == \\\"New\\\" or Status == \\\"Active\\\"\\r\\n | mv-expand AlertIds\\r\\n | extend 
AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"])\\r\\n | extend UPN = iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n | union TopUsersByAnomalies\\r\\n | extend \\r\\n AadPivot = iff(isempty(AadUserId), iff(isempty(Sid), Name, Sid), AadUserId),\\r\\n SidPivot = iff(isempty(Sid), iff(isempty(AadUserId), Name, AadUserId), Sid),\\r\\n UPNExists = iff(isempty(UPN), false, true),\\r\\n NameExists = iff(isempty(Name), false, true),\\r\\n SidExists = iff(isempty(Sid), false, true),\\r\\n AADExists = iff(isempty(AadUserId), false, true)\\r\\n | summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber, 4), AlertCount=dcountif(AlertId, isnotempty(AlertId), 4), AnomalyCount=sum(AnomalyCount), any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true), NameAnchor=anyif(Name, NameExists == true), AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true), any(SidPivot) by AadPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false), 
AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title, any_Severity, any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity, any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\\r\\n | project [\\\"UserName\\\"]=NameAnchor, IncidentCount, AlertCount, AnomalyCount, [\\\"AadUserId\\\"]=AadAnchor, [\\\"OnPremSid\\\"]=SidAnchor, [\\\"UserPrincipalName\\\"]=UPNAnchor;\\r\\nTopUsersByIncidents\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| project UserPrincipalName, IncidentCount, AlertCount, AnomalyCount\\r\\n| sort by AlertCount desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Entity Behavior Analytics Alerts\",\"noDataMessage\":\"No results, Confirm Sentinel Entity Behavior is 
Enabled\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}],\"rowLimit\":2500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_heatmap_AlertCount_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_heatmap_AlertCount_2\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let UncommonActionVolume = 
BehaviorAnalytics\\r\\n| extend UncommonActionVolume = tostring(ActivityInsights.UncommonHighVolumeOfActions)\\r\\n| where UncommonActionVolume == \\\"True\\\"\\r\\n| summarize count() by UserPrincipalName\\r\\n| project-rename UncommonActionVolume = count_;\\r\\nlet UncommonAction = BehaviorAnalytics\\r\\n| extend UncommonAction = tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\\r\\n| where UncommonAction == \\\"True\\\"\\r\\n| summarize count() by UserPrincipalName\\r\\n| project-rename UncommonAction = count_;\\r\\nlet Uncommon = UncommonActionVolume | join(UncommonAction) on UserPrincipalName;\\r\\nlet FirstTimeDeviceLogon = BehaviorAnalytics\\r\\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\\r\\n| where FirstTimeDeviceLogon == \\\"True\\\"\\r\\n| summarize count() by UserPrincipalName\\r\\n| project-rename FirstTimeDeviceLogon = count_;\\r\\nlet FirstTimeUserAction = BehaviorAnalytics\\r\\n| extend FirstTimeUserAction = tostring(ActivityInsights.FirstTimeUserPerformedAction)\\r\\n| where FirstTimeUserAction == \\\"True\\\"\\r\\n| summarize count() by UserPrincipalName\\r\\n| project-rename FirstTimeUserAction = count_;\\r\\nlet FirstTime = FirstTimeUserAction | join(FirstTimeDeviceLogon) on UserPrincipalName;\\r\\nUncommon | join kind=fullouter(FirstTime) on UserPrincipalName\\r\\n| where UserPrincipalName <> \\\"\\\"\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| project UserPrincipalName, UncommonActionVolume, UncommonAction, FirstTimeUserAction, FirstTimeDeviceLogon\\r\\n| sort by UncommonActionVolume desc \\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Anomalies\",\"noDataMessage\":\"There are no results within the selected thresholds (time, workspace, subscription). 
See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_FirstTimeDeviceLogon_4\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_FirstTimeDeviceLogon_4\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Locat
ion\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results48\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AADUserRiskEvents\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| extend UserProfile = strcat(\\\"#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\",UserId)\\r\\n| extend countryOrRegion_ = tostring(Location.countryOrRegion)\\r\\n| extend city_ = tostring(Location.city)\\r\\n| extend state_ = tostring(Location.state)\\r\\n| extend latitude_ = tostring(parse_json(tostring(Location.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(Location.geoCoordinates)).longitude)\\r\\n| distinct UserPrincipalName, UserProfile, RiskLevel, RiskEventType, city_, state_, countryOrRegion_, UserId\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Sign-in Risk Details\",\"noDataMessage\":\"There are no results within the selected thresholds (time, workspace, subscription). 
See How To: Configure and enable Microsoft Entra ID: Identity Protection risk policies (https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"EntraID User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"RiskLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Results49\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let start = {TimeRange:grain};\\r\\nlet end = 1d;\\r\\nlet timeframe = 1h;\\r\\nlet scorethreshold = 5;\\r\\nlet bytessentperhourthreshold = 10;\\r\\nlet TimeSeriesData = _Im_WebSession(starttime=start, endtime=now())\\r\\n | where isnotempty(DstIpAddr)\\r\\n and 
not(ipv4_is_private(DstIpAddr))\\r\\n | summarize SrcBytesSum=tolong(sum(SrcBytes)) by EventProduct, bin(TimeGenerated, 1h)\\r\\n | extend EventTime = TimeGenerated\\r\\n | make-series TotalBytesSent = sum(SrcBytesSum) on EventTime from startofday(ago(start)) to startofday(now()) step timeframe by EventProduct;\\r\\n// TimeSeriesData block ends here\\r\\n//Take only anomalies in TimeSeriesData\\r\\nlet TimeSeriesAnomalies = materialize(TimeSeriesData\\r\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, 'linefit')\\r\\n | mv-expand\\r\\n TotalBytesSent to typeof(long),\\r\\n EventTime to typeof(datetime),\\r\\n anomalies to typeof(double),\\r\\n score to typeof(double),\\r\\n baseline to typeof(long)\\r\\n | where anomalies > 0 and baseline > 0\\r\\n | extend AnomalyHour = EventTime\\r\\n | extend\\r\\n TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024) / 1024), 2),\\r\\n BaselineBytesSentinMBperHour = round(((baseline / 1024) / 1024), 2),\\r\\n score = round(score, 2)\\r\\n | project\\r\\n EventProduct,\\r\\n AnomalyHour,\\r\\n TotalBytesSentinMBperHour,\\r\\n BaselineBytesSentinMBperHour,\\r\\n anomalies,\\r\\n score\\r\\n //| where AnomalyHour between (startofday(ago(end)) .. 
startofday(now())) // Get TimeSeriesAnomalies in previous day\\r\\n );\\r\\n let AnomalyHours = materialize (TimeSeriesAnomalies\\r\\n | project AnomalyHour);\\r\\n //Previous day aggregated per hour\\r\\n let Last14DayLogs = \\r\\n _Im_WebSession(starttime=start, endtime=now())\\r\\n | extend DateHour = bin(TimeGenerated, timeframe) // create a new column and round to hour\\r\\n | where DateHour in (AnomalyHours) // Filter dataset to include only anomaly AnomalyHours\\r\\n | where isnotempty(DstIpAddr) and isnotempty(SrcIpAddr) and isnotempty(SrcBytes)\\r\\n | where not(ipv4_is_private(DstIpAddr))\\r\\n | project\\r\\n TimeGenerated,\\r\\n DateHour,\\r\\n DstIpAddr,\\r\\n SrcIpAddr,\\r\\n SrcBytes,\\r\\n DstBytes,\\r\\n DstPortNumber,\\r\\n EventProduct\\r\\n | summarize\\r\\n HourlyCount = count(),\\r\\n TimeGeneratedMax = arg_max(TimeGenerated, *),\\r\\n DestinationIPList = make_set(DstIpAddr, 100),\\r\\n DestinationPortList = make_set(DstPortNumber, 100),\\r\\n TotalSentBytes = tolong(sum(SrcBytes)),\\r\\n TotalReceivedBytes = tolong(sum(DstBytes))\\r\\n by SrcIpAddr, EventProduct, TimeGeneratedHour = bin(TimeGenerated, timeframe)\\r\\n | extend\\r\\n SentBytesinMB = ((TotalSentBytes / 1024) / 1024),\\r\\n ReceivedBytesinMB = ((TotalReceivedBytes / 1024) / 1024)\\r\\n | where SentBytesinMB > bytessentperhourthreshold\\r\\n | sort by TimeGeneratedHour asc, SentBytesinMB desc\\r\\n | extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\r\\n | where Rank <= 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\r\\n | project\\r\\n EventProduct,\\r\\n TimeGeneratedHour,\\r\\n TimeGeneratedMax,\\r\\n SrcIpAddr,\\r\\n DestinationIPList,\\r\\n DestinationPortList,\\r\\n SentBytesinMB,\\r\\n ReceivedBytesinMB,\\r\\n Rank,\\r\\n HourlyCount;\\r\\n Last14DayLogs\",\"size\":0,\"showAnalytics\":true,\"title\":\"ASim WebSession: Detect potential data exfilteration using timeseries 
anomaly\",\"noDataMessage\":\"There are no results within the selected thresholds.\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"EntraID User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"RiskLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true}},\"name\":\"query - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BehaviorAnalytics\\r\\n| where ActionType == \\\"Reset user password\\\"\\r\\n| where ActivityInsights has \\\"True\\\"\\r\\n| join (\\r\\n AuditLogs\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n| mv-expand TargetResources\\r\\n| extend Target = iff(tostring(TargetResources.userPrincipalName) has \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n| extend UserPrincipalName = 
iff(UserPrincipalName has \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName has \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n| sort by TimeGenerated desc\\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Anomalous Password Reset\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"IPAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark
\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results50\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results50\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BehaviorAnalytics\\r\\n| where ActivityType == \\\"LogOn\\\"\\r\\n| where UsersInsights.BlastRadius == \\\"High\\\"\\r\\n| join (\\r\\nSigninLogs | where Status.errorCode == 50126\\r\\n) on $left.SourceRecordId == $right._ItemId\\r\\n| extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserPrincipalName),\\r\\nUserName = iff(UserName contains \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserName)\\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Anomalous Failed 
Logon\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IPAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results51\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results51\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BehaviorAnalytics\\r\\n| where ActionType == \\\"Sign-in\\\"\\r\\n| where ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True and ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True\\r\\n | join (\\r\\nSigninLogs\\r\\n) on $left.SourceRecordId == $right._ItemId\\r\\n| extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserPrincipalName),\\r\\nUserName = iff(UserName contains 
\\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserName)\\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Anomalous Geolocation Logon\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IPAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results52\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results52\",\"styleSettings\":{\"maxWidth\":\"50\"}
},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Critical Roles: can impersonate any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)\\r\\n//High Roles: Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app\\r\\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\\r\\nAuditLogs\\r\\n| where OperationName == \\\"Update user\\\"\\r\\n| mv-expand AdditionalDetails\\r\\n| mv-expand TargetResources\\r\\n| where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n| mv-expand TargetResources\\r\\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n| where RoleId in (critical,high)\\r\\n| where isnotempty(RoleId) or isnotempty(RoleName)\\r\\n| extend TargetId = tostring(TargetResources.id)\\r\\n| extend Target = 
iff(tostring(TargetResources.userPrincipalName) has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\\r\\n| join kind=inner ( BehaviorAnalytics\\r\\n) on $left._ItemId == $right.SourceRecordId\\r\\n| where UsersInsights.BlastRadius == \\\"High\\\" or ActivityInsights has \\\"True\\\"\\r\\n| extend UserPrincipalName = iff(UserPrincipalName has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserPrincipalName),\\r\\nUserName = iff(UserName has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserName) \\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Anomalous AAD Account 
Manipulation\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IPAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results53\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results53\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Critical Roles: can impersonate any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)\\r\\n//High Roles: Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app\\r\\nlet critical = 
dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\\r\\nAuditLogs\\r\\n| where OperationName == \\\"Add user\\\"\\r\\n| mv-expand AdditionalDetails\\r\\n| mv-expand TargetResources\\r\\n| where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n| mv-expand TargetResources\\r\\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n| where RoleId in (critical,high)\\r\\n| where isnotempty(RoleId) or isnotempty(RoleName)\\r\\n| extend TargetId = tostring(TargetResources.id)\\r\\n| extend Target = iff(tostring(TargetResources.userPrincipalName) has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\\r\\n| join kind=inner ( BehaviorAnalytics\\r\\n) on $left._ItemId == $right.SourceRecordId\\r\\n| where UsersInsights.BlastRadius == \\\"High\\\" or ActivityInsights has \\\"True\\\"\\r\\n| extend UserPrincipalName = iff(UserPrincipalName has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserPrincipalName),\\r\\nUserName = 
iff(UserName has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserName) \\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Anomalous Account Creation\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IPAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results54\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results54\",\"styleSettings\":{\"maxWidth\":\"50\"}
},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\\r\\nAuditLogs\\r\\n| where OperationName == \\\"Add member to role\\\"\\r\\n| mv-expand TargetResources\\r\\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n| where RoleId in (critical,high)\\r\\n| extend TargetId = tostring(TargetResources.id)\\r\\n| extend Target = tostring(TargetResources.userPrincipalName)\\r\\n| where isnotempty(RoleId) or isnotempty(RoleName)\\r\\n| join kind=inner ( BehaviorAnalytics\\r\\n) on $left._ItemId == $right.SourceRecordId\\r\\n| where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights has \\\"True\\\"\\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName\\r\\n| sort by count_ desc\\r\\n| limit 
100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Anomalous Role Assignment\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IPAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results55\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results55\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUEBAVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Entity Insights\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# 📂 [Microsoft 365 Activity](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender)\\n---\\n\\nThis section monitors **user and administrator activities across Microsoft 365 services** such as Exchange, 
SharePoint, OneDrive, and Teams. It supports GDPR obligations for **integrity and confidentiality of personal data (Art. 5(1)(f))**, **records of processing activities (Art. 30)**, and **security of processing (Art. 32)** by ensuring that access and modifications to personal data are visible, traceable, and appropriately controlled. \\n\\nKey objectives of this section: \\n- Track **file activity actions** to identify how sensitive data is being accessed, shared, or modified \\n- Detect **risky behaviors** such as external sharing, non-owner mailbox access, or unusual PowerShell sign-ins \\n- Monitor for **policy tampering, malicious inbox rules, and Exchange audit log changes** that could undermine data protection \\n- Identify **unusual user behaviors in Teams and SharePoint**, including mass deletions, uploads, or operations from previously unseen devices or IPs \\n- Provide auditors with detailed evidence of **user actions, administrative changes, and protections applied to personal data** \\n\\nBy analyzing these metrics, analysts can validate that **personal data within Microsoft 365 is accessed and processed lawfully**, and that the organization maintains robust monitoring to detect misuse or unauthorized disclosures.\\n\"},\"customWidth\":\"40\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 56\"},{\"type\":1,\"content\":{\"json\":\"| Microsoft 365 Activity | - | - | \\r\\n|:--| :--| :--|\\r\\n| File Activity Actions | File Activity Actions over Time | Most Frequently Accessed Files |\\r\\n| File Transfer Activity by User Over Time | File activity by external users | Previously Unseen Exchange Admin Operations (Last 1 Day) |\\r\\n| SharePoint File Operations by Users from Previously Unseen IPs | SharePointFileOperation via Devices with Previously Unseen User Agents |Non-Owner Mailbox Login Activity |\\r\\n| PowerShell or Non-Browser Mailbox Sign-In Activity | Multiple Teams Deleted by a Single User | 
User Added to Team and Immediately Uploads File |\\r\\n|Executable with Double File Extension and Acces Summary |Mail Redirect via Exchange Transport Rules | Email Forwarding|\\r\\n| User Added as Owner of Multiple Teams | Exchange Audit Log Disabled | Malicious Inbox Rule: Removing Helpdesk/Security Warning Emails|\\r\\n|Office Policy Tampering |Windows Reserved Filenames Staged on Office File Services|\\r\\n\\r\\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range and User. Only panels with data are shown.\\r\\n\"},\"customWidth\":\"50\",\"name\":\"SI OV\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"51f438d6-e64f-4e00-9cb4-a3be91405e38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Classifications\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PurviewDataSensitivityLogs\\r\\n| where Classification != \\\"[]\\\"\\r\\n| mv-expand Classification // expand array if multiple classifications exist\\r\\n| extend Classification = tostring(Classification)\\r\\n| summarize by Classification\\r\\n| order by Classification asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"parameters - 41\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c4a56865-2460-45f6-b264-a1040b7b3818\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensitivityLabels\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PurviewDataSensitivityLogs\\r\\n| where SensitivityLabel != \\\"[]\\\"\\r\\n| mv-expand 
SensitivityLabel // expand array if multiple classifications exist\\r\\n| extend SensitivityLabel = tostring(SensitivityLabel)\\r\\n| summarize by SensitivityLabel\\r\\n| order by SensitivityLabel asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"parameters - 41 - Copy\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"80\",\"name\":\"text - 43\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"2a891328-fdea-48e1-9363-99fc0ac0468c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results80\",\"type\":1,\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| where Operation contains \\\"file\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Results80\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"3a9f9b6b-8bd2-462a-840f-58d00dc9a937\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results81\",\"type\":1,\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\n//let startTime = {TimeRange:grain}; // Adjust as needed\\r\\nOfficeActivity\\r\\n//| where TimeGenerated >= startTime\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| where EventSource == \\\"SharePoint\\\" and OfficeWorkload has_any(\\\"SharePoint\\\", \\\"OneDrive\\\") and Operation has_any (\\\"FileDownloaded\\\", \\\"FileSyncDownloadedFull\\\", \\\"FileSyncUploadedFull\\\", \\\"FileUploaded\\\")\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Results81\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"ebc6e154-835c-4dc9-9142-e84e21a723e3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results83\",\"type\":1,\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| where ExternalAccess == \\\"True\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Results83\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"0d5b45d1-3217-43e6-affd-56b73e7d3560\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results85\",\"type\":1,\"query\":\"let starttime = {TimeRange:grain};\\r\\nlet endtime = 1d;\\r\\nlet historicalActivity=\\r\\n OfficeActivity\\r\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\r\\n | where RecordType == \\\"ExchangeAdmin\\\" and UserType in (\\\"Admin\\\", \\\"DcAdmin\\\")\\r\\n | summarize historicalCount=count() by UserId;\\r\\nlet recentActivity = OfficeActivity\\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n | where TimeGenerated > ago(endtime)\\r\\n | where UserType in (\\\"Admin\\\", \\\"DcAdmin\\\")\\r\\n | summarize recentCount=count() by UserId;\\r\\nrecentActivity\\r\\n| join kind = leftanti (\\r\\n historicalActivity\\r\\n )\\r\\n on UserId\\r\\n| project UserId, recentCount\\r\\n| order by recentCount asc, UserId\\r\\n| join kind = rightsemi \\r\\n (OfficeActivity \\r\\n | where TimeGenerated >= ago(endtime) \\r\\n | where RecordType == \\\"ExchangeAdmin\\\"\\r\\n | where UserType in (\\\"Admin\\\", \\\"DcAdmin\\\")) \\r\\n on UserId\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Results85\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"fd74a8c1-4044-49f4-82de-b2653dc51d7c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results86\",\"type\":1,\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nlet starttime = {TimeRange:grain};\\r\\nlet endtime = 1d;\\r\\nlet historicalActivity=\\r\\n OfficeActivity\\r\\n | where RecordType == \\\"SharePointFileOperation\\\"\\r\\n | where Operation in (\\\"FileDownloaded\\\", \\\"FileUploaded\\\")\\r\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\r\\n | summarize historicalCount=count() by ClientIP;\\r\\nlet recentActivity = OfficeActivity\\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n | where RecordType == \\\"SharePointFileOperation\\\"\\r\\n | where Operation in (\\\"FileDownloaded\\\", \\\"FileUploaded\\\")\\r\\n | where TimeGenerated > ago(endtime);\\r\\nrecentActivity\\r\\n| join kind= leftanti (\\r\\n historicalActivity \\r\\n )\\r\\n on ClientIP\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Results86\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"b5149369-531f-4db9-b16d-ae6af2af2ce6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results87\",\"type\":1,\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nlet starttime = {TimeRange:grain};\\r\\nlet endtime = 1d;\\r\\nlet historicalActivity=\\r\\n OfficeActivity\\r\\n | where RecordType == \\\"SharePointFileOperation\\\"\\r\\n | where Operation in (\\\"FileDownloaded\\\", \\\"FileUploaded\\\")\\r\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\r\\n | summarize historicalCount=count() by UserAgent, RecordType;\\r\\nlet recentActivity = OfficeActivity\\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n | where RecordType == \\\"SharePointFileOperation\\\"\\r\\n | where Operation in (\\\"FileDownloaded\\\", \\\"FileUploaded\\\")\\r\\n | where TimeGenerated > ago(endtime);\\r\\nrecentActivity\\r\\n| join kind = leftanti (\\r\\n historicalActivity \\r\\n )\\r\\n on UserAgent, RecordType\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", 
\\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Results87\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"64a696b7-19fc-4cd6-a0fb-6b8d943868dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results88\",\"type\":1,\"query\":\"OfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where Operation == \\\"MailboxLogin\\\" and Logon_Type != \\\"Owner\\\" \\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Results88\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"57c00f66-6a47-4179-be44-c07b1f0f7ff1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results89\",\"type\":1,\"query\":\"OfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where Operation == \\\"MailboxLogin\\\"\\r\\n| where ClientInfoString == \\\"Client=Microsoft.Exchange.Powershell; 
Microsoft WinRM Client\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Results89\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"a6eb5e71-9e0f-46f7-891c-11ac8b8f03cd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results90\",\"type\":1,\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\r\\nlet max_delete = 3;\\r\\nlet deleting_users = (\\r\\n OfficeActivity\\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\r\\n | where Operation =~ \\\"TeamDeleted\\\"\\r\\n | summarize count() by UserId\\r\\n | where count_ > max_delete\\r\\n | project UserId);\\r\\nOfficeActivity\\r\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\r\\n| where Operation =~ \\\"TeamDeleted\\\"\\r\\n| where UserId in (deleting_users)\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Results90\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"c9283cec-012f-4e89-917b-4ebfea0d4c9c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results91\",\"type\":1,\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nlet threshold = 1m;\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\r\\n| where Operation == \\\"MemberAdded\\\"\\r\\n| extend TeamName = iff(isempty(TeamName), Members[0].UPN, TeamName)\\r\\n| project TimeGenerated, UserId, UploaderID=UserId, TeamName\\r\\n| join (\\r\\n OfficeActivity\\r\\n | where RecordType == \\\"SharePointFileOperation\\\"\\r\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\r\\n | where Operation == \\\"FileUploaded\\\"\\r\\n | where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n | project UserId, UploadTime=TimeGenerated, UploaderID=UserId, FileLocation=OfficeObjectId, FileName=SourceFileName\\r\\n )\\r\\n on UploaderID\\r\\n| where UploadTime > TimeGenerated and UploadTime < TimeGenerated + threshold\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, 
\\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Results91\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"045e5099-2b58-4af1-8525-5620752bed66\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results92\",\"type\":1,\"query\":\"let known_ext = dynamic([\\\"lnk\\\", \\\"log\\\", \\\"option\\\", \\\"config\\\", \\\"manifest\\\", \\\"partial\\\"]);\\r\\nlet excluded_users = dynamic([\\\"app@sharepoint\\\"]);\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and isnotempty(SourceFileName)\\r\\n| where OfficeObjectId has \\\".exe.\\\" and SourceFileExtension !in~ (known_ext)\\r\\n| extend Extension = extract(\\\"[^.]*.[^.]*$\\\", 0, OfficeObjectId)\\r\\n| join kind= leftouter ( \\r\\n OfficeActivity\\r\\n | where RecordType =~ \\\"SharePointFileOperation\\\" and (Operation =~ \\\"FileDownloaded\\\" or Operation =~ \\\"FileAccessed\\\") \\r\\n | where SourceFileExtension !in~ (known_ext)\\r\\n )\\r\\n on OfficeObjectId \\r\\n| where UserId1 !in~ (excluded_users)\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Results92\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"fb33950d-7f2b-4304-b688-9cb0e103f6dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results93\",\"type\":1,\"query\":\"OfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where OfficeWorkload == \\\"Exchange\\\"\\r\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\r\\n| extend p = parse_json(Parameters)\\r\\n| extend RuleName = case(\\r\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\r\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\r\\n \\\"Unknown\\\"\\r\\n ) \\r\\n| mvexpand p\\r\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\r\\n| extend RedirectTo = p.Value\\r\\n| extend ClientIPOnly = case( \\r\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP, \\\":\\\")[0]), \\r\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP, \\\"-\\\")[0]), \\r\\n ClientIP has \\\"[\\\", tostring(trim_start(@'[[]', tostring(split(ClientIP, \\\"]\\\")[0]))),\\r\\n ClientIP\\r\\n ) \\r\\n| extend Port = case(\\r\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", (split(ClientIP, \\\":\\\")[1]),\\r\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP, \\\"-\\\")[1]),\\r\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", 
tostring(split(ClientIP, \\\"]:\\\")[1]),\\r\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP, \\\"]-\\\")[1]),\\r\\n ClientIP\\r\\n )\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Results93\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"dc33037c-0615-4f66-98b8-35e450068f1e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results94\",\"type\":1,\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\r\\nlet threshold = 1;\\r\\n// Reserved FileNames/Extension for Windows\\r\\nlet Reserved = dynamic(['CON', 'PRN', 'AUX', 'NUL', 'COM1', 'COM2', 'COM3', 'COM4', 'COM5', 'COM6', 'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9']);\\r\\nlet starttime = {TimeRange:grain};\\r\\nlet endtime = 1d;\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where TimeGenerated >= ago(endtime)\\r\\n| where isnotempty(SourceFileExtension)\\r\\n| where SourceFileName !~ SourceFileExtension\\r\\n| where SourceFileExtension in~ (Reserved) or SourceFileName in~ (Reserved)\\r\\n| where UserAgent !has \\\"Mac OS\\\" \\r\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName, SourceFileExtension \\r\\n| join kind= 
leftanti (\\r\\n OfficeActivity\\r\\n | where TimeGenerated between (ago(starttime)..ago(endtime))\\r\\n | where isnotempty(SourceFileExtension)\\r\\n | where SourceFileName !~ SourceFileExtension\\r\\n | where SourceFileExtension in~ (Reserved) or SourceFileName in~ (Reserved)\\r\\n | where UserAgent !has \\\"Mac OS\\\" \\r\\n | summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId), SourceFileName = make_set(SourceFileName), PrevSeenCount = count() by SourceFileExtension\\r\\n // To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\r\\n //| where PrevSeenCount > threshold\\r\\n | mvexpand SourceRelativeUrl, UserId, SourceFileName\\r\\n | extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId), SourceFileName = tostring(SourceFileName)\\r\\n )\\r\\n on SourceFileExtension\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Results94\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"3d9de6bf-6bf9-42dd-9ed5-9e03ee5e48af\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results95\",\"type\":1,\"query\":\"OfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where (Operation =~ \\\"Set-Mailbox\\\" and Parameters contains 'ForwardingSmtpAddress') \\r\\n or (Operation =~ 'New-InboxRule' and Parameters 
contains 'ForwardTo')\\r\\n| extend parsed=parse_json(Parameters)\\r\\n| extend fwdingDestination_initial = (iif(Operation =~ \\\"Set-Mailbox\\\", tostring(parsed[1].Value), tostring(parsed[2].Value)))\\r\\n| where isnotempty(fwdingDestination_initial)\\r\\n| extend fwdingDestination = iff(fwdingDestination_initial has \\\"smtp\\\", (split(fwdingDestination_initial, \\\":\\\")[1]), fwdingDestination_initial)\\r\\n| parse fwdingDestination with * '@' ForwardedtoDomain \\r\\n| parse UserId with *'@' UserDomain\\r\\n| extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]), '.', tostring(split(UserDomain, '.')[-1])), '.')[0]))\\r\\n| where ForwardedtoDomain !contains subDomain\\r\\n| extend Result = iff(ForwardedtoDomain != UserDomain, \\\"Mailbox rule created to forward to External Domain\\\", \\\"Forward rule for Internal domain\\\")\\r\\n| extend ClientIPAddress = case(ClientIP has \\\".\\\", tostring(split(ClientIP, \\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@'[[]', tostring(split(ClientIP, \\\"]\\\")[0]))), ClientIP)\\r\\n| extend Port = case(\\r\\n ClientIP has \\\".\\\", (split(ClientIP, \\\":\\\")[1]),\\r\\n ClientIP has \\\"[\\\", tostring(split(ClientIP, \\\"]:\\\")[1]),\\r\\n ClientIP\\r\\n )\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"0\",\"name\":\"Results95\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"e3a6793b-d24b-4e69-922a-6bce21138d10\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results98\",\"type\":1,\"query\":\"// Adjust this value to change how many teams a user is made owner of before detecting\\r\\nlet max_owner_count = 3;\\r\\n// Change this value to adjust how larger timeframe the query is run over.\\r\\nlet high_owner_count = (OfficeActivity\\r\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\r\\n | where Operation =~ \\\"MemberRoleChanged\\\"\\r\\n | extend Member = tostring(parse_json(Members)[0].UPN) \\r\\n | extend NewRole = toint(parse_json(Members)[0].Role) \\r\\n | where NewRole == 2\\r\\n | summarize dcount(TeamName) by Member\\r\\n | where dcount_TeamName > max_owner_count\\r\\n | project Member);\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\r\\n| where Operation =~ \\\"MemberRoleChanged\\\"\\r\\n| extend Member = tostring(parse_json(Members)[0].UPN) \\r\\n| extend NewRole = toint(parse_json(Members)[0].Role) \\r\\n| where NewRole == 2\\r\\n| where Member in (high_owner_count)\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Results98\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"982af542-16a2-429f-9414-2de706b1daf8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results99\",\"type\":1,\"query\":\"OfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\r\\n// Only admin or global-admin can disable audit logging\\r\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\r\\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\r\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\r\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Results99\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"c385b319-e2bb-48de-ac7b-2456aa884b60\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results100\",\"type\":1,\"query\":\"//Add Keywords for Emails as needed\\r\\nlet Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where Operation =~ \\\"New-InboxRule\\\"\\r\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" \\r\\n| extend Events=todynamic(Parameters)\\r\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords '}'*\\r\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords '}'*\\r\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords '}'*\\r\\n| where SubjectContainsWords has_any (Keywords)\\r\\n or BodyContainsWords has_any (Keywords)\\r\\n or SubjectOrBodyContainsWords has_any (Keywords)\\r\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\r\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, 
(iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\r\\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\\\\\')[-1]))\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Results100\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"776847fb-789e-45e6-a314-7cfed84e4f03\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results101\",\"type\":1,\"query\":\"let opList = OfficeActivity \\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| summarize by Operation\\r\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\r\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\r\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\r\\n| summarize make_set(Operation);\\r\\nOfficeActivity\\r\\n// Only admin or global-admin can disable/remove policy\\r\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\r\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\r\\n// Pass in interesting Operation list\\r\\n| where Operation in~ (opList)\\r\\n| extend ClientIPOnly = case( \\r\\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\r\\nClientIP has \\\"[\\\", 
tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\r\\nClientIP\\r\\n) \\r\\n| extend Port = case(\\r\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\r\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\r\\nClientIP\\r\\n)\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"Results101\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| where Operation contains \\\"file\\\"\\r\\n| extend Path = OfficeObjectId\\r\\n| summarize count() by UserId, Operation\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"File Activity 
Actions\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"le
gendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results80\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results80\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| where Operation contains \\\"file\\\"\\r\\n| extend Path = OfficeObjectId\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Operation\\r\\n| render timechart\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"File Activity Actions over 
Time\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results80\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results80b\",\"styleSettings\
":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| where Operation contains \\\"file\\\"\\r\\n| summarize count() by UserId, SourceFileName, SourceFileExtension, OfficeObjectId \\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":1,\"showAnalytics\":true,\"title\":\"Most Frequently Accessed Files\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SourceFileName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"info\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeObjectId\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"r
epresentation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results80\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results80d\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\n//let startTime = {TimeRange:grain}; // Adjust as needed\\r\\nOfficeActivity\\r\\n//| where TimeGenerated >= startTime\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where SourceFileName has_any 
(PurviewClassifiedFiles)\\r\\n| where EventSource == \\\"SharePoint\\\" and OfficeWorkload has_any(\\\"SharePoint\\\", \\\"OneDrive\\\") and Operation has_any (\\\"FileDownloaded\\\", \\\"FileSyncDownloadedFull\\\", \\\"FileSyncUploadedFull\\\", \\\"FileUploaded\\\")\\r\\n| summarize UploadedFiles = count() by bin(TimeGenerated, 1h), UserId\\r\\n| order by TimeGenerated asc\\r\\n| render timechart\\r\\n\",\"size\":0,\"title\":\"File Transfer Activity by User Over Time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results81\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 47\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| where ExternalAccess == \\\"True\\\"\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"File activity by external 
users\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results83\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results83\",\"
styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:grain};\\r\\nlet endtime = 1d;\\r\\nlet historicalActivity=\\r\\n OfficeActivity\\r\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\r\\n | where RecordType == \\\"ExchangeAdmin\\\" \\r\\n | summarize historicalCount=count() by UserId;\\r\\nlet recentActivity = OfficeActivity\\r\\n | where UserId in ({UserPrincipalName})\\r\\n | where TimeGenerated > ago(endtime)\\r\\n | summarize recentCount=count() by UserId;\\r\\nrecentActivity\\r\\n| join kind = leftanti (\\r\\n historicalActivity\\r\\n )\\r\\n on UserId\\r\\n| project UserId, recentCount\\r\\n| order by recentCount asc, UserId\\r\\n| join kind = rightsemi \\r\\n (OfficeActivity \\r\\n | where TimeGenerated >= ago(endtime) \\r\\n | where RecordType == \\\"ExchangeAdmin\\\")\\r\\n on UserId\\r\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by RecordType, Operation, UserType, UserId, OriginatingServer, ResultStatus\\r\\n| sort by count_ desc\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Previously Unseen Exchange Admin Operations (Last 1 
Day)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results85\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results8
5\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nlet starttime = {TimeRange:grain};\\r\\nlet endtime = 1d;\\r\\nlet historicalActivity=\\r\\n OfficeActivity\\r\\n | where RecordType == \\\"SharePointFileOperation\\\"\\r\\n | where Operation in (\\\"FileDownloaded\\\", \\\"FileUploaded\\\")\\r\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\r\\n | summarize historicalCount=count() by ClientIP;\\r\\nlet recentActivity = OfficeActivity\\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n | where RecordType == \\\"SharePointFileOperation\\\"\\r\\n | where Operation in (\\\"FileDownloaded\\\", \\\"FileUploaded\\\")\\r\\n | where TimeGenerated > ago(endtime);\\r\\nrecentActivity\\r\\n| join kind= leftanti (\\r\\n historicalActivity \\r\\n )\\r\\n on ClientIP\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| summarize count() by UserId, ClientIP\\r\\n| sort by count_ desc\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"SharePoint File Operations by Users from Previously Unseen 
IPs\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results86\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results86
\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nlet starttime = {TimeRange:grain};\\r\\nlet endtime = 1d;\\r\\nlet historicalActivity=\\r\\n OfficeActivity\\r\\n | where RecordType == \\\"SharePointFileOperation\\\"\\r\\n | where Operation in (\\\"FileDownloaded\\\", \\\"FileUploaded\\\")\\r\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\r\\n | summarize historicalCount=count() by UserAgent, RecordType;\\r\\nlet recentActivity = OfficeActivity\\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n | where RecordType == \\\"SharePointFileOperation\\\"\\r\\n | where Operation in (\\\"FileDownloaded\\\", \\\"FileUploaded\\\")\\r\\n | where TimeGenerated > ago(endtime);\\r\\nrecentActivity\\r\\n| join kind = leftanti (\\r\\n historicalActivity \\r\\n )\\r\\n on UserAgent, RecordType\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| summarize count() by UserId, UserAgent, RecordType\\r\\n| sort by count_ desc\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"SharePointFileOperation via Devices with Previously Unseen User 
Agents\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results87\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Result
s87\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where Operation == \\\"MailboxLogin\\\" and Logon_Type != \\\"Owner\\\" \\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Non-Owner Mailbox Login Activity\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Loc
ation\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results88\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results88\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where Operation == \\\"MailboxLogin\\\"\\r\\n| where ClientInfoString == \\\"Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client\\\"\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"PowerShell or Non-Browser Mailbox Sign-In Activity\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1}
,\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results89\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results89\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\r\\nlet max_delete = 3;\\r\\nlet deleting_users = (\\r\\n OfficeActivity\\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\r\\n | where Operation =~ \\\"TeamDeleted\\\"\\r\\n | summarize count() by UserId\\r\\n | where count_ > max_delete\\r\\n | project UserId);\\r\\nOfficeActivity\\r\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\r\\n| where Operation =~ \\\"TeamDeleted\\\"\\r\\n| where UserId in (deleting_users)\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Multiple Teams Deleted by a Single 
User\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results90\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results90\",\"styleSetti
ngs\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nlet threshold = 1m;\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\r\\n| where Operation == \\\"MemberAdded\\\"\\r\\n| extend TeamName = iff(isempty(TeamName), Members[0].UPN, TeamName)\\r\\n| project TimeGenerated, UserId, UploaderID=UserId, TeamName\\r\\n| join (\\r\\n OfficeActivity\\r\\n | where RecordType == \\\"SharePointFileOperation\\\"\\r\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\r\\n | where Operation == \\\"FileUploaded\\\"\\r\\n | where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n | project UserId, UploadTime=TimeGenerated, UploaderID=UserId, FileLocation=OfficeObjectId, FileName=SourceFileName\\r\\n )\\r\\n on UploaderID\\r\\n| where UploadTime > TimeGenerated and UploadTime < TimeGenerated + threshold\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Added to Team and Immediately Uploads 
File\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results91\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results91\",\"styleSetti
ngs\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let known_ext = dynamic([\\\"lnk\\\", \\\"log\\\", \\\"option\\\", \\\"config\\\", \\\"manifest\\\", \\\"partial\\\"]);\\r\\nlet excluded_users = dynamic([\\\"app@sharepoint\\\"]);\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and isnotempty(SourceFileName)\\r\\n| where OfficeObjectId has \\\".exe.\\\" and SourceFileExtension !in~ (known_ext)\\r\\n| extend Extension = extract(\\\"[^.]*.[^.]*$\\\", 0, OfficeObjectId)\\r\\n| join kind= leftouter ( \\r\\n OfficeActivity\\r\\n | where RecordType =~ \\\"SharePointFileOperation\\\" and (Operation =~ \\\"FileDownloaded\\\" or Operation =~ \\\"FileAccessed\\\") \\r\\n | where SourceFileExtension !in~ (known_ext)\\r\\n )\\r\\n on OfficeObjectId \\r\\n| where UserId1 !in~ (excluded_users)\\r\\n| extend userBag = pack(UserId1, ClientIP1) \\r\\n| summarize makeset(UserId1), make_bag(userBag), Start=max(TimeGenerated), End=min(TimeGenerated) by UserId, OfficeObjectId, SourceFileName, Extension \\r\\n| extend NumberOfUsers = array_length(bag_keys(bag_userBag))\\r\\n| project UploadTime=Start, Uploader=UserId, FileLocation=OfficeObjectId, FileName=SourceFileName, AccessedBy=bag_userBag, Extension, NumberOfUsers\\r\\n| extend timestamp = UploadTime, Uploader\",\"size\":0,\"showAnalytics\":true,\"title\":\"Executable with Double File Extension and Acces 
Summary\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results92\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results92\",\"styleSe
ttings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where OfficeWorkload == \\\"Exchange\\\"\\r\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\r\\n| extend p = parse_json(Parameters)\\r\\n| extend RuleName = case(\\r\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\r\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\r\\n \\\"Unknown\\\"\\r\\n ) \\r\\n| mvexpand p\\r\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\r\\n| extend RedirectTo = p.Value\\r\\n| extend ClientIPOnly = case( \\r\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP, \\\":\\\")[0]), \\r\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP, \\\"-\\\")[0]), \\r\\n ClientIP has \\\"[\\\", tostring(trim_start(@'[[]', tostring(split(ClientIP, \\\"]\\\")[0]))),\\r\\n ClientIP\\r\\n ) \\r\\n| extend Port = case(\\r\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", (split(ClientIP, \\\":\\\")[1]),\\r\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP, \\\"-\\\")[1]),\\r\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP, \\\"]:\\\")[1]),\\r\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP, \\\"]-\\\")[1]),\\r\\n ClientIP\\r\\n )\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Mail Redirect via Exchange Transport 
Rules\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results93\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results93
\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\r\\nlet threshold = 1;\\r\\n// Reserved FileNames/Extension for Windows\\r\\nlet Reserved = dynamic(['CON', 'PRN', 'AUX', 'NUL', 'COM1', 'COM2', 'COM3', 'COM4', 'COM5', 'COM6', 'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9']);\\r\\nlet starttime = {TimeRange:grain};\\r\\nlet endtime = 1d;\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where TimeGenerated >= ago(endtime)\\r\\n| where isnotempty(SourceFileExtension)\\r\\n| where SourceFileName !~ SourceFileExtension\\r\\n| where SourceFileExtension in~ (Reserved) or SourceFileName in~ (Reserved)\\r\\n| where UserAgent !has \\\"Mac OS\\\" \\r\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName, SourceFileExtension \\r\\n| join kind= leftanti (\\r\\n OfficeActivity\\r\\n | where TimeGenerated between (ago(starttime)..ago(endtime))\\r\\n | where isnotempty(SourceFileExtension)\\r\\n | where SourceFileName !~ SourceFileExtension\\r\\n | where SourceFileExtension in~ (Reserved) or SourceFileName in~ (Reserved)\\r\\n | where UserAgent !has \\\"Mac OS\\\" \\r\\n | summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId), SourceFileName = make_set(SourceFileName), PrevSeenCount = count() by SourceFileExtension\\r\\n // To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\r\\n //| where PrevSeenCount > threshold\\r\\n | mvexpand SourceRelativeUrl, UserId, SourceFileName\\r\\n | extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId), SourceFileName = tostring(SourceFileName)\\r\\n )\\r\\n on 
SourceFileExtension\\r\\n| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])\\r\\n| extend UserIdUserFolderFormat = tolower(replace('@|\\\\\\\\.', '_', UserId))\\r\\n// identify when UserId is not a match to the specific site url personal folder reference\\r\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true, false) \\r\\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Operations = make_list(Operation), UserAgents = make_list(UserAgent), \\r\\n OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\r\\n by OfficeWorkload, RecordType, UserType, UserKey, UserId, ClientIP, Site_Url, SourceFileExtension, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\",\"size\":0,\"showAnalytics\":true,\"title\":\"Windows Reserved Filenames Staged on Office File Services\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"form
atter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results94\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results94\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where (Operation contains 'Forward') \\r\\n or (Parameters contains 'ForwardTo')\\r\\n| extend parsed=parse_json(Parameters)\\r\\n| extend fwdingDestination_initial = (iif(Operation =~ \\\"Set-Mailbox\\\", tostring(parsed[1].Value), tostring(parsed[2].Value)))\\r\\n| where isnotempty(fwdingDestination_initial)\\r\\n| extend fwdingDestination = iff(fwdingDestination_initial has \\\"smtp\\\", (split(fwdingDestination_initial, \\\":\\\")[1]), fwdingDestination_initial)\\r\\n| parse fwdingDestination with * '@' ForwardedtoDomain \\r\\n| parse UserId with *'@' UserDomain\\r\\n| extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]), '.', tostring(split(UserDomain, '.')[-1])), '.')[0]))\\r\\n| where ForwardedtoDomain !contains subDomain\\r\\n| extend Result = 
iff(ForwardedtoDomain != UserDomain, \\\"Mailbox rule created to forward to External Domain\\\", \\\"Forward rule for Internal domain\\\")\\r\\n| extend ClientIPAddress = case(ClientIP has \\\".\\\", tostring(split(ClientIP, \\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@'[[]', tostring(split(ClientIP, \\\"]\\\")[0]))), ClientIP)\\r\\n| extend Port = case(\\r\\n ClientIP has \\\".\\\", (split(ClientIP, \\\":\\\")[1]),\\r\\n ClientIP has \\\"[\\\", tostring(split(ClientIP, \\\"]:\\\")[1]),\\r\\n ClientIP\\r\\n )\\r\\n| summarize count() by UserId, fwdingDestination, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Email Forwarding\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"fwdingDestination\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatt
er\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results95\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results95\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Adjust this value to change how many teams a user is made owner of before detecting\\r\\nlet max_owner_count = 3;\\r\\n// Change this value to adjust how larger timeframe the query is run over.\\r\\nlet high_owner_count = (OfficeActivity\\r\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\r\\n | where Operation =~ \\\"MemberRoleChanged\\\"\\r\\n | extend Member = tostring(parse_json(Members)[0].UPN) \\r\\n | extend NewRole = toint(parse_json(Members)[0].Role) \\r\\n | where NewRole == 2\\r\\n | summarize dcount(TeamName) by Member\\r\\n | where dcount_TeamName > max_owner_count\\r\\n | project Member);\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\r\\n| where Operation =~ \\\"MemberRoleChanged\\\"\\r\\n| extend Member = tostring(parse_json(Members)[0].UPN) \\r\\n| extend NewRole = toint(parse_json(Members)[0].Role) \\r\\n| where 
NewRole == 2\\r\\n| where Member in (high_owner_count)\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Added as Owner of Multiple Teams\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"re
presentation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results98\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results98\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\r\\n// Only admin or global-admin can disable audit logging\\r\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\r\\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\r\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\r\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Exchange Audit Log 
Disabled\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results99\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results99\",\"styleS
ettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add Keywords for Emails as needed\\r\\nlet Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where Operation =~ \\\"New-InboxRule\\\"\\r\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" \\r\\n| extend Events=todynamic(Parameters)\\r\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords '}'*\\r\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords '}'*\\r\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords '}'*\\r\\n| where SubjectContainsWords has_any (Keywords)\\r\\n or BodyContainsWords has_any (Keywords)\\r\\n or SubjectOrBodyContainsWords has_any (Keywords)\\r\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\r\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\r\\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\\\\\')[-1]))\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Malicious Inbox Rule: Removing Helpdesk/Security Warning 
Emails\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results100\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results100\",\"styleS
ettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let opList = OfficeActivity \\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| summarize by Operation\\r\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\r\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\r\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\r\\n| summarize make_set(Operation);\\r\\nOfficeActivity\\r\\n// Only admin or global-admin can disable/remove policy\\r\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\r\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\r\\n// Pass in interesting Operation list\\r\\n| where Operation in~ (opList)\\r\\n| extend ClientIPOnly = case( \\r\\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\r\\nClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\r\\nClientIP\\r\\n) \\r\\n| extend Port = case(\\r\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\r\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\r\\nClientIP\\r\\n)\\r\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Office Policy 
Tampering\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results101\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results101\",\"sty
leSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isM365ActivityVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Office Activity Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"7afa304d-b448-4d6c-8c54-69e51a7249a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results46\",\"type\":1,\"query\":\"SigninLogs\\r\\n| where Location <> \\\"\\\"\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results46\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"e7de4575-c167-4818-8820-ec17513a02b2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results47\",\"type\":1,\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|extend errorCode = Status.errorCode\\r\\n|extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", 
errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\");\\r\\ndata\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| where IsInteractive == true\\r\\n| summarize Count = count() by SigninStatus\\r\\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\\r\\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\\r\\n on SigninStatus\\r\\n| project-away SigninStatus1, TimeGenerated\\r\\n| extend Status = SigninStatus\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count()\\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend SigninStatus = 'All Sign-ins', Status = '*' \\r\\n)\\r\\n| where SigninStatus <> \\\"All Sign-ins\\\"\\r\\n| 
limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results47\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"e62c1567-e61e-4acd-9731-d6a2c59bf3a0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results48\",\"type\":1,\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| where ResultType == 0 and AppDisplayName != \\\"\\\"\\r\\n| summarize count() by AppDisplayName\\r\\n| join (\\r\\nSigninLogs\\r\\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, 4h) by AppDisplayName \\r\\n) on AppDisplayName\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results48\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"48559d4f-7025-4580-b316-2134c07b7ad7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results49\",\"type\":1,\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| where IsInteractive == true\\r\\n| extend city_ = tostring(LocationDetails.city)\\r\\n| extend state_ = tostring(LocationDetails.state)\\r\\n| where state_ <> \\\"\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results49\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"88a39c54-0e1f-4f7f-b7f7-a3e798a26b4e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results51\",\"type\":1,\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize 
count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results51\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"08ed6d78-dbc0-4d10-84da-e37fae50ba4e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results52\",\"type\":1,\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| extend browser_ = tostring(DeviceDetail.browser)\\r\\n| extend operatingSystem_ = tostring(DeviceDetail.operatingSystem)\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results52\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"66899fa7-9a59-4fee-882c-3d182a726a49\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results53\",\"type\":1,\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in 
({UserPrincipalName})\\r\\n// Forces Log Analytics to recognize that the query should be run over full time range\\r\\n| extend locationString= strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", \\r\\n tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\r\\n| project TimeGenerated, AppDisplayName, UserPrincipalName, locationString \\r\\n// Create time series \\r\\n| make-series dLocationCount = dcount(locationString)\\r\\n on TimeGenerated\\r\\n step 1d\\r\\n by UserPrincipalName, AppDisplayName \\r\\n// Compute best fit line for each entry \\r\\n| extend (RSquare, Slope, Variance, RVariance, Interception, LineFit) = series_fit_line(dLocationCount) \\r\\n// Chart the 3 most interesting lines \\r\\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\r\\n| where UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results53\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"82dfffd6-7e78-4412-a69b-5d3d096a4e94\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results54\",\"type\":1,\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n// 50126 - Invalid username or password, or invalid on-premises username or 
password.\\r\\n// 50020? - The user doesn't exist in the tenant.\\r\\n| where ResultType in (\\\"50126\\\", \\\"50020\\\")\\r\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\r\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\r\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\r\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddresses = makeset(IPAddress), DistinctIPCount = dcount(IPAddress), \\r\\n makeset(OS), makeset(Browser), makeset(City), AttemptCount = count() \\r\\n by UserDisplayName, UserPrincipalName, AppDisplayName, ResultType, ResultDescription, StatusCode, StatusDetails, Location, State\\r\\n| where UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results54\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"3b974333-5ea4-4a64-9067-0d206e3d91fd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results55\",\"type\":1,\"query\":\"let failureCountThreshold = 5;\\r\\nlet successCountThreshold = 1;\\r\\nlet authenticationWindow = 20m;\\r\\nlet aadFunc = (tableName: string) {\\r\\n table(tableName)\\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n | extend DeviceDetail = todynamic(DeviceDetail), Status = 
todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\r\\n | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\r\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\r\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\r\\n // Split out failure versus non-failure types\\r\\n | extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\r\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\\r\\n make_set(State), make_set(Region), make_set(ResultType), FailureCount = countif(FailureOrSuccess == \\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess == \\\"Success\\\") \\r\\n by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\\r\\n | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\\r\\n | mvexpand IPAddress\\r\\n | extend IPAddress = tostring(IPAddress)\\r\\n };\\r\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\r\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\r\\nunion isfuzzy=true aadSignin, aadNonInt\\r\\n| where UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results55\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"6ae59cc4-9e9a-4392-b946-89e77025f3b3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results56\",\"type\":1,\"query\":\"let timeFrame = {TimeRange:grain};\\r\\nlet logonDiff = 1m;\\r\\nlet Success = SigninLogs \\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n | where TimeGenerated >= timeFrame \\r\\n | where ResultType == \\\"0\\\" \\r\\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\", \\\"Office 365 SharePoint Online\\\")\\r\\n | project SuccessLogonTime = TimeGenerated, UserPrincipalName, IPAddress, SuccessAppDisplayName = AppDisplayName;\\r\\nlet Fail = SigninLogs \\r\\n | where TimeGenerated >= timeFrame \\r\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\r\\n | where ResultDescription !~ \\\"Other\\\" \\r\\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\", \\\"Office 365 SharePoint Online\\\")\\r\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, IPAddress, FailedAppDisplayName = AppDisplayName, ResultType, ResultDescription;\\r\\nlet InitialDataSet = \\r\\n Success\\r\\n | join kind= inner (\\r\\n Fail\\r\\n )\\r\\n on UserPrincipalName, IPAddress \\r\\n | where isnotempty(FailedAppDisplayName)\\r\\n | where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff 
and SuccessAppDisplayName != FailedAppDisplayName;\\r\\nlet InitialHits = \\r\\n InitialDataSet\\r\\n | summarize FailedLogonTime = min(FailedLogonTime), SuccessLogonTime = min(SuccessLogonTime) \\r\\n by UserPrincipalName, SuccessAppDisplayName, FailedAppDisplayName, IPAddress, ResultType, ResultDescription;\\r\\n// Only take hits where there is 5 or less distinct AppDisplayNames on the success side as this limits highly active applications where failures occur more regularly\\r\\nlet Distribution =\\r\\n InitialDataSet\\r\\n | summarize count(SuccessAppDisplayName) by SuccessAppDisplayName, ResultType\\r\\n | where count_SuccessAppDisplayName <= 5;\\r\\nInitialHits\\r\\n| join (\\r\\n Distribution \\r\\n )\\r\\n on SuccessAppDisplayName, ResultType\\r\\n| project UserPrincipalName, SuccessLogonTime, IPAddress, SuccessAppDisplayName, FailedLogonTime, FailedAppDisplayName, ResultType, ResultDescription \\r\\n| where UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"0\",\"name\":\"Results56\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"b297d67a-c87f-469d-b50a-df226179f729\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results57\",\"type\":1,\"query\":\"let signIns = SigninLogs\\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n | extend locationString= 
strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\",\\r\\n tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]))\\r\\n | where locationString != \\\"//\\\" \\r\\n // filter out signins associated with top 100 signin locations \\r\\n | join kind=anti (\\r\\n SigninLogs\\r\\n | extend locationString= strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", \\r\\n tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]))\\r\\n | where locationString != \\\"//\\\"\\r\\n | summarize count() by locationString\\r\\n | order by count_ desc\\r\\n | take 100)\\r\\n on locationString; // TODO - make this threshold percentage-based\\r\\n// We will perform a time window join to identify signins from multiple locations within a 10-minute period\\r\\nlet lookupWindow = 10m;\\r\\nlet lookupBin = lookupWindow / 2.0; // lookup bin = equal to 1/2 of the lookup window\\r\\nsignIns \\r\\n| project-rename Start=TimeGenerated \\r\\n| extend TimeKey = bin(Start, lookupBin)\\r\\n| join kind = inner (\\r\\n signIns \\r\\n | project-rename End=TimeGenerated, EndLocationString=locationString \\r\\n // TimeKey on the right side of the join - emulates this authentication appearing several times\\r\\n | extend TimeKey = range(bin(End - lookupWindow, lookupBin),\\r\\n bin(End, lookupBin), lookupBin)\\r\\n | mvexpand TimeKey to typeof(datetime) // translate TimeKey arrange range to a column\\r\\n )\\r\\n on Identity, TimeKey\\r\\n| where End > Start\\r\\n| project timeSpan = End - Start, Identity, locationString, EndLocationString, tostring(Start), tostring(End), UserPrincipalName\\r\\n| where locationString != EndLocationString\\r\\n| summarize by timeSpan, Identity, locationString, EndLocationString, Start, End, UserPrincipalName\\r\\n| where UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", 
\\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results57\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"909d0019-23cb-43ad-8285-9f1dca1cd1be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results58\",\"type\":1,\"query\":\"let IP_Data = (externaldata(network: string)\\r\\n [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/VPS_Networks.csv\\\"] with (format=\\\"csv\\\"));\\r\\nSigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| where ResultType == 0\\r\\n| extend additionalDetails = tostring(Status.additionalDetails)\\r\\n| evaluate ipv4_lookup(IP_Data, IPAddress, network, return_unmatched = false)\\r\\n| summarize make_set(additionalDetails), min(TimeGenerated), max(TimeGenerated) by IPAddress, UserPrincipalName\\r\\n// Uncomment the remaining lines to only see logons from VPS providers with token only logons.\\r\\n//| where array_length(set_additionalDetails) == 2\\r\\n//| where (set_additionalDetails[1] == \\\"MFA requirement satisfied by claim in the token\\\" and set_additionalDetails[0] == \\\"MFA requirement satisfied by claim provided by external provider\\\") or (set_additionalDetails[0] == \\\"MFA requirement satisfied by claim in the token\\\" and set_additionalDetails[1] == \\\"MFA requirement satisfied by claim provided by external provider\\\")\\r\\n| where UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize 
count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Results58\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d345cda2-03ae-4e98-a859-60e04b4f3750\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"blankspace\",\"type\":1,\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 27\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Sign-Ins (Entra ID)](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins)\\n---\\n\\nThis section provides visibility into **user authentication events and access patterns**, supporting GDPR requirements for **integrity and confidentiality of personal data (Art. 5(1)(f))** and **security of processing (Art. 32)**. Monitoring sign-ins helps ensure that only authorized individuals access systems processing personal data, and that suspicious authentication activity is detected quickly. 
\\n\\nKey objectives of this section: \\n- Track **sign-ins by geolocation and over time** to spot unusual or high-risk access locations \\n- Monitor **failed sign-in attempts and brute-force activity** to identify potential account compromise \\n- Detect **anomalous patterns** such as cross-application anomalies, sign-in bursts, or VPN-based logins \\n- Review **application and client usage trends** to confirm that personal data is accessed only through approved channels \\n- Provide auditors with evidence of **access control enforcement and monitoring** \\n\\nBy analyzing these metrics, analysts can verify that **access to personal data is properly secured**, and that the enterprise maintains the ability to **detect, investigate, and remediate suspicious sign-in activity** in line with GDPR obligations.\\n\\n\\n\\n\"},\"name\":\"text - 2\"}]},\"customWidth\":\"40\",\"name\":\"group - 32\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 29\"},{\"type\":1,\"content\":{\"json\":\"| Sign-Ins (Entra ID) | - | - |\\r\\n|:--| :--| :--| \\r\\n| Sign-Ins by Geolocation | Authentication Details | Sign-In Locations Over Time |\\r\\n| Sign-Ins Count By Application Name | Applications Access Count By Users | Client Application Count by Users |\\r\\n| Anomalous Sign-in & App Access | Entra ID Failed Sign-in Attempts | Entra ID Brute Force Sign-in Attempts |\\r\\n|Cross-App Sign-in Anomaly (Success then Failure) | Sign-In Burst From Multiple Locations | Sign-in From VPN |\\r\\n\\r\\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range and User. 
Only panels with data are shown.\"},\"customWidth\":\"40\",\"name\":\"SI OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where Location <> \\\"\\\"\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\\r\\n| extend city_ = tostring(LocationDetails.city)\\r\\n| project latitude_,longitude_,city_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Sign-Ins by Geolocation\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results46\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results46\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|extend errorCode = toint(Status.errorCode)\\r\\n| extend SigninStatus = case(\\r\\n errorCode == 0, \\\"Success\\\",\\r\\n errorCode in 
(50055,50058,50072,50074,50125,50127,50129,50140,50143,50144,51006,52004,65001,16000,16001,16003,81010,81012,81014), \\\"Pending user action\\\",\\r\\n \\\"Failure\\\"\\r\\n);\\r\\ndata\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| where IsInteractive == true\\r\\n| summarize Count = count() by SigninStatus\\r\\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\\r\\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\\r\\n on SigninStatus\\r\\n| project-away SigninStatus1, TimeGenerated\\r\\n| extend Status = SigninStatus\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count()\\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend SigninStatus = 'All Sign-ins', Status = '*' \\r\\n)\\r\\n| where SigninStatus <> \\\"All Sign-ins\\\"\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Authentication 
Details\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"info\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results47\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results47\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| where IsInteractive == true\\r\\n| extend city_ = tostring(LocationDetails.city)\\r\\n| extend state_ = tostring(LocationDetails.state)\\r\\n| where state_ <> \\\"\\\"\\r\\n| make-series count() default=0 on TimeGenerated from 
{TimeRange:start} to {TimeRange:end} step 1d by state_\\r\\n| render timechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sign-In Locations Over Time\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"conditionalVisibil
ity\":{\"parameterName\":\"Results49\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results49\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| where ResultType == 0 and AppDisplayName != \\\"\\\"\\r\\n| summarize count() by AppDisplayName\\r\\n| join (\\r\\nSigninLogs\\r\\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, 4h) by AppDisplayName \\r\\n) on AppDisplayName\\r\\n| top 10 by count_ desc\",\"size\":4,\"showAnalytics\":true,\"title\":\"Sign-Ins Count By Application Name\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"info\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"AppDisplayName\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"TrendList\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"AppDisplayName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locI
nfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"conditionalVisibility\":{\"parameterName\":\"Results48\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results48\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize Count=count() by UserPrincipalName, AppDisplayName\\r\\n| sort by Count desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Applications Access Count By Users\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AppDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"trendup\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"IPAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\
"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results51\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results51\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| extend Browser = tostring(DeviceDetail.browser)\\r\\n| extend OperatingSystem = tostring(DeviceDetail.operatingSystem)\\r\\n| summarize Count=count() by UserPrincipalName, Browser, OperatingSystem\\r\\n| sort by Count desc\\r\\n| limit 250\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Client Application Count by 
Users\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserAgent\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"1\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ClientAppUsed\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"trenddown\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AppDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"trendup\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IPAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results52\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results52\",\"styleSettings\":{\"maxWid
th\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n// Forces Log Analytics to recognize that the query should be run over full time range\\r\\n| extend locationString= strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", \\r\\n tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\r\\n| project TimeGenerated, AppDisplayName, UserPrincipalName, locationString \\r\\n// Create time series \\r\\n| make-series dLocationCount = dcount(locationString)\\r\\n on TimeGenerated\\r\\n step 1d\\r\\n by UserPrincipalName, AppDisplayName \\r\\n// Compute best fit line for each entry \\r\\n| extend (RSquare, Slope, Variance, RVariance, Interception, LineFit) = series_fit_line(dLocationCount) \\r\\n// Filter for truly anomalous patterns:\\r\\n// - abs(Slope) > 0.5 → exclude stable users; keeps those with growing/shrinking location diversity\\r\\n// - Variance > 2 → exclude trivial fluctuations; ensures location counts are inconsistent\\r\\n// - RSquare > 0.5 → exclude poor fits; ensures the slope represents a real trend, not random noise\\r\\n| where abs(Slope) > 0.5 and Variance > 2 and RSquare > 0.5\\r\\n| project UserPrincipalName, AppDisplayName, Slope, Variance, RSquare\\r\\n| order by abs(Slope) desc\\r\\n| limit 50\",\"size\":0,\"showAnalytics\":true,\"title\":\"Anomalous Sign-in Location by User Account and Authenticating 
Application\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results53\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results53\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in 
({UserPrincipalName})\\r\\n// 50126 - Invalid username or password, or invalid on-premises username or password.\\r\\n// 50020 - The user doesn't exist in the tenant.\\r\\n// 50076 → MFA required but not satisfied\\r\\n// 50053 → Account locked due to repeated sign-in attempts\\r\\n| where ResultType in (\\\"50126\\\", \\\"50020\\\", \\\"50076\\\", \\\"50053\\\")\\r\\n| summarize Count=count() by UserPrincipalName, AppDisplayName\\r\\n| sort by Count desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Entra ID Failed Sign-in Attempts\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nod
eColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results54\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results54\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let failureCountThreshold = 5;\\r\\nlet successCountThreshold = 1;\\r\\nlet authenticationWindow = 20m;\\r\\nlet aadFunc = (tableName: string) {\\r\\n table(tableName)\\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n | extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\r\\n | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\r\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\r\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\r\\n // Split out failure versus non-failure types\\r\\n | extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\"), \\\"Success\\\", \\\"Failure\\\")\\r\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\\r\\n make_set(State), make_set(Region), make_set(ResultType), FailureCount = countif(FailureOrSuccess == \\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess == \\\"Success\\\") \\r\\n by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\\r\\n | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\\r\\n | mvexpand IPAddress\\r\\n | extend IPAddress = tostring(IPAddress)\\r\\n 
};\\r\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\r\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\r\\nunion isfuzzy=true aadSignin, aadNonInt\\r\\n| summarize AttemptWindows = count(), TotalFailures = sum(FailureCount), TotalSuccesses = sum(SuccessCount) by UserPrincipalName, AppDisplayName\\r\\n| order by AttemptWindows desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Entra ID Brute Force Sign-in Attempts\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\"
:[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results55\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results55\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let timeFrame = {TimeRange:grain};\\r\\nlet logonDiff = 1m;\\r\\nlet Success = SigninLogs \\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n | where TimeGenerated >= timeFrame \\r\\n | where ResultType == \\\"0\\\" \\r\\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\", \\\"Office 365 SharePoint Online\\\")\\r\\n | project SuccessLogonTime = TimeGenerated, UserPrincipalName, IPAddress, SuccessAppDisplayName = AppDisplayName;\\r\\nlet Fail = SigninLogs \\r\\n | where TimeGenerated >= timeFrame \\r\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\r\\n | where ResultDescription !~ \\\"Other\\\" \\r\\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\", \\\"Office 365 SharePoint Online\\\")\\r\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, IPAddress, FailedAppDisplayName = AppDisplayName, ResultType, ResultDescription;\\r\\nlet InitialDataSet = \\r\\n Success\\r\\n | join kind= inner (\\r\\n Fail\\r\\n )\\r\\n on UserPrincipalName, IPAddress \\r\\n | where isnotempty(FailedAppDisplayName)\\r\\n | where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and SuccessAppDisplayName != FailedAppDisplayName;\\r\\nlet InitialHits = \\r\\n InitialDataSet\\r\\n | summarize FailedLogonTime = min(FailedLogonTime), SuccessLogonTime = min(SuccessLogonTime) \\r\\n by UserPrincipalName, SuccessAppDisplayName, FailedAppDisplayName, IPAddress, ResultType, ResultDescription;\\r\\n// Only take hits where there is 5 or less distinct AppDisplayNames on 
the success side as this limits highly active applications where failures occur more regularly\\r\\nlet Distribution =\\r\\n InitialDataSet\\r\\n | summarize count(SuccessAppDisplayName) by SuccessAppDisplayName, ResultType\\r\\n | where count_SuccessAppDisplayName <= 5;\\r\\nInitialHits\\r\\n| join (\\r\\n Distribution \\r\\n )\\r\\n on SuccessAppDisplayName, ResultType\\r\\n| project UserPrincipalName, SuccessLogonTime, IPAddress, SuccessAppDisplayName, FailedLogonTime, FailedAppDisplayName, ResultType, ResultDescription \\r\\n| where UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName, SuccessAppDisplayName, FailedAppDisplayName\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cross-App Sign-in Anomaly (Success then Failure)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SuccessAppDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"FailedAppDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"failed\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",
\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results56\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results56\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let signIns = SigninLogs\\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n | extend locationString= strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\",\\r\\n tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]))\\r\\n | where locationString != \\\"//\\\" \\r\\n // filter out signins associated with top 100 signin locations \\r\\n | join kind=anti (\\r\\n SigninLogs\\r\\n | extend locationString= strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", \\r\\n tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]))\\r\\n | where locationString != \\\"//\\\"\\r\\n | summarize count() by locationString\\r\\n | order by count_ desc\\r\\n | take 100)\\r\\n on locationString; // TODO - make this threshold 
percentage-based\\r\\n// We will perform a time window join to identify signins from multiple locations within a 10-minute period\\r\\nlet lookupWindow = 10m;\\r\\nlet lookupBin = lookupWindow / 2.0; // lookup bin = equal to 1/2 of the lookup window\\r\\nsignIns \\r\\n| project-rename Start=TimeGenerated \\r\\n| extend TimeKey = bin(Start, lookupBin)\\r\\n| join kind = inner (\\r\\n signIns \\r\\n | project-rename End=TimeGenerated, EndLocationString=locationString \\r\\n // TimeKey on the right side of the join - emulates this authentication appearing several times\\r\\n | extend TimeKey = range(bin(End - lookupWindow, lookupBin),\\r\\n bin(End, lookupBin), lookupBin)\\r\\n | mvexpand TimeKey to typeof(datetime) // translate TimeKey arrange range to a column\\r\\n )\\r\\n on Identity, TimeKey\\r\\n| where End > Start\\r\\n| project timeSpan = End - Start, Identity, locationString, EndLocationString, tostring(Start), tostring(End), UserPrincipalName\\r\\n| where locationString != EndLocationString\\r\\n| summarize by timeSpan, Identity, locationString, EndLocationString, Start, End, UserPrincipalName\\r\\n| where UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName, locationString, EndLocationString\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sign-In Burst From Multiple 
Locations\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results57\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results57\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IP_Data = (externaldata(network: string)\\r\\n 
[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/VPS_Networks.csv\\\"] with (format=\\\"csv\\\"));\\r\\nSigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| where ResultType == 0\\r\\n| extend additionalDetails = tostring(Status.additionalDetails)\\r\\n| evaluate ipv4_lookup(IP_Data, IPAddress, network, return_unmatched = false)\\r\\n| summarize count() by UserPrincipalName, AppDisplayName, network\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sign-Ins From VPNs\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Loca
tion\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results58\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results58\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isSignInsVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Sign-Ins\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"658caef7-b6e6-4d04-92be-b7ff5cc8910e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results103\",\"type\":1,\"query\":\"let action = dynamic([\\\"change \\\", \\\"changed \\\", \\\"reset \\\"]);\\r\\nlet pWord = dynamic([\\\"password \\\", \\\"credentials \\\"]);\\r\\n(union isfuzzy=true\\r\\n (SecurityEvent\\r\\n | where EventID in (4723, 4724)\\r\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(Activity), ActionCount = count() by Resource = Computer, OperationName = strcat(\\\"TargetAccount: \\\", TargetUserName), UserId = Account, Type\\r\\n ),\\r\\n (AuditLogs\\r\\n | where OperationName has_any (pWord) and OperationName has_any (action)\\r\\n | extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) \\r\\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName) \\r\\n | where ResultDescription != \\\"None\\\" \\r\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by OperationName = strcat(Category, \\\" - \\\", 
OperationName, \\\" - \\\", Result), Resource, UserId = TargetUserPrincipalName, Type\\r\\n | extend ResultDescriptions = tostring(ResultDescriptions)\\r\\n ),\\r\\n (OfficeActivity\\r\\n | where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\r\\n | extend ResultDescriptions = case(\\r\\n OfficeWorkload =~ \\\"AzureActiveDirectory\\\", tostring(ExtendedProperties),\\r\\n OfficeWorkload has_any (\\\"Exchange\\\", \\\"OneDrive\\\"), OfficeObjectId,\\r\\n RecordType) \\r\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescriptions), ActionCount = count() by Resource = OfficeWorkload, OperationName = strcat(Operation, \\\" - \\\", ResultStatus), IPAddress = ClientIP, UserId, Type\\r\\n ),\\r\\n (Syslog\\r\\n | where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\r\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(SyslogMessage), ActionCount = count() by Resource = HostName, OperationName = Facility, IPAddress = HostIP, ProcessName, Type\\r\\n ),\\r\\n (SigninLogs\\r\\n | where OperationName =~ \\\"Sign-in activity\\\" and ResultType has_any (\\\"50125\\\", \\\"50133\\\")\\r\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, \\\" - \\\", ResultType), IPAddress, UserId = UserPrincipalName, Type\\r\\n )\\r\\n)\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"0\",\"name\":\"Results103\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"e3a0cfd9-ab9d-479d-b355-f3db4d09b084\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results104\",\"type\":1,\"query\":\"// Extend this list with items to search for\\r\\nlet keywords = dynamic([\\\"password\\\", \\\"pwd\\\", \\\"creds\\\", \\\"credentials\\\", \\\"secret\\\"]);\\r\\n// To exclude key phrases or tables to exclude add to these lists\\r\\nlet table_exclusions = dynamic([\\\"AuditLogs\\\", \\\"SigninLogs\\\", \\\"LAQueryLogs\\\", \\\"SecurityEvent\\\"]);\\r\\nlet keyword_exclusion = dynamic([\\\"reset user password\\\", \\\"change user password\\\"]);\\r\\nLAQueryLogs\\r\\n| where RequestClientApp != 'Sentinel-General'\\r\\n| extend querytext_lower = tolower(QueryText)\\r\\n| where querytext_lower has_any(keywords)\\r\\n| project TimeGenerated, AADEmail, QueryText, RequestClientApp, RequestTarget, ResponseCode, ResponseRowCount, ResponseDurationMs, CorrelationId\\r\\n| extend timestamp = TimeGenerated, UserPrincipalName = AADEmail\\r\\n| join kind=leftanti (LAQueryLogs\\r\\n | where RequestClientApp != 'Sentinel-General'\\r\\n | extend querytext_lower = tolower(QueryText)\\r\\n | where QueryText has_any(table_exclusions) or querytext_lower has_any(keyword_exclusion))\\r\\n on CorrelationId\\r\\n | where UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"0\",\"name\":\"Results104\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4d0cfde6-5b30-4824-97bb-37487f260b0b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results105\",\"type\":1,\"query\":\"let recentWindow = 1d; // Accounts that logged in recently\\r\\nlet historyWindow = 30d; // Look back period for prior logins\\r\\nlet newAccountWindow = 7d; // Exclude accounts created in last 7 days\\r\\n// Step 1: Recent successful logins\\r\\nlet recentLogins = SigninLogs\\r\\n| where TimeGenerated >= ago(recentWindow)\\r\\n| where ResultType == 0\\r\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), loginCountRecent = count() \\r\\n by UserPrincipalName, Identity;\\r\\n// Step 2: Exclude accounts that had successful logins in the historical period\\r\\nlet historicalLogins = SigninLogs\\r\\n| where TimeGenerated between (ago(historyWindow) .. 
ago(recentWindow))\\r\\n| where ResultType == 0\\r\\n| summarize by UserPrincipalName, Identity;\\r\\nlet dormantLogins = recentLogins\\r\\n| join kind=leftanti (historicalLogins) on UserPrincipalName;\\r\\n// Step 3: Exclude newly created accounts\\r\\nlet newAccounts = AuditLogs\\r\\n| where TimeGenerated >= ago(newAccountWindow)\\r\\n| where OperationName == \\\"Add user\\\"\\r\\n| extend NewUserPrincipalName = tolower(extractjson(\\\"$.userPrincipalName\\\", tostring(TargetResources[0]), typeof(string)));\\r\\ndormantLogins\\r\\n| join kind=leftanti (newAccounts) on $left.UserPrincipalName == $right.NewUserPrincipalName\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"0\",\"name\":\"Results105\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4f1e1636-66f4-42ab-ba63-f0046df90e09\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results107\",\"type\":1,\"query\":\"let current = 1d;\\r\\nlet auditLookback = {TimeRange:grain};\\r\\nlet propertyIgnoreList = dynamic([\\\"TargetId.UserType\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"LastDirSyncTime\\\", \\\"DeviceOSVersion\\\", \\\"CloudDeviceOSVersion\\\", \\\"DeviceObjectVersion\\\"]);\\r\\nlet AuditTrail = AuditLogs\\r\\n | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\\r\\n | where 
isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\r\\n | extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\r\\n | extend InitiatedByIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\r\\n | extend ModProps = TargetResources.[0].modifiedProperties\\r\\n | extend TargetUserPrincipalName = tolower(tostring(TargetResources.[0].userPrincipalName))\\r\\n | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\r\\n | mv-expand ModProps\\r\\n | extend PropertyName = tostring(ModProps.displayName), newValue = tostring(parse_json(tostring(ModProps.newValue))[0])\\r\\n | where PropertyName !in~ (propertyIgnoreList) and (PropertyName !~ \\\"Action Client Name\\\" and newValue !~ \\\"DirectorySync\\\") and (PropertyName !~ \\\"Included Updated Properties\\\" and newValue !~ \\\"LastDirSyncTime\\\")\\r\\n | summarize count() by OperationName, InitiatedByUser, InitiatedByIPAddress, TargetUserPrincipalName, PropertyName, TargetResourceName;\\r\\nlet AccountMods = AuditLogs \\r\\n | where TimeGenerated >= ago(current)\\r\\n | where isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\r\\n | extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\r\\n | extend InitiatedByIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\r\\n | extend ModProps = TargetResources.[0].modifiedProperties\\r\\n | extend TargetUserPrincipalName = tolower(tostring(TargetResources.[0].userPrincipalName))\\r\\n | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\r\\n | mv-expand ModProps\\r\\n | extend PropertyName = tostring(ModProps.displayName), newValue = tostring(parse_json(tostring(ModProps.newValue))[0])\\r\\n | where PropertyName !in~ (propertyIgnoreList) and (PropertyName !~ \\\"Action Client Name\\\" and newValue !~ \\\"DirectorySync\\\") and (PropertyName !~ 
\\\"Included Updated Properties\\\" and newValue !~ \\\"LastDirSyncTime\\\")\\r\\n | extend ModifiedProps = pack(\\\"PropertyName\\\", PropertyName, \\\"newValue\\\", newValue, \\\"Id\\\", Id, \\\"CorrelationId\\\", CorrelationId) \\r\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Activity = make_bag(ModifiedProps) by Type, InitiatedByUser, InitiatedByIPAddress, TargetUserPrincipalName, Category, OperationName, PropertyName, TargetResourceName;\\r\\nlet RareAudits = AccountMods\\r\\n | join kind= leftanti (\\r\\n AuditTrail \\r\\n )\\r\\n on OperationName, InitiatedByUser, InitiatedByIPAddress;//, TargetUserPrincipalName, PropertyName; //uncomment if you want to see Rare Property changes to a given TargetUserPrincipalName.\\r\\nRareAudits \\r\\n| summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), make_set(Activity), make_set(PropertyName) by Type, InitiatedByUser, InitiatedByIPAddress, OperationName, TargetUserPrincipalName, TargetResourceName\\r\\n| extend timestamp = StartTime, UserPrincipalName = InitiatedByUser, HostName = iff(set_PropertyName has_any ('DeviceOSType', 'CloudDeviceOSType'), TargetResourceName, '')\\r\\n| where UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project 
Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"0\",\"name\":\"Results107\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"75c81ac6-d658-48ee-85b0-8bce3559128a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results108\",\"type\":1,\"query\":\"let auditLookback = {TimeRange:grain};\\r\\n// Setting threshold to 3 as a default, change as needed. Any operation that has been initiated by a user or app more than 3 times in the past 30 days will be exluded\\r\\nlet threshold = 3;\\r\\n// Helper function to extract relevant fields from AuditLog events\\r\\nlet auditLogEvents = view (startTimeSpan: timespan) {\\r\\n AuditLogs\\r\\n | where TimeGenerated >= ago(auditLookback)\\r\\n | extend ModProps = TargetResources.[0].modifiedProperties\\r\\n | extend IpAddress = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)), \\r\\n tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))\\r\\n | extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\r\\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\r\\n | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\r\\n | mvexpand ModProps\\r\\n | extend PropertyName = tostring(ModProps.displayName), newValue = replace('\\\\\\\"', \\\"\\\", tostring(ModProps.newValue));\\r\\n};\\r\\n// Get just the InitiatedBy and CorrleationId so we 
can look at associated audit activity\\r\\n// 2 other operations that can be part of malicious activity in this situation are \\r\\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", replace the below if you are interested in those as starting points for OperationName\\r\\nlet HistoricalConsent = auditLogEvents(auditLookback) \\r\\n | where OperationName == \\\"Consent to application\\\"\\r\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() \\r\\n by Type, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, PropertyName, newValue, CorrelationId, Id\\r\\n// Remove comment below to only include operations initiated by a user or app that is above the threshold for the last 30 days\\r\\n//| where OperationCount > threshold\\r\\n;\\r\\nlet Correlate = HistoricalConsent \\r\\n | summarize by InitiatedBy, CorrelationId;\\r\\n// 2 other operations that can be part of malicious activity in this situation are \\r\\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", replace the below if you changed the starting OperationName above\\r\\nlet allOtherEvents = auditLogEvents(auditLookback) \\r\\n | where OperationName != \\\"Consent to application\\\";\\r\\n// Gather associated activity based on audit activity for \\\"Consent to application\\\" and InitiatedBy and CorrleationId\\r\\nlet CorrelatedEvents = Correlate \\r\\n | join allOtherEvents on InitiatedBy, CorrelationId\\r\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\r\\n by Type, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, PropertyName, newValue, CorrelationId, Id\\r\\n;\\r\\n// Union the results\\r\\nlet Results = union isfuzzy=true HistoricalConsent, CorrelatedEvents;\\r\\n// newValues that are simple semi-colon separated, make those dynamic for easy viewing and Aggregate into the PropertyUpdate set based on CorrelationId and 
Id(DirectoryId)\\r\\nResults\\r\\n| extend newValue = split(newValue, \\\";\\\")\\r\\n| extend PropertyUpdate = pack(PropertyName, newValue, \\\"Id\\\", Id)\\r\\n// Extract scope requested\\r\\n| extend perms = tostring(parse_json(tostring(PropertyUpdate.[\\\"ConsentAction.Permissions\\\"]))[0])\\r\\n| extend scope = extract('Scope:\\\\\\\\s*([^,\\\\\\\\]]*)', 1, perms)\\r\\n// Filter out some common openid, and low privilege request scopes - uncomment line below to filter out where no scope is requested\\r\\n//| where isnotempty(scope)\\r\\n| where scope !contains 'openid' and scope !in ('user_impersonation', 'User.Read')\\r\\n| summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), PropertyUpdateSet = make_bag(PropertyUpdate), make_set(scope)\\r\\n by InitiatedBy, IpAddress, TargetResourceName, OperationName, CorrelationId\\r\\n| extend timestamp = StartTime, UserPrincipalName = InitiatedBy\\r\\n| where UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"0\",\"name\":\"Results108\",\"styleSettings\":{\"maxWidth\":\"0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"d0f5e554-de83-438a-9c4a-be05649f8d1f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Results112\",\"type\":1,\"isRequired\":true,\"query\":\"(union isfuzzy=true\\r\\n(\\r\\nAuditLogs\\r\\n| extend UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\r\\n| where OperationName =~ \\\"Set federation 
settings on domain\\\"\\r\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\r\\n| mv-expand TargetResources\\r\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\r\\n| mv-expand modifiedProperties\\r\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\r\\n| mv-expand AdditionalDetails\\r\\n),\\r\\n(\\r\\nAuditLogs\\r\\n| where OperationName =~ \\\"Set domain authentication\\\"\\r\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\r\\n| mv-expand TargetResources\\r\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\r\\n| mv-expand modifiedProperties\\r\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\r\\n| where NewDomainValue has \\\"Federated\\\"\\r\\n))\\r\\n| where UserPrincipalName in ({UserPrincipalName})\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"No\\\", \\\"Yes\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Results112\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# 📝 [Audit Logs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs)\\n---\\n\\nThis section provides accountability and traceability for **administrative and user activities** across cloud services. It directly supports GDPR requirements for **records of processing activities (Art. 
30)**, **security of processing (Art. 32)**, and **accountability (Art. 5(2))** by ensuring that all actions related to personal data can be tracked, reviewed, and evidenced. \\n\\nKey objectives of this section: \\n- Detect **risky administrative actions** such as password resets, consent grants, or policy changes \\n- Identify **suspicious logins** from inactive accounts or unusual sources that may indicate misuse of personal data \\n- Monitor for **rare or unexpected audit events** that could signal attempts to bypass controls \\n- Provide a reliable record of **who accessed what, when, and with what privileges** \\n- Supply auditors with verifiable evidence of **control enforcement, activity logging, and retention** \\n\\nBy reviewing these metrics, analysts can confirm that **all processing activities are logged and monitored**, supporting GDPR requirements for transparency, oversight, and demonstrable compliance.\\n\"},\"name\":\"text - 2\"}]},\"customWidth\":\"40\",\"name\":\"group - 27\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 26\"},{\"type\":1,\"content\":{\"json\":\"| Audit Log (Entra ID)) | - | - |\\r\\n|:--| :--| :--|\\r\\n| Changing Passwords Across Multiple Cloud Accounts | Credential & Secret Search Activity by Users | Unexpected Logins From Inactive Accounts |\\r\\n| Rare Audit Activity Initiated |Suspicious Consent to Application Discovery |\\r\\n\\r\\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range and User. 
Only panels with data are shown.\"},\"customWidth\":\"40\",\"name\":\"SI OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let action = dynamic([\\\"change \\\", \\\"changed \\\", \\\"reset \\\"]);\\r\\nlet pWord = dynamic([\\\"password \\\", \\\"credentials \\\"]);\\r\\n(union isfuzzy=true\\r\\n (SecurityEvent\\r\\n | where EventID in (4723, 4724)\\r\\n | summarize\\r\\n StartTimeUtc = min(TimeGenerated),\\r\\n EndTimeUtc = max(TimeGenerated),\\r\\n ResultDescriptions = makeset(Activity),\\r\\n ActionCount = count()\\r\\n by\\r\\n Resource = Computer,\\r\\n OperationName = strcat(\\\"TargetAccount: \\\", TargetUserName),\\r\\n UserId = Account,\\r\\n Type\\r\\n ),\\r\\n (AuditLogs\\r\\n | where OperationName has_any (pWord) and OperationName has_any (action)\\r\\n | extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) \\r\\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName) \\r\\n | where ResultDescription != \\\"None\\\" \\r\\n | summarize\\r\\n StartTimeUtc = min(TimeGenerated),\\r\\n EndTimeUtc = max(TimeGenerated),\\r\\n ResultDescriptions = makeset(ResultDescription),\\r\\n CorrelationIds = makeset(CorrelationId),\\r\\n ActionCount = count()\\r\\n by\\r\\n OperationName = strcat(Category, \\\" - \\\", OperationName, \\\" - \\\", Result),\\r\\n Resource,\\r\\n UserId = TargetUserPrincipalName,\\r\\n Type\\r\\n | extend ResultDescriptions = tostring(ResultDescriptions)\\r\\n ),\\r\\n (OfficeActivity\\r\\n | where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\r\\n | extend ResultDescriptions = case(\\r\\n OfficeWorkload =~ \\\"AzureActiveDirectory\\\",\\r\\n tostring(ExtendedProperties),\\r\\n OfficeWorkload has_any (\\\"Exchange\\\", \\\"OneDrive\\\"),\\r\\n OfficeObjectId,\\r\\n RecordType\\r\\n ) \\r\\n | summarize\\r\\n StartTimeUtc = min(TimeGenerated),\\r\\n 
EndTimeUtc = max(TimeGenerated),\\r\\n ResultDescriptions = makeset(ResultDescriptions),\\r\\n ActionCount = count()\\r\\n by\\r\\n Resource = OfficeWorkload,\\r\\n OperationName = strcat(Operation, \\\" - \\\", ResultStatus),\\r\\n IPAddress = ClientIP,\\r\\n UserId,\\r\\n Type\\r\\n ),\\r\\n (Syslog\\r\\n | where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\r\\n | summarize\\r\\n StartTimeUtc = min(TimeGenerated),\\r\\n EndTimeUtc = max(TimeGenerated),\\r\\n ResultDescriptions = makeset(SyslogMessage),\\r\\n ActionCount = count()\\r\\n by\\r\\n Resource = HostName,\\r\\n OperationName = Facility,\\r\\n IPAddress = HostIP,\\r\\n ProcessName,\\r\\n Type\\r\\n ),\\r\\n (SigninLogs\\r\\n | where OperationName =~ \\\"Sign-in activity\\\" and ResultType has_any (\\\"50125\\\", \\\"50133\\\")\\r\\n | summarize\\r\\n StartTimeUtc = min(TimeGenerated),\\r\\n EndTimeUtc = max(TimeGenerated),\\r\\n ResultDescriptions = makeset(ResultDescription),\\r\\n CorrelationIds = makeset(CorrelationId),\\r\\n ActionCount = count()\\r\\n by\\r\\n Resource,\\r\\n OperationName = strcat(OperationName, \\\" - \\\", ResultType),\\r\\n IPAddress,\\r\\n UserId = UserPrincipalName,\\r\\n Type\\r\\n )\\r\\n)\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| summarize LogSource=make_set(Type), ActionCount=sum(ActionCount) by UserId\\r\\n| sort by ActionCount desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Changing Passwords Across Multiple Cloud 
Accounts\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results103\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results103\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Extend this list with items to search for\\r\\nlet keywords = dynamic([\\\"password\\\", \\\"pwd\\\", \\\"creds\\\", \\\"credentials\\\", \\\"secret\\\"]);\\r\\n// To exclude key phrases or tables to exclude add to these lists\\r\\nlet table_exclusions = dynamic([\\\"AuditLogs\\\", \\\"SigninLogs\\\", \\\"LAQueryLogs\\\", \\\"SecurityEvent\\\"]);\\r\\nlet keyword_exclusion = dynamic([\\\"reset user password\\\", \\\"change user password\\\"]);\\r\\nLAQueryLogs\\r\\n| where RequestClientApp != 'Sentinel-General'\\r\\n| extend querytext_lower = tolower(QueryText)\\r\\n| where 
querytext_lower has_any(keywords)\\r\\n| project TimeGenerated, AADEmail, QueryText, RequestClientApp, RequestTarget, ResponseCode, ResponseRowCount, ResponseDurationMs, CorrelationId\\r\\n| extend timestamp = TimeGenerated, Username = AADEmail\\r\\n| join kind=leftanti (LAQueryLogs\\r\\n | where RequestClientApp != 'Sentinel-General'\\r\\n | extend querytext_lower = tolower(QueryText)\\r\\n | where QueryText has_any(table_exclusions) or querytext_lower has_any(keyword_exclusion))\\r\\n on CorrelationId\\r\\n| where isnotempty(Username) and ResponseRowCount > 0\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or Username in ({UserPrincipalName})\\r\\n| summarize count() by Username\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Credential & Secret Search Activity by Users\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Username\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\"
,\"conditionalVisibility\":{\"parameterName\":\"Results104\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results104\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let recentWindow = 1d; // Accounts that logged in recently\\r\\nlet historyWindow = 30d; // Look back period for prior logins\\r\\nlet newAccountWindow = 7d; // Exclude accounts created in last 7 days\\r\\n// Step 1: Recent successful logins\\r\\nlet recentLogins = SigninLogs\\r\\n| where TimeGenerated >= ago(recentWindow)\\r\\n| where ResultType == 0\\r\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), loginCountRecent = count() \\r\\n by UserPrincipalName, Identity;\\r\\n// Step 2: Exclude accounts that had successful logins in the historical period\\r\\nlet historicalLogins = SigninLogs\\r\\n| where TimeGenerated between (ago(historyWindow) .. ago(recentWindow))\\r\\n| where ResultType == 0\\r\\n| summarize by UserPrincipalName, Identity;\\r\\nlet dormantLogins = recentLogins\\r\\n| join kind=leftanti (historicalLogins) on UserPrincipalName;\\r\\n// Step 3: Exclude newly created accounts\\r\\nlet newAccounts = AuditLogs\\r\\n| where TimeGenerated >= ago(newAccountWindow)\\r\\n| where OperationName == \\\"Add user\\\"\\r\\n| extend NewUserPrincipalName = tolower(extractjson(\\\"$.userPrincipalName\\\", tostring(TargetResources[0]), typeof(string)));\\r\\ndormantLogins\\r\\n| join kind=leftanti (newAccounts) on $left.UserPrincipalName == $right.NewUserPrincipalName\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Unexpected Logins From Inactive 
Accounts\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results105\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results105\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let current = 1d;\\r\\nlet auditLookback = {TimeRange:grain};\\r\\nlet propertyIgnoreList = dynamic([\\\"TargetId.UserType\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"LastDirSyncTime\\\", \\\"DeviceOSVersion\\\", \\\"CloudDeviceOSVersion\\\", \\\"DeviceObjectVersion\\\"]);\\r\\nlet AuditTrail = AuditLogs\\r\\n | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\\r\\n | where isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\r\\n | extend InitiatedByUser = 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\r\\n | extend InitiatedByIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\r\\n | extend ModProps = TargetResources.[0].modifiedProperties\\r\\n | extend TargetUserPrincipalName = tolower(tostring(TargetResources.[0].userPrincipalName))\\r\\n | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\r\\n | mv-expand ModProps\\r\\n | extend PropertyName = tostring(ModProps.displayName), newValue = tostring(parse_json(tostring(ModProps.newValue))[0])\\r\\n | where PropertyName !in~ (propertyIgnoreList) and (PropertyName !~ \\\"Action Client Name\\\" and newValue !~ \\\"DirectorySync\\\") and (PropertyName !~ \\\"Included Updated Properties\\\" and newValue !~ \\\"LastDirSyncTime\\\")\\r\\n | summarize count() by OperationName, InitiatedByUser, InitiatedByIPAddress, TargetUserPrincipalName, PropertyName, TargetResourceName;\\r\\nlet AccountMods = AuditLogs \\r\\n | where TimeGenerated >= ago(current)\\r\\n | where isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\r\\n | extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\r\\n | extend InitiatedByIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\r\\n | extend ModProps = TargetResources.[0].modifiedProperties\\r\\n | extend TargetUserPrincipalName = tolower(tostring(TargetResources.[0].userPrincipalName))\\r\\n | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\r\\n | mv-expand ModProps\\r\\n | extend PropertyName = tostring(ModProps.displayName), newValue = tostring(parse_json(tostring(ModProps.newValue))[0])\\r\\n | where PropertyName !in~ (propertyIgnoreList) and (PropertyName !~ \\\"Action Client Name\\\" and newValue !~ \\\"DirectorySync\\\") and (PropertyName !~ \\\"Included Updated Properties\\\" and newValue !~ \\\"LastDirSyncTime\\\")\\r\\n | extend ModifiedProps = 
pack(\\\"PropertyName\\\", PropertyName, \\\"newValue\\\", newValue, \\\"Id\\\", Id, \\\"CorrelationId\\\", CorrelationId) \\r\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Activity = make_bag(ModifiedProps) by Type, InitiatedByUser, InitiatedByIPAddress, TargetUserPrincipalName, Category, OperationName, PropertyName, TargetResourceName;\\r\\nlet RareAudits = AccountMods\\r\\n | join kind= leftanti (\\r\\n AuditTrail \\r\\n )\\r\\n on OperationName, InitiatedByUser, InitiatedByIPAddress;//, TargetUserPrincipalName, PropertyName; //uncomment if you want to see Rare Property changes to a given TargetUserPrincipalName.\\r\\nRareAudits \\r\\n| summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), make_set(Activity), make_set(PropertyName) by Type, InitiatedByUser, InitiatedByIPAddress, OperationName, TargetUserPrincipalName, TargetResourceName\\r\\n| extend StartTime, InitiatedByUser, Hostname = iff(set_PropertyName has_any ('DeviceOSType', 'CloudDeviceOSType'), TargetResourceName, ''), InitiatedByIPAddress\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or InitiatedByUser in ({UserPrincipalName})\\r\\n| distinct InitiatedByUser, OperationName, StartTime\\r\\n| sort by StartTime desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Rare Audit Activity 
Initiated\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"InitiatedByUser\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results107\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results107\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let auditLookback = {TimeRange:grain};\\r\\n// Setting threshold to 3 as a default, change as needed. 
Any operation that has been initiated by a user or app more than 3 times in the past 30 days will be exluded\\r\\nlet threshold = 3;\\r\\n// Helper function to extract relevant fields from AuditLog events\\r\\nlet auditLogEvents = view (startTimeSpan: timespan) {\\r\\n AuditLogs\\r\\n | where TimeGenerated >= ago(auditLookback)\\r\\n | extend ModProps = TargetResources.[0].modifiedProperties\\r\\n | extend IpAddress = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)), \\r\\n tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))\\r\\n | extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\r\\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\r\\n | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\r\\n | mvexpand ModProps\\r\\n | extend PropertyName = tostring(ModProps.displayName), newValue = replace('\\\\\\\"', \\\"\\\", tostring(ModProps.newValue));\\r\\n};\\r\\n// Get just the InitiatedBy and CorrleationId so we can look at associated audit activity\\r\\n// 2 other operations that can be part of malicious activity in this situation are \\r\\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", replace the below if you are interested in those as starting points for OperationName\\r\\nlet HistoricalConsent = auditLogEvents(auditLookback) \\r\\n | where OperationName == \\\"Consent to application\\\"\\r\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() \\r\\n by Type, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, PropertyName, newValue, CorrelationId, Id\\r\\n// Remove comment below to only include operations initiated by a user or app that is above the threshold for the last 30 days\\r\\n//| where OperationCount > 
threshold\\r\\n;\\r\\nlet Correlate = HistoricalConsent \\r\\n | summarize by InitiatedBy, CorrelationId;\\r\\n// 2 other operations that can be part of malicious activity in this situation are \\r\\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", replace the below if you changed the starting OperationName above\\r\\nlet allOtherEvents = auditLogEvents(auditLookback) \\r\\n | where OperationName != \\\"Consent to application\\\";\\r\\n// Gather associated activity based on audit activity for \\\"Consent to application\\\" and InitiatedBy and CorrleationId\\r\\nlet CorrelatedEvents = Correlate \\r\\n | join allOtherEvents on InitiatedBy, CorrelationId\\r\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\r\\n by Type, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, PropertyName, newValue, CorrelationId, Id\\r\\n;\\r\\n// Union the results\\r\\nlet Results = union isfuzzy=true HistoricalConsent, CorrelatedEvents;\\r\\n// newValues that are simple semi-colon separated, make those dynamic for easy viewing and Aggregate into the PropertyUpdate set based on CorrelationId and Id(DirectoryId)\\r\\nResults\\r\\n| extend newValue = split(newValue, \\\";\\\")\\r\\n| extend PropertyUpdate = pack(PropertyName, newValue, \\\"Id\\\", Id)\\r\\n// Extract scope requested\\r\\n| extend perms = tostring(parse_json(tostring(PropertyUpdate.[\\\"ConsentAction.Permissions\\\"]))[0])\\r\\n| extend scope = extract('Scope:\\\\\\\\s*([^,\\\\\\\\]]*)', 1, perms)\\r\\n// Filter out some common openid, and low privilege request scopes - uncomment line below to filter out where no scope is requested\\r\\n//| where isnotempty(scope)\\r\\n| where scope !contains 'openid' and scope !in ('user_impersonation', 'User.Read')\\r\\n| summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), PropertyUpdateSet = make_bag(PropertyUpdate), make_set(scope)\\r\\n by InitiatedBy, IpAddress, TargetResourceName, OperationName, 
CorrelationId\\r\\n| extend StartTime, InitiatedBy, IpAddress\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or InitiatedBy in ({UserPrincipalName})\\r\\n| summarize count() by InitiatedBy\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Suspicious Consent to Application Discovery\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Results108\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Results108\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAuditLogsVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Audit Logs Group\"}],\"fromTemplateId\":\"\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where 
type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"typeSettings\":{\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"value\":{\"durationMs\":1209600000}}],\"style\":\"pills\"},\"name\":\"Parameter 
Selectors\",\"id\":\"d5e93405-23b9-447d-be94-cf2a82e711ce\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [GDPR Compliance & Data Security Workbook for Microsoft Sentinel](https://learn.microsoft.com/en-us/compliance/regulatory/gdpr)\\n---\\n\\nWelcome to the **GDPR(General Data Protection Regulation) Compliance & Data Security Workbook for Microsoft Sentinel**. \\nThis workbook helps you **track, visualize and monitor GDPR related requirements** across your enterprise. \\nIt consolidates data from **Defender XDR, Microsoft Purview, Azure SQL Databases, Microsoft 365, UEBA and Entra ID solution.**\\n\\nUse this workbook to:\\n- 🔍 Monitor **GDPR and data-theft related alerts and incidents** across Microsoft Defender XDR \\n- 🗂 Gain visibility into **data classification and sensitivity labeling coverage** with Microsoft Purview\\n- 🗄 Detect **sensitive data queries, anomalous database activity, and unusual access patterns** in Azure SQL Databases\\n- ⚠ Investigate **identity risks, anomalous sign-ins, and insider behaviors** with Entra ID and UEBA \\n- 📝 Provide **clear audit evidence and compliance reports** across Microsoft 365 and related services\"},\"name\":\"text - 2\",\"id\":\"91af6d50-38e6-4e36-993a-88a2bb90ac4e\"}]},\"customWidth\":\"78\",\"name\":\"group - 5\",\"id\":\"18f9378c-bc7a-4e72-ba09-6ed0eb41d098\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"21\",\"name\":\"Microsoft Sentinel Logo\",\"id\":\"16eb8261-f3d2-47be-8027-d3c03b0bcba7\"},{\"type\":1,\"content\":{\"json\":\"We’d love to hear your feedback! Share it with us [Here](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR5vpbw39GIlPr6oh7FnjxTFUOVhBOFowTFlaT1pOSTAxVDdRT1pIUDlINy4u). 
\",\"style\":\"upsell\"},\"name\":\"text - 1\",\"id\":\"c369fd4b-c2d5-4d96-96ee-3f54f2487829\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"ac6f7462-59ff-4d82-86b0-0a6eccc35a51\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserPrincipalName\",\"label\":\"🔀 User Selector\",\"type\":2,\"description\":\"This filter applies to metrics derived from Microsoft 365, UEBA, and Entra ID data sources.\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n| summarize by UserPrincipalName \",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"key\":\"ac6f7462-59ff-4d82-86b0-0a6eccc35a51\",\"crossComponentResources\":[\"{Workspace}\"]}],\"style\":\"pills\"},\"name\":\"User Selector Parameter - Copy\",\"id\":\"315edf6e-917e-40cb-814a-3a60590685c5\"},{\"type\":1,\"content\":{\"json\":\"✅ **How to use this workbook** \\r\\n\\r\\nSelect one or more checkboxes below to display the GDPR relevant metrics for the corresponding source (e.g., Security Alerts, Purview, SQL, Microsoft 365).\\r\\n\"},\"name\":\"text - 16\",\"id\":\"0eaf3675-1559-40ce-b287-817fe0b7b5a2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"Getting Started\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Help\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"Security Alerts and Incidents (6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SecurityAlerts\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"Data Loss Prevention (7)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DLP\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"Purview Logs (8)\\\\\\\", 
\\\\\\\"tab\\\\\\\": \\\\\\\"PurviewLogs\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"Azure SQL Databases (9)\\\\\\\", \\\\\\\"tab\\\\\\\":\\\\\\\"AzureSQLDatabases\\\\\\\"},\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"Microsoft 365 Activity (20)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"M365Activity\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"User & Entity Behavior Analytics (12)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"UEBA\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"Sign-Ins (12)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SignIns\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Data Sources\\\\\\\": \\\\\\\"Audit Logs (5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AuditLogs\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"tab2\"}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"Control Family 
\",\"styleSettings\":{\"showBorder\":true},\"id\":\"b7fc1698-a7e5-44ca-a2ac-aae677786a34\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cbb7a53e-ea3b-44e3-804e-734662e21144\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isHelpVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Help\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSecurityAlertsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SecurityAlerts\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9ade41e9-0382-49a7-847a-472bfb7e284b\"},{\"id\":\"17988544-c3d6-46c0-9645-2d1ce07d8655\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDLPVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DLP\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"0299a507-8d53-4e80-bc8c-e3aa12522bab\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPurviewLogsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\
"rightVal\":\"PurviewLogs\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}]},{\"id\":\"553d4aff-e76d-418b-9edf-7fdcdacb6e0f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAzureSQLDatabasesVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AzureSQLDatabases\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"f145d46a-1e01-49ff-99e7-87f6059ed960\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isM365ActivityVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"M365Activity\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUEBAVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"UEBA\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"70014e2e-d25a-4cca-b78d-b6063795d138\"},{\"id\":\"14403a6f-fb83-492a-bea3-941048e30bb7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSignInsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SignIns\",\"resultV
alType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}]},{\"id\":\"af09b9c4-3218-40de-8a1f-26f4a1c38a19\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAuditLogsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AuditLogs\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}]}],\"style\":\"pills\",\"doNotRunWhenHidden\":true},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\",\"id\":\"c4d06696-91ee-4436-823b-653fe23fcff4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## 📂 Workbook Structure\\r\\n\\r\\nThis workbook is organized into the following sections:\\r\\n\\r\\n| Section | Description |\\r\\n|---------|-------------|\\r\\n| 🚨 **Security Alerts & Incidents** | Investigate security Alerts & incidents from hosts and resources hosting personal data. |\\r\\n| 🛡 **Data Loss Prevention (DLP)** | Monitor sensitive data access, leaks, and geolocation-based usage. |\\r\\n| 🔍 **Purview Logs** | Discover and classify assets, monitor sensitivity labeling, and track data governance. |\\r\\n| 🗄 **Azure SQL Databases** | Detect anomalies and monitor classified data queries. |\\r\\n| 📂 **Microsoft 365 Activity** | Monitor sensitive document/email activity. |\\r\\n| 📊 **UEBA** | Analyze anomalous user & entity behaviors. |\\r\\n| 👤 **Sign-Ins (Entra ID)** | Track risky sign-ins and monitor identity compliance. |\\r\\n| 📝 **Audit Logs** | Provide accountability and traceability of administrative activities. 
|\\r\\n\"},\"customWidth\":\"40\",\"name\":\"text - 2\",\"id\":\"675977e9-69c6-41fb-9e6e-be5427707e91\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 12\",\"id\":\"177f13b3-3953-4067-94d8-6d2054a3e0b0\"},{\"type\":1,\"content\":{\"json\":\"## 🔗 Data Sources & Permissions\\r\\n\\r\\nEnsure the following data connectors are enabled and ingested into Microsoft Sentinel:\\r\\n\\r\\n### 📂 Data Governance\\r\\n- ✅ **Microsoft Purview** (data classification & sensitivity logs. PurviewDataSensitivityLogs table) \\r\\n- ✅ **Microsoft Purview Information Protection** (DLP, labels, document access. MicrosoftPurviewInformationProtection table) \\r\\n- ✅ **Azure SQL Databases** (classification & anomaly scores. AzureDiagnostics table)\\r\\n\\r\\n\\r\\n### 👤 Identity & Access\\r\\n- ✅ **Microsoft Entra ID** (Sign-ins. SigninLogs table) \\r\\n- ✅ **BehaviorAnalytics** (UEBA. BehaviorAnalytics table) \\r\\n\\r\\n### 🛡 Security Monitoring\\r\\n- ✅ **Microsoft 365** (Microsoft 365 activity. OfficeActivity table) \\r\\n- ✅ **SecurityAlert / SecurityIncident** (Microsoft Defender XDR. SecurityAlert and SecurityIncident tables) \\r\\n- ✅ **AuditLogs** (Entra ID administrative traceability. AuditLogs table) \\r\\n\\r\\n📘 [How to configure data connectors in Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/connect-data-sources)\\r\\n\"},\"customWidth\":\"40\",\"name\":\"text - 3\",\"id\":\"6230ed41-52b4-4edd-bf30-afd06880e9a1\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n\\r\\n### 1. Security Alerts and Incidents\\r\\n\\r\\nFrom the Azure portal, install the **[Microsoft Defender XDR](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-microsoft365defender)** solution via **Content Hub**. 
\\r\\nThen, enable the **Microsoft Defender XDR** data connector to stream security alerts and incidents from Defender products into Microsoft Sentinel. \\r\\nThese records populate the **`SecurityAlert`** and **`SecurityIncident`** tables. \\r\\n\\r\\n⚠️ **Important:** \\r\\nAll workbook metrics in this section use a **watchlist** to filter only alerts and incidents involving servers that host **personal data**. \\r\\nYou must configure this watchlist in Sentinel and populate it with the names of your personal data hosting servers.\\r\\n\\r\\n#### 📂 Sample Watchlist (GDPR_PersonalData_Assets)\\r\\n\\r\\n| HostName |\\r\\n|------------------------|\\r\\n| server1 |\\r\\n| server2 |\\r\\n| server3 |\\r\\n| server4 |\\r\\n\\r\\n1. Save the watchlist as a CSV or TXT file. \\r\\n2. In Sentinel → **Configuration > Watchlists**, create a new watchlist (e.g., `GDPR_PersonalData_Assets`). \\r\\n3. Upload the file and confirm `HostName` is recognized as the search key.\\r\\n\\r\\nThis allows you to: \\r\\n- Focus alerts and incidents on GDPR-relevant systems \\r\\n- Monitor attack tactics and timelines against personal data servers \\r\\n- Provide auditors with clear evidence of incident detection and response for regulated data \\r\\n\\r\\nAll **Security Alerts & Incidents** visuals in this workbook will only display events related to servers listed in this watchlist.\\r\\n\\r\\n📘 [Setup guide – Microsoft Defender XDR connector](https://learn.microsoft.com/azure/sentinel/connect-microsoft-365-defender) \\r\\n📘 [How to create and use watchlists](https://learn.microsoft.com/azure/sentinel/watchlists)\\r\\n\"},\"customWidth\":\"40\",\"name\":\"text - 6\",\"id\":\"9e389ac8-6990-426f-aedd-af37461062ea\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 5\",\"id\":\"c7c96c97-b9cc-4cc3-9293-9611fb0d4f02\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n\\r\\n### 2. 
Data Loss Prevention (Microsoft Purview Information Protection)\\r\\nFrom the Azure portal, install the **[Microsoft Purview Information Protection](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-mip)** solution via **Content Hub**. \\r\\nThen, enable the **Microsoft Purview Information Protection** data connector to ingest **sensitivity labeling and protection events** into the **`MicrosoftPurviewInformationProtection`** table. \\r\\nWith this configuration, you can: \\r\\n- Track **sensitivity label adoption and usage trends** \\r\\n- Monitor **labeled/protected documents and emails** across Microsoft 365 \\r\\n- Detect **label changes, downgrades, and policy enforcement outcomes** \\r\\n- Provide auditors with **evidence of applied protections on personal and sensitive data** \\r\\n\\r\\n📘 [Setup guide – Microsoft Purview Information Protection connector](https://learn.microsoft.com/azure/sentinel/connect-microsoft-purview)\\r\\n\\r\\n---\"},\"customWidth\":\"40\",\"name\":\"text - 4\",\"id\":\"cd2c259b-03d2-4bf3-a8a0-a6289dea0fd5\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n\\r\\n### 3. Microsoft Purview (Data Classification & Sensitivity Logs)\\r\\nFrom the Azure portal, install the **[Microsoft Purview](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-azurepurview)** solution via **Content Hub**. \\r\\nThen, configure the **Microsoft Purview** data connector to stream **Data Classification and Sensitivity scan events** into the **`PurviewDataSensitivityLogs`** table. 
\\r\\n\\r\\nWith this configuration, you can: \\r\\n- Discover **where personal and sensitive data resides** across your cloud resources \\r\\n- Monitor **assets with classifications and sensitivity labels** over time \\r\\n- Track **data types and categories** detected by Purview scans \\r\\n- Provide auditors with **an inventory of sensitive data processing** \\r\\n\\r\\n📘 [Setup guide – Microsoft Purview solution](https://learn.microsoft.com/azure/sentinel/purview-solution)\\r\\n\\r\\n---\"},\"customWidth\":\"40\",\"name\":\"text - 3\",\"id\":\"a1ca7950-9c13-48c7-9c78-19946837d5f4\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 10\",\"id\":\"db66e986-67be-42d5-a264-9daf26d25eb1\"},{\"type\":1,\"content\":{\"json\":\"\\r\\n### 4. Azure SQL Databases\\r\\nFrom the Azure portal, install the **[Azure SQL Database](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/sentinel4sql.sentinel4sql)** solution via **Content Hub**. \\r\\nThen, connect the **Azure SQL Databases** data connector to stream **audit and diagnostic logs** into Microsoft Sentinel. \\r\\nThese logs populate the **`AzureDiagnostics`** table (and SQL-specific audit tables if enabled). 
\\r\\n\\r\\nWith this configuration, you can: \\r\\n- Monitor **sensitive queries by label, information type, and principal** \\r\\n- Detect **anomalous activity and anomaly scores** across databases \\r\\n- Track **application and IP access to classified data** \\r\\n- Provide auditors with **evidence of monitoring structured personal data in SQL systems** \\r\\n\\r\\n📘 [Setup guide – Configure Azure SQL logging to Sentinel](https://learn.microsoft.com/azure/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure?view=azuresql&tabs=azure-portal)\\r\\n\\r\\n---\"},\"customWidth\":\"40\",\"name\":\"text - 8\",\"id\":\"6125e28b-3e64-4791-a849-6b72bc679ac0\"},{\"type\":1,\"content\":{\"json\":\"### 5. Microsoft 365 Activity\\r\\n\\r\\nFrom the Azure portal, install the **[Microsoft 365](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-office365)** solution via **Content Hub**. \\r\\nThen, enable the **Microsoft 365 (formerly Office 365)** data connector to stream **unified audit logs** into Microsoft Sentinel. \\r\\nThese logs populate the **`OfficeActivity`** table. \\r\\n\\r\\nWith this configuration, you can: \\r\\n- Monitor **user and administrator activity** across Exchange, SharePoint, OneDrive, and Teams \\r\\n- Detect **risky file sharing, mailbox access by non-owners, and suspicious admin operations** \\r\\n- Identify **unusual Teams or SharePoint activity** (e.g., mass deletions, uploads from unseen devices) \\r\\n- Provide auditors with a **comprehensive audit trail of data activity** in Microsoft 365 services\\r\\n\\r\\n---\"},\"customWidth\":\"40\",\"name\":\"text - 9\",\"id\":\"ae0b3116-8c12-4596-a9ba-ea3792d1562a\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 10\",\"id\":\"c1b6a6a4-6005-4d84-ac02-d1eb660d3ec0\"},{\"type\":1,\"content\":{\"json\":\"### 6. 
User & Entity Behavior Analytics (UEBA)\\r\\n\\r\\nFrom the Azure portal, enable **User and Entity Behavior Analytics (UEBA)** in Microsoft Sentinel settings. \\r\\nUEBA builds baselines of user and entity activities and writes enriched risk insights into the **`BehaviorAnalytics`** table.\\r\\n\\r\\nThis enables you to: \\r\\n- Detect anomalous behaviors across users and entities \\r\\n- Correlate activities across multiple data sources \\r\\n- Identify potential insider threats and compromised accounts \\r\\n\\r\\n📘 [Setup guide](https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics?tabs=azure)\\r\\n\\r\\n---\"},\"customWidth\":\"40\",\"name\":\"text - 11\",\"id\":\"b88796da-3135-492d-82b2-3840a82b5f10\"},{\"type\":1,\"content\":{\"json\":\"### 7. Sign-ins and Audit (Microsoft Entra ID)\\r\\n\\r\\nFrom the Azure portal, install the **[Microsoft Entra ID](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-azureactivedirectory)** solution via **Content Hub**. \\r\\nThen, enable the **Microsoft Entra ID (Sign-in, Audit Logs)** data connector to stream authentication events into Microsoft Sentinel. \\r\\n\\r\\nThese logs populate the **`SigninLogs`** and **`AuditLogs`** table and allow you to: \\r\\n- Monitor successful vs. 
failed sign-ins \\r\\n- Detect risky logins, brute-force attempts, and unusual geolocations \\r\\n- Investigate access patterns to applications and resources handling personal data\\r\\n- Monitor changes to users, groups, and applications \\r\\n- Track administrative actions such as role assignments, policy changes, and resource access grants \\r\\n- Provide a traceable record of identity-related activities for GDPR accountability \\r\\n\\r\\n📘 [Setup guide](https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory)\\r\\n\\r\\n---\"},\"customWidth\":\"40\",\"name\":\"text - 12\",\"id\":\"86a55421-827f-4516-8fc9-8a21e0d0d823\"}]},\"conditionalVisibility\":{\"parameterName\":\"isHelpVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Overview Group\",\"id\":\"ec55cc5d-0d5d-42dc-b6e4-27e80d1a761a\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# 🚨 [Security Alerts and Incidents](https://docs.microsoft.com/azure/sentinel/create-incidents-from-alerts)\\n---\\n\\nThis section consolidates security alerts and incidents that may involve systems storing or processing personal data. It supports GDPR obligations for **security of processing (Art. 32)**, **breach notification (Art. 33 & 34)**, and **accountability (Art. 5(2))** by ensuring that organizations can quickly detect, investigate, and respond to threats that impact personal data. 
\\n\\nKey objectives of this section: \\n- Track **security alerts involving personal data servers** to prioritize investigations of GDPR-relevant risks \\n- Monitor **alerts mapped to MITRE ATT&CK® tactics** to understand adversary techniques targeting personal data \\n- Review **incident counts and timelines** to measure responsiveness and compliance with breach notification requirements \\n- Provide auditors with documented evidence of **security monitoring, incident management, and remediation activities** \\n\\nBy analyzing these metrics, analysts can ensure that **personal data risks are rapidly identified and addressed**, and that the organization maintains the ability to **demonstrate incident response readiness** in alignment with GDPR.\"},\"customWidth\":\"40\",\"name\":\"text - 2\",\"id\":\"e449e876-adf0-4ed8-9b34-990e88d2db27\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 15\",\"id\":\"7a5fbda3-91b3-4caf-b291-f60d420d08f1\"},{\"type\":1,\"content\":{\"json\":\"| Security Alerts And Incidents | | |\\r\\n|:--| - | - |\\r\\n| Alerts Over Time for Personal Data Hosting Systems | Alerts Details | Alerts by MITRE ATT&CK® Tactics|\\r\\n| Security Incidents Over Time for Personal Data Hosting Systems | Security Incidents By Users |Security Incidents Details|\\r\\n\\r\\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, and Time range. 
Only panels with data are shown.\\r\\n\"},\"customWidth\":\"40\",\"name\":\"SI OV\",\"id\":\"47a7ebe8-e66b-4907-bd7e-1587df919719\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Load personal data servers from Sentinel watchlist\\r\\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\\r\\n | project HostName = tolower(HostName);\\r\\nSecurityAlert\\r\\n| mv-expand Entity = todynamic(Entities)\\r\\n| extend EntityType = tostring(Entity.Type)\\r\\n| extend HostName = iff(EntityType == \\\"host\\\",tolower(tostring(Entity.HostName)), \\\"\\\")\\r\\n| where HostName <> \\\"\\\"\\r\\n// Keep only alerts where HostName is in the watchlist\\r\\n| join kind=inner (PersonalDataServers) on HostName\\r\\n| extend DeviceName = HostName, AlertId = SystemAlertId\\r\\n| summarize by AlertId, AlertName, TimeGenerated\\r\\n| make-series Alerts = count() on TimeGenerated step 1d by AlertName\",\"size\":0,\"title\":\"Alerts Over Time for Personal Data Hosting Systems\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 1\",\"id\":\"9d62d7c6-10a1-4af0-9979-369d9e33d794\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Load personal data servers from Sentinel watchlist\\r\\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\\r\\n | project HostName = tolower(HostName);\\r\\nSecurityAlert\\r\\n| mv-expand Entity = todynamic(Entities)\\r\\n| extend EntityType = tostring(Entity.Type)\\r\\n| extend HostName = iff(EntityType == \\\"host\\\",tolower(tostring(Entity.HostName)), \\\"\\\")\\r\\n| where HostName <> \\\"\\\"\\r\\n// Keep only alerts where HostName is in the watchlist\\r\\n| join kind=inner (PersonalDataServers) on HostName\\r\\n| summarize \\r\\n AlertName = any(AlertName),\\r\\n AlertSeverity = any(AlertSeverity),\\r\\n DeviceNames = 
make_set(HostName,10),\\r\\n TimeGenerated = any(TimeGenerated)\\r\\n by AlertId = SystemAlertId, AlertLink\\r\\n | project-reorder AlertName, AlertSeverity, AlertLink, DeviceNames, TimeGenerated, AlertId\\r\\n| order by TimeGenerated desc\\r\\n| take 100\",\"size\":0,\"title\":\"Alerts Details\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Alert >>\"}}]},\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 2\",\"id\":\"eaaeb5d1-7508-487f-bde6-4abac6499f7c\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Load personal data servers from Sentinel watchlist\\r\\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\\r\\n | project HostName = tolower(HostName);\\r\\nSecurityAlert\\r\\n| mv-expand Entity = todynamic(Entities)\\r\\n| extend EntityType = tostring(Entity.Type)\\r\\n| extend HostName = iff(EntityType == \\\"host\\\",tolower(tostring(Entity.HostName)), \\\"\\\")\\r\\n| where HostName <> \\\"\\\"\\r\\n// Keep only alerts where HostName is in the watchlist\\r\\n| join kind=inner (PersonalDataServers) on HostName\\r\\n| summarize by Tactics, SystemAlertId\\r\\n| summarize Count=count() by Tactics\\r\\n| sort by Count desc\",\"size\":0,\"title\":\"Alerts by MITRE ATT&CK® Tactics\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Tactics\"},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},\"showBorder\":false},\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 
3\",\"id\":\"27cf741a-a485-4252-b5f8-0f899ce53a71\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Load personal data servers from Sentinel watchlist\\r\\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\\r\\n | project HostName = tolower(HostName);\\r\\nSecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | mv-expand AlertIds\\r\\n | extend AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"host\\\"\\r\\n | extend HostName = tolower(tostring(Entities.HostName))\\r\\n | where Entities[\\\"HostName\\\"] <> \\\"\\\"\\r\\n // Keep only alerts where HostName is in the watchlist\\r\\n | join kind=inner (PersonalDataServers) on HostName\\r\\n | extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\\r\\n | summarize DeviceNames = make_set(HostName,10), arg_max(TimeGenerated, *) by IncidentNumber\\r\\n | parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n | distinct Title, Severity, IncidentBlade, tostring(DeviceNames), TimeGenerated, IncidentNumber\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Title\\r\\n| render timechart\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents Over Time for Personal Data Hosting 
Systems\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"UserPrincipalName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",
\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results114e\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"71b6c24e-11e3-44e1-a95d-60e5e9ce2e1d\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Load personal data servers from Sentinel watchlist\\r\\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\\r\\n | project HostName = tolower(HostName);\\r\\nSecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | mv-expand AlertIds\\r\\n | extend AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | extend EntitiesSet = todynamic(Entities)\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"host\\\"\\r\\n | extend HostName = tolower(tostring(Entities.HostName))\\r\\n | where Entities[\\\"HostName\\\"] <> \\\"\\\"\\r\\n // Keep only alerts where HostName is in the watchlist\\r\\n | join kind=inner (PersonalDataServers) on HostName\\r\\n | extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\\r\\n | summarize DeviceNames = make_set(HostName,10), arg_max(TimeGenerated, *) by IncidentNumber\\r\\n | parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n | mv-expand todynamic(EntitiesSet)\\r\\n | extend Name = tostring(tolower(EntitiesSet[\\\"Name\\\"])), UPNSuffix = tostring(EntitiesSet[\\\"UPNSuffix\\\"])\\r\\n | extend UPN = iff(Name != \\\"\\\" and UPNSuffix != 
\\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n | where UPN <> \\\"\\\"\\r\\n | summarize count() by UPN\\r\\n | render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents by Users\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"repre
sentation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results113h\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"275db2b6-c99e-4b7c-b8ec-c98b009242dd\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Load personal data servers from Sentinel watchlist\\r\\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\\r\\n | project HostName = tolower(HostName);\\r\\nSecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | mv-expand AlertIds\\r\\n | extend AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where 
Entities[\\\"Type\\\"] =~ \\\"host\\\"\\r\\n | extend HostName = tolower(tostring(Entities.HostName))\\r\\n | where Entities[\\\"HostName\\\"] <> \\\"\\\"\\r\\n // Keep only alerts where HostName is in the watchlist\\r\\n | join kind=inner (PersonalDataServers) on HostName\\r\\n | extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\\r\\n | summarize DeviceNames = make_set(HostName,10), arg_max(TimeGenerated, *) by IncidentNumber\\r\\n | parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n | distinct Title, Severity, IncidentBlade, tostring(DeviceNames), TimeGenerated, IncidentNumber \\r\\n | sort by TimeGenerated desc\\r\\n | limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents Details\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Title\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLa
bel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"name\":\"Results153\",\"id\":\"499bd55a-968d-4bb1-8b52-661b99ea2af3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSecurityAlertsVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Security Alerts 
Group\",\"id\":\"648757c4-0b72-4b21-88f8-b6145c713e1f\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# 🛡 [Data Loss Prevention](https://docs.microsoft.com/microsoft-365/solutions/information-protection-deploy)\\n---\\n\\nThis section helps you monitor and control the **movement of sensitive and personal data**, directly supporting GDPR principles of **data protection by design (Art. 25)** and **security of processing (Art. 32)**. \\n\\nKey objectives of this section: \\n- Track **where sensitive data is accessed** and from which geolocations \\n- Detect and investigate **potential leaks or unauthorized transfers** of personal data \\n- Measure **label-based access patterns** (sensitivity labels applied through Microsoft Information Protection) \\n- Provide evidence of **preventive and detective controls** for GDPR audits \\n\\nBy monitoring these metrics, you can quickly identify risky behaviors such as **unusual data access locations**, **exfiltration attempts**, or **leak alerts**, and take corrective actions to protect personal data.\\n\"},\"customWidth\":\"40\",\"name\":\"text - 2\",\"id\":\"2b9f2765-146e-4b7b-a0ad-e27437dd6e0a\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 12\",\"id\":\"b9a4cebc-f973-4c1b-a146-6f6b099cd2f7\"},{\"type\":1,\"content\":{\"json\":\"| Data Loss Prevention | | |\\r\\n|:--| - | - |\\r\\n| Sensitive Label Access by Geolocations | Sensitive Label Access by Geolocation Details | Sensitive Data Alerts over Time|\\r\\n| Sensitive Data Alert Details | Data Access by Sensitivity Labels Over Time | Data Access by Sensitivity Label |\\r\\n|Sensitive Data Access Details|\\r\\n\\r\\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, and Time range. Only panels with data are shown. 
\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 13\",\"id\":\"055c492b-defb-4483-bd6d-9f960e128008\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MicrosoftPurviewInformationProtection\\r\\n| extend UserPrincipalName = UserId\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| where LabelName <> \\\"\\\"\\r\\n// 🔎 Filter out common or non-critical labels here (example excludes \\\"General\\\").\\r\\n// Update the list inside !in(...) and uncomment below line to exclude labels that are considered low-sensitivity in your org.\\r\\n// | where LabelName !in (\\\"General\\\")\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend State = tostring(LocationDetails.state)\\r\\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\\r\\n| project Location\",\"size\":3,\"showAnalytics\":true,\"title\":\"Sensitive Label Access by Geolocations\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"for
matter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\"}]}}},\"customWidth\":\"60\",\"name\":\"query - 12\",\"id\":\"fd6660f3-742e-4c91-ae48-c48dc42a67e0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MicrosoftPurviewInformationProtection\\r\\n| extend UserPrincipalName = UserId\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| where LabelName <> \\\"\\\"\\r\\n// 🔎 Filter out common or non-critical labels here (example excludes \\\"General\\\").\\r\\n// Update the list inside !in(...) 
and uncomment below line to exclude labels that are considered low-sensitivity in your org.\\r\\n// | where LabelName !in (\\\"General\\\")\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend State = tostring(LocationDetails.state)\\r\\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\\r\\n| summarize count() by UserPrincipalName, LabelName, City, State, Country_Region\\r\\n| sort by count_ desc\\r\\n| limit 100\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensitive Label Access by Geolocation Details\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LabelName_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"City\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Country_Region\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"
redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"turquoise\"}]}}},\"customWidth\":\"40\",\"name\":\"query - 12\",\"id\":\"9f11b289-afb2-4707-bf14-b0175f10974e\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = 
tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"]), UserPrincipalName = tostring(Entities[\\\"UserPrincipalName\\\"])\\r\\n | extend UPN = coalesce (UserPrincipalName, iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\"))\\r\\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\\r\\n| extend UserPrincipalName = UPN\\r\\n| where UserPrincipalName in ({UserPrincipalName})\\r\\n| distinct AlertName, ProductName, Status, AlertLink, UserPrincipalName, Tactics, TimeGenerated\\r\\n| where (AlertName contains \\\"sensitive\\\" or AlertName contains \\\"leak\\\" or AlertName contains \\\"theft\\\" or AlertName contains \\\"steal\\\" or AlertName contains \\\"PII\\\" or AlertName contains \\\"intellectual\\\" or AlertName contains \\\"confidential\\\" or AlertName contains \\\"spill\\\") or (Tactics contains \\\"exfil\\\")\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by AlertName\\r\\n| render timechart\",\"size\":0,\"title\":\"Sensitive Data Alerts over 
Time\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"name\":\"305\",\"id\":\"d17aebc0-23e9-4449-9b22-22e352e8d6a5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId 
= tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"]), UserPrincipalName = tostring(Entities[\\\"UserPrincipalName\\\"])\\r\\n | extend UPN = coalesce (UserPrincipalName, iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\"))\\r\\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\\r\\n| extend UserPrincipalName = UPN\\r\\n| where UserPrincipalName in ({UserPrincipalName})\\r\\n| distinct UserPrincipalName, AlertName, ProductName, Status, AlertLink, Tactics, TimeGenerated\\r\\n| where (AlertName contains \\\"sensitive\\\" or AlertName contains \\\"leak\\\" or AlertName contains \\\"theft\\\" or AlertName contains \\\"steal\\\" or AlertName contains \\\"PII\\\" or AlertName contains \\\"intellectual\\\" or AlertName contains \\\"confidential\\\" or AlertName contains \\\"spill\\\") or (Tactics contains \\\"exfil\\\")\\r\\n| sort by TimeGenerated desc\\r\\n| limit 100\",\"size\":0,\"title\":\"Sensitive Data Alert Details\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"name\":\"305b\",\"id\":\"fd8e2b0b-cfe9-4b5f-a8f3-0b62bab32389\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MicrosoftPurviewInformationProtection\\r\\n| where LabelName <> \\\"\\\"\\r\\n| extend UserPrincipalName = UserId\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| extend CommonProperties = parse_json(Common)\\r\\n| extend ApplicationName = tostring(CommonProperties.ApplicationName)\\r\\n| make-series count() default=0 on 
TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by LabelName, ApplicationName\\r\\n| render timechart\",\"size\":0,\"title\":\"Data Access by Sensitivity Labels Over Time\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"306a\",\"id\":\"f85c6d36-759e-4770-837d-bd9ae4fddd8b\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MicrosoftPurviewInformationProtection\\r\\n| where LabelName <> \\\"\\\"\\r\\n| extend UserPrincipalName = UserId\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n// 🔎 Filter out common or non-critical labels here (example excludes \\\"General\\\").\\r\\n// Update the list inside !in(...) 
and uncomment below line to exclude labels that are considered low-sensitivity in your org.\\r\\n// | where LabelName !in (\\\"General\\\")\\r\\n| summarize count() by LabelName\\r\\n| render piechart\",\"size\":0,\"title\":\"Data Access by Sensitivity Label\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"306b\",\"id\":\"6d80e906-b3f3-491a-bff1-05852909a393\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MicrosoftPurviewInformationProtection\\r\\n| where LabelName <> \\\"\\\"\\r\\n| extend UserPrincipalName = UserId\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| extend CommonProperties = parse_json(Common)\\r\\n| extend ApplicationName = tostring(CommonProperties.ApplicationName)\\r\\n| extend 
properties = parse_json(ProtectionEventData)\\r\\n| extend ProtectionOwner = tostring(properties.ProtectionOwner)\\r\\n| extend IsProtected = tostring(properties.IsProtected)\\r\\n| distinct UserId, LabelName, ApplicationName, Operation, IsProtected, Platform, ProtectionOwner, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 100\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensitive Data Access Details\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident >\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"name\":\"Results306c\",\"id\":\"9919f866-a43e-449e-b8aa-fe91397c95d5\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDLPVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DLP\",\"id\"
:\"c1402010-eaae-40d6-b550-74a4192db2b4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## 🔍 Purview Logs\\r\\n\\r\\nThis section provides visibility into the **classification and labeling of personal and sensitive data** across your Azure and Microsoft 365 environment. It directly supports GDPR principles of **lawfulness, fairness, transparency, and accountability (Art. 5)** as well as requirements for **records of processing activities (Art. 30)** and **data protection by design and by default (Art. 25)**. \\r\\n\\r\\nKey objectives of this section: \\r\\n- Track **classified Azure sources by region** to understand where personal data is stored and processed \\r\\n- Monitor the **volume and types of classified assets** across different resource types \\r\\n- Drill down to the **asset and file level** to validate that personal data is discovered and properly classified \\r\\n- Assess the application of **sensitivity labels** to ensure data is protected according to organizational policy \\r\\n- Provide auditors with clear evidence of **data inventory and classification coverage** \\r\\n\\r\\nBy reviewing these metrics, analysts can verify that **data discovery, classification, and labeling controls** are functioning as required, and quickly spot gaps where sensitive data may not be properly governed.\\r\\n\"},\"customWidth\":\"40\",\"name\":\"text - 12\",\"id\":\"e68610b7-947a-40d7-a979-96d8cb48bba3\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 13\",\"id\":\"694443a2-b1ac-443c-b19f-758195e96019\"},{\"type\":1,\"content\":{\"json\":\"| Purview Logs | | |\\r\\n|:--| - | - |\\r\\n| Classified Azure Sources by Region | Total Classified Assets by Resource Type | Select 'Data Source' below to view Assets Drilldown |\\r\\n| Assets Drilldown | Classifications by Asset Count and File Size |Classifications Drilldown- Asset Level|\\r\\n|Sensitivity 
Labels by Asset Count and File Size|Sensitivity Labels Drilldown- Asset Level|\\r\\n\\r\\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range, Purview Account, Source Collectiona and Resource Type. Only panels with data are shown.\\r\\n\"},\"customWidth\":\"40\",\"name\":\"text - 14\",\"id\":\"76aa6d4b-d4ab-4b2a-8267-1886d63cb40b\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"a5b9cb0c-6219-4782-a10d-1370a8a6edb4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PurviewAccount\",\"label\":\"Purview Account\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PurviewDataSensitivityLogs\\r\\n|distinct PurviewAccountName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"ea62a59c-3799-400d-a7af-f0ad14cc46c7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Collection\",\"label\":\"Source Collection\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\"\\r\\n| distinct SourceCollectionName \\r\\n| extend Collection = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\", SourceCollectionName)\\r\\n| project Collection\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"817265c3-f308-44e0-a24c-33dac7ee2c91\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DataSource\",\"label\":\"Resource 
Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\",\"delimiter\":\",\",\"query\":\"PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\"\\r\\n| distinct SourceType \",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\"},\"name\":\"parameters - 0\",\"id\":\"308895e1-dab9-42fa-8515-b24e7bdf997b\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let NumberofSourcesByRegion = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where SourceType contains \\\"Azure\\\"\\r\\n// GDPR filter: keep only sources with classification or sensitivity label\\r\\n| where array_length(todynamic(Classification)) > 0 or array_length(todynamic(SensitivityLabel)) > 0\\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| distinct SourcePath, SourceRegion\\r\\n| summarize AssetCount = count() by SourceRegion;\\r\\nNumberofSourcesByRegion\",\"size\":0,\"title\":\"Classified Azure Sources by 
Region\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"AzureLoc\",\"locInfoColumn\":\"SourceRegion\",\"sizeSettings\":\"AssetCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"AssetCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"AssetCount\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"id\":\"08c858ab-4c4c-482d-84b8-e915987804a2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MostRecentScanLogs = PurviewDataSensitivityLogs\\r\\n | where ActivityType == \\\"Classification\\\" \\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType ;\\r\\nlet AllAssets = MostRecentScanLogs\\r\\n | summarize AssetCount = count() by SourceType;\\r\\nlet ClassifiedAssets = MostRecentScanLogs\\r\\n | where Classification != \\\"[]\\\"\\r\\n | summarize AssetClassifiedCount = count() by SourceType;\\r\\nlet ClassifiedAssetsByResourceType = AllAssets\\r\\n | join kind= leftouter ClassifiedAssets on SourceType\\r\\n | extend AssetCount = strcat(AssetCount, \\\" assets found in total\\\")\\r\\n | project SourceType, AssetCount, AssetClassifiedCount;\\r\\nClassifiedAssetsByResourceType\",\"size\":0,\"title\":\"Total Classified Assets by Resource 
Type\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SourceType\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"AssetClassifiedCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"0\"}},\"secondaryContent\":{\"columnMatch\":\"AssetCount\"},\"showBorder\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"AssetClassifiedCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"AssetClassifiedCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"AssetClassifiedCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 25\",\"id\":\"a0ad7be5-354e-4cda-94aa-2f9c1fb7096a\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MostRecentScanLogs = PurviewDataSensitivityLogs\\r\\n | where ActivityType == \\\"Classification\\\"\\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName) \\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType ;\\r\\nlet AllAssets = MostRecentScanLogs\\r\\n| summarize AssetCount = count() by DataSource = SourcePath, SourceRegion, 
SourceType;\\r\\nlet ClassifiedAssets = MostRecentScanLogs\\r\\n| where Classification != \\\"[]\\\"\\r\\n| summarize AssetClassifiedCount = count() by DataSource = SourcePath, SourceRegion, SourceType;\\r\\nlet AssetsDrilldown = AllAssets\\r\\n| join kind= leftouter ClassifiedAssets on DataSource, SourceType\\r\\n| extend PathName = substring(DataSource, 1)\\r\\n| extend ClassifiedPercentage = round((100.0 * AssetClassifiedCount / AssetCount),1)\\r\\n| project DataSource, SourceRegion, SourceType, ClassifiedPercentage, AssetClassifiedCount, AssetCount, PathName;\\r\\nAssetsDrilldown\",\"size\":0,\"showAnalytics\":true,\"title\":\"Select 'Data Source' below to view Assets Drilldown\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"PathName\",\"exportParameterName\":\"UserSelectedDataSource\",\"exportDefaultValue\":\"All\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataSource\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"ClassifiedPercentage\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"},\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":1}}},{\"columnMatch\":\"AssetClassifiedCount\",\"formatter\":2,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"0\"}},{\"columnMatch\":\"AssetCount\",\"formatter\":2,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"PathName\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"SourceType\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"DataSource\",\"label\":\"Data Source\"},{\"columnId\":\"SourceRegion\",\"label\":\"Source Region\"},{\"columnId\":\"SourceType\",\"label\":\"Source 
Type\"},{\"columnId\":\"ClassifiedPercentage\",\"label\":\"% Classified\"},{\"columnId\":\"AssetClassifiedCount\",\"label\":\"Classified Assets\"},{\"columnId\":\"AssetCount\",\"label\":\"Total Assets\"},{\"columnId\":\"PathName\",\"label\":\"Source Path\"}]},\"sortBy\":[{\"itemKey\":\"SourceType\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true},\"id\":\"42ad81e8-292a-485c-87a5-01b7a19b19f9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MostRecentScanLogs = PurviewDataSensitivityLogs\\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | where \\\"{UserSelectedDataSource:label}\\\" == \\\"All\\\" or (SourcePath contains \\\"{UserSelectedDataSource:label}\\\")\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType ;\\r\\nlet ClassificationCounts = MostRecentScanLogs\\r\\n | where ActivityType == \\\"Classification\\\"\\r\\n | mv-expand Classification\\r\\n | summarize ClassificationCount= count(todynamic(Classification)) by AssetPath\\r\\n | project ClassificationCount, AssetPath;\\r\\nlet ClassifiedAssetsWithCounts = MostRecentScanLogs\\r\\n | where ActivityType == \\\"Classification\\\"\\r\\n | join kind= leftouter ClassificationCounts on AssetPath\\r\\n | summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, 
AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, Classification, ClassificationCount, ClassificationTrigger, ClassificationDetails, SourceScanId) by AssetPath ;\\r\\nlet LabeledAssets = MostRecentScanLogs\\r\\n | where ActivityType == \\\"Labeling\\\" \\r\\n | mv-expand SensitivityLabel to typeof(string)\\r\\n | where SensitivityLabel != int(null)\\r\\n | mv-expand SensitivityLabelDetails\\r\\n | summarize arg_max(SensitivityLabel, SourceType, SensitivityLabelTrigger, SensitivityLabelDetails) by AssetPath\\r\\n | project AssetPath, SensitivityLabel, SensitivityLabelTrigger, SensitivityLabelDetails;\\r\\nlet ClassificationCountWithSensitivityInformation = ClassifiedAssetsWithCounts\\r\\n | join kind= leftouter LabeledAssets on AssetPath\\r\\n | project\\r\\n TimeGenerated,\\r\\n PurviewTenantId,\\r\\n PurviewAccountName,\\r\\n PurviewRegion,\\r\\n AssetName,\\r\\n AssetPath,\\r\\n AssetType,\\r\\n AssetCreationTime,\\r\\n AssetModifiedTime,\\r\\n AssetLastScanTime,\\r\\n FileExtension,\\r\\n FileSize,\\r\\n ActivityType,\\r\\n ClassificationTrigger,\\r\\n Classification,\\r\\n ClassificationCount,\\r\\n ClassificationDetails,\\r\\n SensitivityLabelTrigger,\\r\\n SensitivityLabel,\\r\\n SensitivityLabelDetails,\\r\\n SourceName,\\r\\n SourceType,\\r\\n SourcePath,\\r\\n SourceSubscriptionId,\\r\\n SourceRegion,\\r\\n SourceCollectionName,\\r\\n SourceScanId\\r\\n | sort by ClassificationCount;\\r\\nClassificationCountWithSensitivityInformation\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets 
Drilldown\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":5},{\"columnMatch\":\"PurviewTenantId\",\"formatter\":5},{\"columnMatch\":\"PurviewAccountName\",\"formatter\":5},{\"columnMatch\":\"PurviewRegion\",\"formatter\":5},{\"columnMatch\":\"AssetName\",\"formatter\":5},{\"columnMatch\":\"AssetPath\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"AssetType\",\"formatter\":5},{\"columnMatch\":\"AssetCreationTime\",\"formatter\":5},{\"columnMatch\":\"AssetModifiedTime\",\"formatter\":5},{\"columnMatch\":\"AssetLastScanTime\",\"formatter\":5},{\"columnMatch\":\"FileExtension\",\"formatter\":5},{\"columnMatch\":\"FileSize\",\"formatter\":5},{\"columnMatch\":\"ActivityType\",\"formatter\":5},{\"columnMatch\":\"Classification\",\"formatter\":5},{\"columnMatch\":\"ClassificationCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"0\"}},{\"columnMatch\":\"ClassificationDetails\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelTrigger\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabel\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No 
Label\"}},{\"columnMatch\":\"SensitivityLabelDetails\",\"formatter\":5},{\"columnMatch\":\"SourceName\",\"formatter\":5},{\"columnMatch\":\"SourceType\",\"formatter\":5},{\"columnMatch\":\"SourcePath\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"SourceSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceRegion\",\"formatter\":5},{\"columnMatch\":\"SourceCollectionName\",\"formatter\":5},{\"columnMatch\":\"SourceScanId\",\"formatter\":5},{\"columnMatch\":\"PurviewSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceOwner\",\"formatter\":5},{\"columnMatch\":\"AssetOwner\",\"formatter\":5},{\"columnMatch\":\"ClassificationActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelGuid\",\"formatter\":5},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"ActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}}],\"rowLimit\":1000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"AssetPath\",\"label\":\"Asset Path\"},{\"columnId\":\"ClassificationCount\",\"label\":\"Classifications\"},{\"columnId\":\"SensitivityLabel\",\"label\":\"Sensitivity Label\"},{\"columnId\":\"SourcePath\",\"label\":\"Data Source\"}]}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true},\"id\":\"38d442dd-603b-4fa2-b740-39f84fd1fef6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MostRecentScanLogs = PurviewDataSensitivityLogs\\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" 
== \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where ActivityType == \\\"Classification\\\" \\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType;\\r\\nlet Classifications = MostRecentScanLogs\\r\\n| summarize arg_max(TimeGenerated, Classification, FileSize, AssetType) by AssetPath \\r\\n| extend classifications = split(Classification, ',')\\r\\n| mv-expand classifications\\r\\n| extend Classification = trim(@\\\"[^\\\\w]+\\\", tostring(classifications))\\r\\n| where Classification != \\\"\\\"\\r\\n| summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by Classification\\r\\n| project Classification, AssetCount, FileSize;\\r\\nClassifications\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Select 'Classification' below to view Classification Drilldown\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Classification\",\"exportParameterName\":\"UserSelectedClassification\",\"exportDefaultValue\":\"All\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Classification\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50ch\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No Classifications\"}},{\"columnMatch\":\"AssetCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"FileSize\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"25ch\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_AssetCount_1\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"AssetCount\",\"label\":\"Classified Asset 
Count\"},{\"columnId\":\"FileSize\",\"label\":\"Total Size of Files (MB)\"}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_AssetCount_1\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Size\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\",\"styleSettings\":{\"showBorder\":true},\"id\":\"012f6b86-fa7a-4bd4-be75-09debaeb9824\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MostRecentScanLogs = PurviewDataSensitivityLogs\\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where ActivityType == \\\"Classification\\\" \\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType;\\r\\nlet ClassificationsDrilldown = MostRecentScanLogs\\r\\n| extend classifications = split(Classification, ',')\\r\\n| mv-expand classifications\\r\\n| extend SelectedClassification = trim(@\\\"[^\\\\w]+\\\", tostring(classifications))\\r\\n| where SelectedClassification != \\\"\\\"\\r\\n| where \\\"{UserSelectedClassification:label}\\\" == \\\"All\\\" or (split(\\\"{UserSelectedClassification:label}\\\", \\\", \\\") contains SelectedClassification)\\r\\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, 
SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationTrigger, Classification, ClassificationDetails, SourceScanId) by AssetPath \\r\\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationTrigger, Classification, ClassificationDetails, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceScanId;\\r\\nClassificationsDrilldown\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Classifications Drilldown- Asset Level\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":5},{\"columnMatch\":\"PurviewTenantId\",\"formatter\":5},{\"columnMatch\":\"PurviewAccountName\",\"formatter\":5},{\"columnMatch\":\"PurviewRegion\",\"formatter\":5},{\"columnMatch\":\"AssetName\",\"formatter\":5},{\"columnMatch\":\"AssetPath\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70ch\"}},{\"columnMatch\":\"AssetType\",\"formatter\":5},{\"columnMatch\":\"AssetCreationTime\",\"formatter\":5},{\"columnMatch\":\"AssetModifiedTime\",\"formatter\":5},{\"columnMatch\":\"AssetLastScanTime\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"30ch\"}},{\"columnMatch\":\"FileExtension\",\"formatter\":5},{\"columnMatch\":\"FileSize\",\"formatter\":5},{\"columnMatch\":\"ActivityType\",\"formatter\":5},{\"columnMatch\":\"Classification\",\"formatter\":5},{\"columnMatch\":\"SourceName\",\"formatter\":5},{\"columnMatch\":\"SourceType
\",\"formatter\":5},{\"columnMatch\":\"SourcePath\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"SourceSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceRegion\",\"formatter\":5},{\"columnMatch\":\"SourceCollectionName\",\"formatter\":5},{\"columnMatch\":\"SourceScanId\",\"formatter\":5},{\"columnMatch\":\"PurviewSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceOwner\",\"formatter\":5},{\"columnMatch\":\"AssetOwner\",\"formatter\":5},{\"columnMatch\":\"ActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelGuid\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":5},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"AssetPath\",\"label\":\"Asset Path\"},{\"columnId\":\"AssetLastScanTime\",\"label\":\"Asset Last Scan Time\"},{\"columnId\":\"SourcePath\",\"label\":\"Data Source\"}]}},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"showBorder\":true},\"id\":\"871d8a2f-b10b-41b8-9e6a-7664c4b8a2a5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SensitivityLabels = PurviewDataSensitivityLogs\\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where ActivityType == \\\"Labeling\\\" \\r\\n | extend SensitivityLabel = iff(SensitivityLabel[0] == \\\"\\\", \\\"No Label\\\", SensitivityLabel[0])\\r\\n | extend Label = replace(@\\\"\\\\\\\\\\\", \\\"/\\\", 
SensitivityLabel)\\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType\\r\\n | summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by SensitivityLabel, Label\\r\\n | project SensitivityLabel, FileSize, AssetCount, Label\\r\\n | sort by AssetCount;\\r\\nSensitivityLabels\",\"size\":0,\"showAnalytics\":true,\"title\":\"Select 'Sensitivity Label' below to view Sensitivity Labels Drilldown\",\"showRefreshButton\":true,\"exportFieldName\":\"Label\",\"exportParameterName\":\"UserSelectedLabel\",\"exportDefaultValue\":\"All\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SensitivityLabel\",\"formatter\":1},{\"columnMatch\":\"FileSize\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"Label\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"SensitivityLabel\",\"label\":\"Sensitivity Label\"},{\"columnId\":\"FileSize\",\"label\":\"File Size\"},{\"columnId\":\"AssetCount\",\"label\":\"Asset Count\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"LabelCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 14 - 
Copy\",\"styleSettings\":{\"showBorder\":true},\"id\":\"1be9d25c-73ae-405a-b1b1-ab8015acaaa2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MostRecentScanLogs = PurviewDataSensitivityLogs\\r\\n | where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n | where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n | extend CollectionName = iff(SourceCollectionName == \\\"\\\", \\\"No Collection\\\", SourceCollectionName)\\r\\n | where ActivityType == \\\"Labeling\\\" \\r\\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType;\\r\\nlet LabelDrilldown = MostRecentScanLogs \\r\\n| extend SensitivityLabel = iff(SensitivityLabel[0] == \\\"\\\", \\\"No Label\\\", SensitivityLabel[0])\\r\\n| extend Label = replace(@\\\"\\\\\\\\\\\", \\\"/\\\", SensitivityLabel)\\r\\n| where \\\"{UserSelectedLabel:label}\\\" == \\\"All\\\" or \\\"{UserSelectedLabel:label}\\\" == Label\\r\\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, SensitivityLabelTrigger, SensitivityLabel, SensitivityLabelDetails, SourceScanId) by AssetPath \\r\\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, SensitivityLabelTrigger, SensitivityLabel, SensitivityLabelDetails, SourceName, SourceType, SourcePath, SourceSubscriptionId, 
SourceRegion, SourceCollectionName, SourceScanId;\\r\\nLabelDrilldown\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensitivity Labels Drilldown- Asset Level\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":5},{\"columnMatch\":\"PurviewTenantId\",\"formatter\":5},{\"columnMatch\":\"PurviewAccountName\",\"formatter\":5},{\"columnMatch\":\"PurviewRegion\",\"formatter\":5},{\"columnMatch\":\"AssetName\",\"formatter\":5},{\"columnMatch\":\"AssetPath\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70ch\"}},{\"columnMatch\":\"AssetType\",\"formatter\":5},{\"columnMatch\":\"AssetCreationTime\",\"formatter\":5},{\"columnMatch\":\"AssetModifiedTime\",\"formatter\":5},{\"columnMatch\":\"FileExtension\",\"formatter\":5},{\"columnMatch\":\"FileSize\",\"formatter\":5},{\"columnMatch\":\"ActivityType\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelTrigger\",\"formatter\":5,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No Label\"}},{\"columnMatch\":\"SensitivityLabel\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No Label\"}},{\"columnMatch\":\"SensitivityLabelDetails\",\"formatter\":5,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No 
Label\"}},{\"columnMatch\":\"SourceName\",\"formatter\":5},{\"columnMatch\":\"SourceType\",\"formatter\":5},{\"columnMatch\":\"SourcePath\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"SourceSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceRegion\",\"formatter\":5},{\"columnMatch\":\"SourceCollectionName\",\"formatter\":5},{\"columnMatch\":\"SourceScanId\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No Label\"}},{\"columnMatch\":\"PurviewSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceOwner\",\"formatter\":5},{\"columnMatch\":\"AssetOwner\",\"formatter\":5},{\"columnMatch\":\"ActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"Classification\",\"formatter\":5},{\"columnMatch\":\"ClassificationCount\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelGuid\",\"formatter\":5},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"AssetPath\",\"label\":\"Asset Path\"},{\"columnId\":\"AssetLastScanTime\",\"label\":\"Asset Last Scan Time\"},{\"columnId\":\"SensitivityLabel\",\"label\":\"Sensitivity Label\"},{\"columnId\":\"SourcePath\",\"label\":\"Source Path\"}]}},\"customWidth\":\"50\",\"name\":\"query - 13\",\"styleSettings\":{\"showBorder\":true},\"id\":\"73f6529f-81d8-4d05-a9ba-33542f45a365\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPurviewLogsVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Purview Logs\",\"id\":\"d1e10c67-1a56-4141-8643-b146e2de793c\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## 🗄 Azure SQL Databases\\r\\n\\r\\nThis section helps you monitor **access to classified and sensitive data stored in Azure SQL databases**. It supports GDPR requirements for **security of processing (Art. 
32)** and **data protection by design and by default (Art. 25)** by detecting anomalies, tracking access patterns, and providing evidence of safeguards around personal data. \\r\\n\\r\\nKey objectives of this section: \\r\\n- Identify **daily anomaly scores** to highlight unusual database activity that may indicate misuse or data exfiltration \\r\\n- Monitor **queries by sensitivity labels and information types** to ensure personal data is accessed only for legitimate purposes \\r\\n- Track **application and IP access** to classified data for accountability and traceability \\r\\n- Detect potential **privilege misuse or unauthorized access attempts** by reviewing query and principal activity over time \\r\\n- Provide auditors with proof of **continuous monitoring of database activity** against sensitive data assets \\r\\n\\r\\nBy analyzing these metrics, analysts can confirm that **personal data stored in databases is accessed appropriately**, and that monitoring controls are in place to detect and respond to suspicious or non-compliant activity.\\r\\n\"},\"customWidth\":\"40\",\"name\":\"text - 4\",\"id\":\"500010a5-5343-4165-928f-d72e02753646\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 5\",\"id\":\"b0f6f314-3466-4cf6-8bd0-08956bfd228a\"},{\"type\":1,\"content\":{\"json\":\"| Azure SQL Databases | | |\\r\\n|:--| - | - |\\r\\n| Daily anomaly scores, by database | Anomaly score over time for the selected database (from the list above) | Daily activity over time for the selected database (from the list above) |\\r\\n| Number of queries, by sensitivity label | Number of queries, by information type | Number of queries, by principal |\\r\\n|Number of queries, Details|Application access to classified data (by information type)|IP access to classified data (by information type)|\\r\\n\\r\\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range, Servers and Databases. 
Only panels with data are shown. \\r\\n\"},\"customWidth\":\"40\",\"name\":\"text - 6\",\"id\":\"6f509478-6d84-4c6a-9b4a-376e7c63394e\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"332be9fd-33ad-407e-843e-5f2c49a50b6a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Servers\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\\\"\",\"delimiter\":\",\",\"query\":\"where type == \\\"microsoft.sql/servers\\\"\\r\\n| project id=tolower(id)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"b4cc825f-166b-4929-916a-21b8073748c2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Databases\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"where type == \\\"microsoft.sql/servers/databases\\\"\\r\\n| project id=tolower(id)\\r\\n| extend serverName = split(id,'/databases/')[0]\\r\\n| where serverName in ({Servers})\\r\\n| project id\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]}],\"style\":\"pills\"},\"name\":\"parameters - 1\",\"id\":\"1842d085-362b-4a72-a2bd-0764e673eb71\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n| where ResourceType == \\\"SERVERS/DATABASES\\\"\\r\\n| where Category == \\\"SQLSecurityAuditEvents\\\"\\r\\n| where 
tolower(ResourceId) in ({Databases})\\r\\n| extend Database = strcat(LogicalServerName_s, '/', database_name_s)\\r\\n| summarize DailyCount = count() by ResourceId, Database, bin_at(TimeGenerated, 1d, now())\\r\\n| make-series metric = sum(DailyCount) on TimeGenerated in range({TimeRange:start}, now()-1d, 1d) by ResourceId, Database\\r\\n| extend series_decompose_anomalies(metric) // Anomaly detection\\r\\n| project ResourceId, Database, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\\r\\n| extend MaxAnomalyScore = AnomalyScore, MinAnomalyScore = AnomalyScore, AnomlyScoreTrend = AnomalyScore\\r\\n| mv-apply MaxAnomalyScore to typeof(real) on (top 1 by MaxAnomalyScore desc)\\r\\n| mv-apply MinAnomalyScore to typeof(real) on (top 1 by MinAnomalyScore asc)\\r\\n| mv-expand with_itemindex=Index AnomalyScore\\r\\n| where Index == array_length(DailyCounts)-1\\r\\n| project-away day, Index\\r\\n| extend AnomalyScoreAbs = abs(toreal(AnomalyScore))\\r\\n| extend WasAnomalous = iif(MaxAnomalyScore > 3 or MinAnomalyScore < -3, true, false)\\r\\n| extend Anomalous = iif(AnomalyScoreAbs > 3, true, false)\\r\\n| order by AnomalyScoreAbs desc\\r\\n\",\"size\":0,\"title\":\"Daily anomaly scores, by 
database\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"ResourceId\",\"exportParameterName\":\"SelectedResource\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DailyCounts\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"AnomalyScore\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"startsWith\",\"thresholdValue\":\"-\",\"representation\":\"trenddown\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"right\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"trendup\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"MaxAnomalyScore\",\"formatter\":1},{\"columnMatch\":\"MinAnomalyScore\",\"formatter\":5},{\"columnMatch\":\"AnomlyScoreTrend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyScoreAbs\",\"formatter\":5},{\"columnMatch\":\"WasAnomalous\",\"formatter\":1},{\"columnMatch\":\"Anomalous\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"name\":\"query - 1\",\"id\":\"5946edde-e778-4e10-938c-5922224c6395\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n| where ResourceType == \\\"SERVERS/DATABASES\\\"\\r\\n| where Category == \\\"SQLSecurityAuditEvents\\\"\\r\\n| where tolower(ResourceId) == tolower('{SelectedResource}')\\r\\n| summarize DailyCount = count() by ResourceId, bin_at(TimeGenerated, 1d, now())\\r\\n| make-series metric = sum(DailyCount) on TimeGenerated in range({TimeRange:start}, now()-1d, 1d) by ResourceId\\r\\n| extend series_decompose_anomalies(metric) // Anomaly detection\\r\\n| project ResourceId, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = 
series_decompose_anomalies_metric_ad_score\\r\\n\",\"size\":0,\"title\":\"Anomaly score over time for the selected database (from the list above)\",\"color\":\"orange\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"chartSettings\":{\"yAxis\":[\"AnomalyScore\"],\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"id\":\"4385bafc-f482-47ba-9a10-6301972f6d1e\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n| where ResourceType == \\\"SERVERS/DATABASES\\\"\\r\\n| where Category == \\\"SQLSecurityAuditEvents\\\"\\r\\n| where tolower(ResourceId) == tolower('{SelectedResource}')\\r\\n| summarize DailyCount = count() by ResourceId, bin_at(TimeGenerated, 1d, now())\\r\\n| make-series metric = sum(DailyCount) on TimeGenerated in range({TimeRange:start}, now()-1d, 1d) by ResourceId\\r\\n| extend series_decompose_anomalies(metric) // Anomaly detection\\r\\n| project ResourceId, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\\r\\n\",\"size\":0,\"title\":\"Daily activity over time for the selected database (from the list above)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"chartSettings\":{\"yAxis\":[\"DailyCounts\"],\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"id\":\"dafad3e9-f4ad-4643-adc1-d743c55f3f66\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics \\r\\n| where 
tolower(ResourceId) in ({Databases})\\r\\n| where data_sensitivity_information_s != \\\"\\\" \\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n| mvexpand parsed \\r\\n| extend label = tostring(parsed[\\\"@label\\\"]) \\r\\n| where label != \\\"\\\" \\r\\n| summarize dcount = dcount(sequence_group_id_g) by label\",\"size\":0,\"title\":\"Number of queries, by sensitivity label\",\"timeContextFromParameter\":\"TimeRange\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"label\",\"parameterName\":\"SelectedLabel\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"label\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"},\"id\":\"47978bbf-40f9-45ea-bfe5-0664f71e8ceb\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics \\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| where data_sensitivity_information_s != \\\"\\\" \\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n| mvexpand parsed \\r\\n| extend info_type = tostring(parsed[\\\"@information_type\\\"]) \\r\\n| where info_type != \\\"\\\" \\r\\n| summarize dcount = dcount(sequence_group_id_g) by info_type\",\"size\":0,\"title\":\"Number of queries, by information 
type\",\"timeContextFromParameter\":\"TimeRange\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"info_type\",\"parameterName\":\"SelectedInformationType\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"info_type\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":10}},\"customWidth\":\"33\",\"name\":\"query - 3 - Copy - Copy\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"},\"id\":\"ecd1a5a6-37d8-4967-8923-613975e3c376\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics \\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| where data_sensitivity_information_s != \\\"\\\" \\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n| mvexpand parsed \\r\\n| extend Principal = server_principal_name_s\\r\\n| summarize dcount = dcount(sequence_group_id_g) by Principal\",\"size\":0,\"title\":\"Number of queries, by 
principal\",\"timeContextFromParameter\":\"TimeRange\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"Principal\",\"parameterName\":\"SelectedPrincipal\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Principal\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false},\"chartSettings\":{\"createOtherGroup\":10}},\"customWidth\":\"33\",\"name\":\"query - 3 - Copy - Copy - Copy\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"},\"id\":\"351e424a-f002-4040-8fe7-de51c49acbf2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| where isempty(data_sensitivity_information_s) == false\\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n//| evaluate bag_unpack(parsed, columnsConflict='keep_source')\\r\\n| mvexpand parsed \\r\\n| project TimeGenerated, ResourceId, Label = tostring(parsed.['@label']), InformationType = tostring(parsed.['@information_type'])\\r\\n , Succeeded = succeeded_s, Principal = server_principal_name_s, ClientIP = client_ip_s, Application = application_name_s, Statement = statement_s, Rows = response_rows_d, Action = action_name_s\\r\\n| where Label != \\\"\\\" or InformationType != \\\"\\\"\\r\\n| where isempty('{SelectedLabel}') or (strcat('\\\"',Label,'\\\"') in (split('{SelectedLabel}',',')))\\r\\n| where isempty('{SelectedInformationType}') or (strcat('\\\"',InformationType,'\\\"') in (split('{SelectedInformationType}',',')))\\r\\n| where isempty('{SelectedPrincipal}') or (strcat('\\\"',Principal,'\\\"') in 
(split('{SelectedPrincipal}',',')))\",\"size\":0,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 15\",\"id\":\"aaae6307-f6f3-45c3-aeda-2eec81f6fc46\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics \\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| where data_sensitivity_information_s != \\\"\\\" \\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n| mvexpand parsed \\r\\n| extend label = tostring(parsed[\\\"@label\\\"]) \\r\\n| where label != \\\"\\\" \\r\\n| summarize dcount = dcount(sequence_group_id_g) by label_and_app = strcat(label, \\\" | \\\", application_name_s)\\r\\n| order by label_and_app asc, dcount desc\",\"size\":0,\"title\":\"Application access to classified data (by sensitivity label)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"40\",\"name\":\"query - 3 - Copy - Copy\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"},\"id\":\"67f88e5c-2e93-4f34-846f-143dbcac6209\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics \\r\\n| where tolower(ResourceId) in ({Databases})\\r\\n| where data_sensitivity_information_s != \\\"\\\" \\r\\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \\r\\n| mvexpand parsed \\r\\n| extend label = tostring(parsed[\\\"@label\\\"]) \\r\\n| where label != \\\"\\\" \\r\\n| summarize dcount = dcount(sequence_group_id_g) by label_and_ip = strcat(label, \\\" | \\\", client_ip_s) \\r\\n| order by label_and_ip asc, dcount desc\",\"size\":0,\"title\":\"IP access to classified data (by sensitivity 
label)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"action_name_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"action_name_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"40\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"},\"id\":\"c10cb013-1b7c-4014-8f40-9b069aee0771\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAzureSQLDatabasesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Azure SQL Databases\",\"id\":\"b5ddd9df-8a2c-427b-aa5a-97d2c5e81968\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# 📊 [User & Entity Behavior Analytics (UEBA)](https://docs.microsoft.com/azure/sentinel/identify-threats-with-entity-behavior-analytics)\\n---\\n\\nThis section focuses on detecting **anomalous behaviors by users and entities** that may indicate insider threats, compromised accounts, or attempts to exfiltrate personal data. It supports GDPR obligations around **security of processing (Art. 32)** and **accountability (Art. 5(2))** by helping organizations proactively identify suspicious activity that could put personal data at risk. 
\\n\\nKey objectives of this section: \\n- Highlight **user anomalies** such as unusual access times, geolocations, or activity volumes \\n- Detect **high-risk behaviors** flagged by Microsoft’s identity protection and analytics models \\n- Monitor **entity risk scores** to prioritize investigations of potentially compromised accounts or devices \\n- Correlate **web session anomalies** to identify potential data exfiltration attempts \\n- Provide auditors with evidence of **continuous monitoring of user activity and proactive risk detection** \\n\\nBy reviewing these metrics, analysts can ensure that **unusual or risky behaviors are identified early**, reducing the likelihood of personal data misuse or unauthorized disclosure, and demonstrating effective monitoring controls under GDPR.\\n\"},\"customWidth\":\"40\",\"name\":\"text - 2\",\"id\":\"974c5eb7-510d-4197-b161-009b709a6e23\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 14\",\"id\":\"fece2da2-007f-4d8b-8db5-33fed138796b\"},{\"type\":1,\"content\":{\"json\":\"| User & Entity Behavior Analytics (UEBA) | - | - |\\r\\n|:--| :--| :--| \\r\\n| Anomalous Activity by Geolocation | Anomalous Activity by User & GeoLocation | Entity Behavior Analytics Alerts |\\r\\n| User Anomalies | User Sign-in Risk Details |ASim WebSession: Detect potential data exfilteration using timeseries anomaly|\\r\\n| Anomalous Password Reset | Anomalous Failed Logon |Anomalous Geolocation Logon|\\r\\n| Anomalous AAD Account Manipulation | Anomalous Account Creation |Anomalous Role Assignment|\\r\\n\\r\\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range and User.\"},\"customWidth\":\"40\",\"name\":\"text - 14\",\"id\":\"9205d47c-c3e4-47eb-906a-58d4049ea39a\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AnomalySignIns = BehaviorAnalytics\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in 
({UserPrincipalName})\\r\\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\\r\\n| extend FirstTimeUserAction = tostring(ActivityInsights.FirstTimeUserPerformedAction)\\r\\n| extend UncommonAction = tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\\r\\n| extend UncommonVolumeOfActions = tostring(ActivityInsights.UncommonHighVolumeOfActions)\\r\\n| where FirstTimeDeviceLogon == \\\"True\\\" or FirstTimeUserAction == \\\"True\\\" or UncommonAction == \\\"True\\\" or UncommonVolumeOfActions == \\\"True\\\";\\r\\nAnomalySignIns | join (SigninLogs) on UserPrincipalName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Anomalous Activity by Geolocation\",\"noDataMessage\":\"There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"format
ter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"redBright\"}]}}},\"customWidth\":\"50\",\"name\":\"Results46\",\"id\":\"e93ddfb8-91b4-4787-9ce6-f13d3d17a034\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AnomalySignIns = BehaviorAnalytics\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\\r\\n| extend FirstTimeUserAction = tostring(ActivityInsights.FirstTimeUserPerformedAction)\\r\\n| extend UncommonAction = tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\\r\\n| extend UncommonVolumeOfActions = tostring(ActivityInsights.UncommonHighVolumeOfActions)\\r\\n| where FirstTimeDeviceLogon == \\\"True\\\" or FirstTimeUserAction == \\\"True\\\" or UncommonAction == \\\"True\\\" or UncommonVolumeOfActions == \\\"True\\\";\\r\\nAnomalySignIns | join (SigninLogs) on UserPrincipalName\\r\\n| where 
SourceIPLocation <> \\\"\\\"\\r\\n| summarize count() by UserPrincipalName, SourceIPLocation\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Anomalous Activity by User & GeoLocation\",\"noDataMessage\":\"There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Location\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SourceIPLocation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 14\",\"id\":\"c7c0b7ec-26c2-492a-892a-2f74d46f618c\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AnomalousSigninActivity = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\\r\\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\\r\\n or ActivityInsights.FirstTimeUserUsedApp == True 
and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\\r\\n | join (\\r\\n SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \\\"none\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indication from AAD\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', '158c047a-c907-4556-b7ef-446551a6b5f7', '62e90394-69f5-4237-9190-012177145e10', 'd29b2b05-8046-44ba-8758-1e26182fcf32', '729827e3-9c14-49f7-bb1b-9608f156bbb8', '966707d0-3269-4727-9be2-8c3a10f19b9d', '194ae4cb-b126-40b2-bd5b-6091b380977d', 'fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c', '7495fdc4-34c4-4d15-a289-98788ce399fd', 'aaf43236-0c0d-4d5f-883a-6955382ac081', '3edaf663-341e-4475-9f94-5c398ef6c070', 
'7698a772-787b-4ac8-901f-60d6b08affd2', 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', '9f06204d-73c1-4d4c-880a-6edb90606fd8', '29232cdf-9323-42fd-ade2-1d097af3e4de', 'be2f45a1-457d-42af-a067-6ec1fa63bc45', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13', 'e8611ab8-c189-46e8-94e1-60213ab1f814']);//insider\\r\\nlet AnomalousRoleAssignment = AuditLogs\\r\\n | where TimeGenerated > ago(28d)\\r\\n | where OperationName == \\\"Add member to role\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner (\\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Add member to role\\\"\\r\\n | where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend AnomalyName = \\\"Anomalous Role Assignment\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. 
The query below generates an output of all high Blast Radius users performing Add member to privileged role, or ones that add users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let LogOns=materialize(\\r\\n BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\");\\r\\nlet AnomalousResourceAccess = LogOns\\r\\n | where ActionType == \\\"ResourceAccess\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous Resource Access\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousRDPActivity = LogOns\\r\\n | where ActionType == \\\"RemoteInteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous RDP Activity\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). 
The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousLogintoDevices = LogOns\\r\\n | where ActionType == \\\"InteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\\r\\n | extend AnomalyName = \\\"Anomalous Login To Devices\\\",\\r\\n Tactic = \\\"Privilege Escalation\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. 
The query below generates an output of all administrator users performing an interactive logon (4624:2) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousPasswordReset = BehaviorAnalytics\\r\\n | where ActionType == \\\"Reset user password\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == \\\"True\\\"\\r\\n | join (\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Reset user password\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Password Reset\\\",\\r\\n Tactic = \\\"Impact\\\",\\r\\n Technique = \\\"Account Access Removal\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\\r\\n | join (\\r\\n SigninLogs\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Initial Access\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousFailedLogon = BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\"\\r\\n | join (\\r\\n SigninLogs \\r\\n | where Status.errorCode == 50126\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Failed Logon\\\",\\r\\n Tactic = \\\"Credential Access\\\",\\r\\n Technique = \\\"Brute Force\\\",\\r\\n SubTechnique = \\\"Password Guessing\\\",\\r\\n Description = \\\"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousAADAccountManipulation = AuditLogs\\r\\n | where OperationName == \\\"Update user\\\"\\r\\n | mv-expand AdditionalDetails\\r\\n | where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner ( \\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Update user\\\"\\r\\n | where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName) \\r\\n | extend AnomalyName = \\\"Anomalous Account Manipulation\\\",\\r\\n Tactic = 
\\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to privileged role, or ones that changed users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\\r\\n | where ActionType == \\\"Add user\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\\r\\n | join(\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Add user\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend DisplayName = tostring(UsersInsights.AccountDisplayName),\\r\\n UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", 
tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Account Creation\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Create Account\\\",\\r\\n SubTechnique = \\\"Cloud Account\\\",\\r\\n Description = \\\"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\\\"\\t\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\\r\\nlet TopUsersByAnomalies = AnomalyTable\\r\\n | summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\\r\\n | project Name=tolower(UserName), UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\\r\\n | sort by AnomalyCount desc;\\r\\nlet TopUsersByIncidents = SecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | where Status == \\\"New\\\" or Status == \\\"Active\\\"\\r\\n | mv-expand AlertIds\\r\\n | extend 
AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"])\\r\\n | extend UPN = iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n | union TopUsersByAnomalies\\r\\n | extend \\r\\n AadPivot = iff(isempty(AadUserId), iff(isempty(Sid), Name, Sid), AadUserId),\\r\\n SidPivot = iff(isempty(Sid), iff(isempty(AadUserId), Name, AadUserId), Sid),\\r\\n UPNExists = iff(isempty(UPN), false, true),\\r\\n NameExists = iff(isempty(Name), false, true),\\r\\n SidExists = iff(isempty(Sid), false, true),\\r\\n AADExists = iff(isempty(AadUserId), false, true)\\r\\n | summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber, 4), AlertCount=dcountif(AlertId, isnotempty(AlertId), 4), AnomalyCount=sum(AnomalyCount), any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true), NameAnchor=anyif(Name, NameExists == true), AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true), any(SidPivot) by AadPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false), 
AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title, any_Severity, any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity, any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\\r\\n | project [\\\"UserName\\\"]=NameAnchor, IncidentCount, AlertCount, AnomalyCount, [\\\"AadUserId\\\"]=AadAnchor, [\\\"OnPremSid\\\"]=SidAnchor, [\\\"UserPrincipalName\\\"]=UPNAnchor;\\r\\nTopUsersByIncidents\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| project UserPrincipalName, IncidentCount, AlertCount, AnomalyCount\\r\\n| sort by AlertCount desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Entity Behavior Analytics Alerts\",\"noDataMessage\":\"No results, Confirm Sentinel Entity Behavior is 
Enabled\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}],\"rowLimit\":2500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_heatmap_AlertCount_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_heatmap_AlertCount_2\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 
1\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"ff2e4961-6e1b-4492-bf8c-9c1740fc408c\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let UncommonActionVolume = BehaviorAnalytics\\r\\n| extend UncommonActionVolume = tostring(ActivityInsights.UncommonHighVolumeOfActions)\\r\\n| where UncommonActionVolume == \\\"True\\\"\\r\\n| summarize count() by UserPrincipalName\\r\\n| project-rename UncommonActionVolume = count_;\\r\\nlet UncommonAction = BehaviorAnalytics\\r\\n| extend UncommonAction = tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\\r\\n| where UncommonAction == \\\"True\\\"\\r\\n| summarize count() by UserPrincipalName\\r\\n| project-rename UncommonAction = count_;\\r\\nlet Uncommon = UncommonActionVolume | join(UncommonAction) on UserPrincipalName;\\r\\nlet FirstTimeDeviceLogon = BehaviorAnalytics\\r\\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\\r\\n| where FirstTimeDeviceLogon == \\\"True\\\"\\r\\n| summarize count() by UserPrincipalName\\r\\n| project-rename FirstTimeDeviceLogon = count_;\\r\\nlet FirstTimeUserAction = BehaviorAnalytics\\r\\n| extend FirstTimeUserAction = tostring(ActivityInsights.FirstTimeUserPerformedAction)\\r\\n| where FirstTimeUserAction == \\\"True\\\"\\r\\n| summarize count() by UserPrincipalName\\r\\n| project-rename FirstTimeUserAction = count_;\\r\\nlet FirstTime = FirstTimeUserAction | join(FirstTimeDeviceLogon) on UserPrincipalName;\\r\\nUncommon | join kind=fullouter(FirstTime) on UserPrincipalName\\r\\n| where UserPrincipalName <> \\\"\\\"\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| project UserPrincipalName, UncommonActionVolume, UncommonAction, FirstTimeUserAction, FirstTimeDeviceLogon\\r\\n| sort by UncommonActionVolume desc \\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Anomalies\",\"noDataMessage\":\"There are no results within the selected 
thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_FirstTimeDeviceLogon_4\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_FirstTimeDeviceLogon_4\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\"
:\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"951c5fc4-a44b-408c-b0f6-3f0644d950bb\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AADUserRiskEvents\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| extend UserProfile = strcat(\\\"#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\",UserId)\\r\\n| extend countryOrRegion_ = tostring(Location.countryOrRegion)\\r\\n| extend city_ = tostring(Location.city)\\r\\n| extend state_ = tostring(Location.state)\\r\\n| extend latitude_ = tostring(parse_json(tostring(Location.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(Location.geoCoordinates)).longitude)\\r\\n| distinct UserPrincipalName, UserProfile, RiskLevel, RiskEventType, city_, state_, countryOrRegion_, UserId\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Sign-in Risk Details\",\"noDataMessage\":\"There are no results within the selected thresholds (time, workspace, subscription). 
See How To: Configure and enable Microsoft Entra ID: Identity Protection risk policies (https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"EntraID User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"RiskLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true}},\"name\":\"query - 14\",\"id\":\"ba8fecab-c220-4941-b768-e36aacb8302d\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let start = {TimeRange:grain};\\r\\nlet end = 1d;\\r\\nlet timeframe = 1h;\\r\\nlet scorethreshold = 5;\\r\\nlet bytessentperhourthreshold = 10;\\r\\nlet TimeSeriesData = _Im_WebSession(starttime=start, endtime=now())\\r\\n | where isnotempty(DstIpAddr)\\r\\n and not(ipv4_is_private(DstIpAddr))\\r\\n | summarize 
SrcBytesSum=tolong(sum(SrcBytes)) by EventProduct, bin(TimeGenerated, 1h)\\r\\n | extend EventTime = TimeGenerated\\r\\n | make-series TotalBytesSent = sum(SrcBytesSum) on EventTime from startofday(ago(start)) to startofday(now()) step timeframe by EventProduct;\\r\\n// TimeSeriesData block ends here\\r\\n//Take only anomalies in TimeSeriesData\\r\\nlet TimeSeriesAnomalies = materialize(TimeSeriesData\\r\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, 'linefit')\\r\\n | mv-expand\\r\\n TotalBytesSent to typeof(long),\\r\\n EventTime to typeof(datetime),\\r\\n anomalies to typeof(double),\\r\\n score to typeof(double),\\r\\n baseline to typeof(long)\\r\\n | where anomalies > 0 and baseline > 0\\r\\n | extend AnomalyHour = EventTime\\r\\n | extend\\r\\n TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024) / 1024), 2),\\r\\n BaselineBytesSentinMBperHour = round(((baseline / 1024) / 1024), 2),\\r\\n score = round(score, 2)\\r\\n | project\\r\\n EventProduct,\\r\\n AnomalyHour,\\r\\n TotalBytesSentinMBperHour,\\r\\n BaselineBytesSentinMBperHour,\\r\\n anomalies,\\r\\n score\\r\\n //| where AnomalyHour between (startofday(ago(end)) .. 
startofday(now())) // Get TimeSeriesAnomalies in previous day\\r\\n );\\r\\n let AnomalyHours = materialize (TimeSeriesAnomalies\\r\\n | project AnomalyHour);\\r\\n //Previous day aggregated per hour\\r\\n let Last14DayLogs = \\r\\n _Im_WebSession(starttime=start, endtime=now())\\r\\n | extend DateHour = bin(TimeGenerated, timeframe) // create a new column and round to hour\\r\\n | where DateHour in (AnomalyHours) // Filter dataset to include only anomaly AnomalyHours\\r\\n | where isnotempty(DstIpAddr) and isnotempty(SrcIpAddr) and isnotempty(SrcBytes)\\r\\n | where not(ipv4_is_private(DstIpAddr))\\r\\n | project\\r\\n TimeGenerated,\\r\\n DateHour,\\r\\n DstIpAddr,\\r\\n SrcIpAddr,\\r\\n SrcBytes,\\r\\n DstBytes,\\r\\n DstPortNumber,\\r\\n EventProduct\\r\\n | summarize\\r\\n HourlyCount = count(),\\r\\n TimeGeneratedMax = arg_max(TimeGenerated, *),\\r\\n DestinationIPList = make_set(DstIpAddr, 100),\\r\\n DestinationPortList = make_set(DstPortNumber, 100),\\r\\n TotalSentBytes = tolong(sum(SrcBytes)),\\r\\n TotalReceivedBytes = tolong(sum(DstBytes))\\r\\n by SrcIpAddr, EventProduct, TimeGeneratedHour = bin(TimeGenerated, timeframe)\\r\\n | extend\\r\\n SentBytesinMB = ((TotalSentBytes / 1024) / 1024),\\r\\n ReceivedBytesinMB = ((TotalReceivedBytes / 1024) / 1024)\\r\\n | where SentBytesinMB > bytessentperhourthreshold\\r\\n | sort by TimeGeneratedHour asc, SentBytesinMB desc\\r\\n | extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\r\\n | where Rank <= 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\r\\n | project\\r\\n EventProduct,\\r\\n TimeGeneratedHour,\\r\\n TimeGeneratedMax,\\r\\n SrcIpAddr,\\r\\n DestinationIPList,\\r\\n DestinationPortList,\\r\\n SentBytesinMB,\\r\\n ReceivedBytesinMB,\\r\\n Rank,\\r\\n HourlyCount;\\r\\n Last14DayLogs\",\"size\":0,\"showAnalytics\":true,\"title\":\"ASim WebSession: Detect potential data exfilteration using timeseries 
anomaly\",\"noDataMessage\":\"There are no results within the selected thresholds.\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"EntraID User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"RiskLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true}},\"name\":\"query - 14\",\"id\":\"fc5230a6-7aca-46f1-bcc5-3c9ea812f322\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BehaviorAnalytics\\r\\n| where ActionType == \\\"Reset user password\\\"\\r\\n| where ActivityInsights has \\\"True\\\"\\r\\n| join (\\r\\n AuditLogs\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n| mv-expand TargetResources\\r\\n| extend Target = iff(tostring(TargetResources.userPrincipalName) has \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), 
tostring(TargetResources.userPrincipalName)\\r\\n| extend UserPrincipalName = iff(UserPrincipalName has \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName has \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n| sort by TimeGenerated desc\\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Anomalous Password Reset\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"IPAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds
\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results50\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"c93f91e7-272c-4458-bd02-99e8c69fff8f\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BehaviorAnalytics\\r\\n| where ActivityType == \\\"LogOn\\\"\\r\\n| where UsersInsights.BlastRadius == \\\"High\\\"\\r\\n| join (\\r\\nSigninLogs | where Status.errorCode == 50126\\r\\n) on $left.SourceRecordId == $right._ItemId\\r\\n| extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserPrincipalName),\\r\\nUserName = iff(UserName contains \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserName)\\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Anomalous Failed 
Logon\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IPAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results51\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"eeb331e6-f62c-4916-b83d-db3a707542f2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BehaviorAnalytics\\r\\n| where ActionType == \\\"Sign-in\\\"\\r\\n| where ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True and ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True\\r\\n | join (\\r\\nSigninLogs\\r\\n) on $left.SourceRecordId == $right._ItemId\\r\\n| extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserPrincipalName),\\r\\nUserName = iff(UserName contains \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, 
\\\"#\\\")[0])),UserName)\\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Anomalous Geolocation Logon\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IPAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results52\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"0efbb157-26f6-4649-a044-ff83f4df1c7d\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Critical Roles: can impersonate any user or app, can update 
passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)\\r\\n//High Roles: Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app\\r\\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\\r\\nAuditLogs\\r\\n| where OperationName == \\\"Update user\\\"\\r\\n| mv-expand AdditionalDetails\\r\\n| mv-expand TargetResources\\r\\n| where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n| mv-expand TargetResources\\r\\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n| where RoleId in (critical,high)\\r\\n| where isnotempty(RoleId) or isnotempty(RoleName)\\r\\n| extend TargetId = tostring(TargetResources.id)\\r\\n| extend Target = iff(tostring(TargetResources.userPrincipalName) has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(TargetResources.userPrincipalName, 
\\\"#\\\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\\r\\n| join kind=inner ( BehaviorAnalytics\\r\\n) on $left._ItemId == $right.SourceRecordId\\r\\n| where UsersInsights.BlastRadius == \\\"High\\\" or ActivityInsights has \\\"True\\\"\\r\\n| extend UserPrincipalName = iff(UserPrincipalName has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserPrincipalName),\\r\\nUserName = iff(UserName has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserName) \\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Anomalous AAD Account 
Manipulation\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IPAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results53\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"507a34c7-a19a-459b-889c-f0aeb675dc6f\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Critical Roles: can impersonate any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)\\r\\n//High Roles: Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app\\r\\nlet critical = 
dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\\r\\nAuditLogs\\r\\n| where OperationName == \\\"Add user\\\"\\r\\n| mv-expand AdditionalDetails\\r\\n| mv-expand TargetResources\\r\\n| where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n| mv-expand TargetResources\\r\\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n| where RoleId in (critical,high)\\r\\n| where isnotempty(RoleId) or isnotempty(RoleName)\\r\\n| extend TargetId = tostring(TargetResources.id)\\r\\n| extend Target = iff(tostring(TargetResources.userPrincipalName) has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\\r\\n| join kind=inner ( BehaviorAnalytics\\r\\n) on $left._ItemId == $right.SourceRecordId\\r\\n| where UsersInsights.BlastRadius == \\\"High\\\" or ActivityInsights has \\\"True\\\"\\r\\n| extend UserPrincipalName = iff(UserPrincipalName has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserPrincipalName),\\r\\nUserName = 
iff(UserName has \\\"#EXT#\\\",replace(\\\"_\\\",\\\"@\\\",tostring(split(UserPrincipalName, \\\"#\\\")[0])),UserName) \\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Anomalous Account Creation\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IPAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results54\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"9ce7206a-77de-4e57-91b3-0cf2128d3106\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"qu
ery\":\"let critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\\r\\nAuditLogs\\r\\n| where OperationName == \\\"Add member to role\\\"\\r\\n| mv-expand TargetResources\\r\\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n| where RoleId in (critical,high)\\r\\n| extend TargetId = tostring(TargetResources.id)\\r\\n| extend Target = tostring(TargetResources.userPrincipalName)\\r\\n| where isnotempty(RoleId) or isnotempty(RoleName)\\r\\n| join kind=inner ( BehaviorAnalytics\\r\\n) on $left._ItemId == $right.SourceRecordId\\r\\n| where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights has \\\"True\\\"\\r\\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Anomalous Role 
Assignment\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IPAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results55\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"2b2c0989-48e3-40c2-aeec-f472e8ed35e1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUEBAVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Entity Insights\",\"id\":\"4fdf82dc-6871-4a32-9e24-231da0f8d0f4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# 📂 [Microsoft 365 Activity](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender)\\n---\\n\\nThis section monitors **user and administrator activities across Microsoft 365 services** such as Exchange, SharePoint, OneDrive, and Teams. 
It supports GDPR obligations for **integrity and confidentiality of personal data (Art. 5(1)(f))**, **records of processing activities (Art. 30)**, and **security of processing (Art. 32)** by ensuring that access and modifications to personal data are visible, traceable, and appropriately controlled. \\n\\nKey objectives of this section: \\n- Track **file activity actions** to identify how sensitive data is being accessed, shared, or modified \\n- Detect **risky behaviors** such as external sharing, non-owner mailbox access, or unusual PowerShell sign-ins \\n- Monitor for **policy tampering, malicious inbox rules, and Exchange audit log changes** that could undermine data protection \\n- Identify **unusual user behaviors in Teams and SharePoint**, including mass deletions, uploads, or operations from previously unseen devices or IPs \\n- Provide auditors with detailed evidence of **user actions, administrative changes, and protections applied to personal data** \\n\\nBy analyzing these metrics, analysts can validate that **personal data within Microsoft 365 is accessed and processed lawfully**, and that the organization maintains robust monitoring to detect misuse or unauthorized disclosures.\\n\"},\"customWidth\":\"40\",\"name\":\"text - 2\",\"id\":\"57c68865-5820-4227-899e-5ab7145b5897\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 56\",\"id\":\"c5e09a1b-95c1-4d7d-914a-17597d2874c4\"},{\"type\":1,\"content\":{\"json\":\"| Microsoft 365 Activity | - | - | \\r\\n|:--| :--| :--|\\r\\n| File Activity Actions | File Activity Actions over Time | Most Frequently Accessed Files |\\r\\n| File Transfer Activity by User Over Time | File activity by external users | Previously Unseen Exchange Admin Operations (Last 1 Day) |\\r\\n| SharePoint File Operations by Users from Previously Unseen IPs | SharePointFileOperation via Devices with Previously Unseen User Agents |Non-Owner Mailbox Login Activity |\\r\\n| PowerShell or Non-Browser 
Mailbox Sign-In Activity | Multiple Teams Deleted by a Single User | User Added to Team and Immediately Uploads File |\\r\\n|Executable with Double File Extension and Acces Summary |Mail Redirect via Exchange Transport Rules | Email Forwarding|\\r\\n| User Added as Owner of Multiple Teams | Exchange Audit Log Disabled | Malicious Inbox Rule: Removing Helpdesk/Security Warning Emails|\\r\\n|Office Policy Tampering |Windows Reserved Filenames Staged on Office File Services|\\r\\n\\r\\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range and User. Only panels with data are shown.\\r\\n\"},\"customWidth\":\"50\",\"name\":\"SI OV\",\"id\":\"e4f95345-1aa3-4e41-ab91-c7a0b40b0261\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"51f438d6-e64f-4e00-9cb4-a3be91405e38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Classifications\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PurviewDataSensitivityLogs\\r\\n| where Classification != \\\"[]\\\"\\r\\n| mv-expand Classification // expand array if multiple classifications exist\\r\\n| extend Classification = tostring(Classification)\\r\\n| summarize by Classification\\r\\n| order by Classification asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\"},\"customWidth\":\"10\",\"name\":\"parameters - 
41\",\"id\":\"207667fc-4156-48aa-9111-61b4b67446ac\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c4a56865-2460-45f6-b264-a1040b7b3818\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensitivityLabels\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PurviewDataSensitivityLogs\\r\\n| where SensitivityLabel != \\\"[]\\\"\\r\\n| mv-expand SensitivityLabel // expand array if multiple classifications exist\\r\\n| extend SensitivityLabel = tostring(SensitivityLabel)\\r\\n| summarize by SensitivityLabel\\r\\n| order by SensitivityLabel asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\"},\"customWidth\":\"10\",\"name\":\"parameters - 41 - Copy\",\"id\":\"f1651e12-4a6e-4b02-97d7-3bf750d10cc6\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"80\",\"name\":\"text - 43\",\"id\":\"5c7c0385-6a5c-4af0-9508-e52ee6156221\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| where Operation contains \\\"file\\\"\\r\\n| extend Path = OfficeObjectId\\r\\n| summarize count() by UserId, Operation\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"File Activity 
Actions\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"le
gendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results80\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"73ba9144-a5aa-46f7-8aee-f9e03e2d9a45\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| where Operation contains \\\"file\\\"\\r\\n| extend Path = OfficeObjectId\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Operation\\r\\n| render timechart\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"File Activity Actions over 
Time\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results80b\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"714bf669-7d44-4290-af84-7903d9b29ae1\"},{\"type\":3,\"content\":{\"version
\":\"KqlItem/1.0\",\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| where Operation contains \\\"file\\\"\\r\\n| summarize count() by UserId, SourceFileName, SourceFileExtension, OfficeObjectId \\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Most Frequently Accessed Files\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SourceFileName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"info\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeObjectId\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnM
atch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results80d\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"9556ed93-445e-4db5-966a-daa3565b8172\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\n//let startTime = {TimeRange:grain}; // Adjust as needed\\r\\nOfficeActivity\\r\\n//| where TimeGenerated >= startTime\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| where EventSource == \\\"SharePoint\\\" and OfficeWorkload has_any(\\\"SharePoint\\\", 
\\\"OneDrive\\\") and Operation has_any (\\\"FileDownloaded\\\", \\\"FileSyncDownloadedFull\\\", \\\"FileSyncUploadedFull\\\", \\\"FileUploaded\\\")\\r\\n| summarize UploadedFiles = count() by bin(TimeGenerated, 1h), UserId\\r\\n| order by TimeGenerated asc\\r\\n| render timechart\\r\\n\",\"size\":0,\"title\":\"File Transfer Activity by User Over Time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 47\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"b9fd7530-56ba-4f6c-9b45-8f5a4d6176ff\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| where ExternalAccess == \\\"True\\\"\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"File activity by external 
users\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results83\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"853239f9-e304-48c6-bc26-5678f6bc886e\"},{\"type\":3,\"conten
t\":{\"version\":\"KqlItem/1.0\",\"query\":\"let starttime = {TimeRange:grain};\\r\\nlet endtime = 1d;\\r\\nlet historicalActivity=\\r\\n OfficeActivity\\r\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\r\\n | where RecordType == \\\"ExchangeAdmin\\\" \\r\\n | summarize historicalCount=count() by UserId;\\r\\nlet recentActivity = OfficeActivity\\r\\n | where UserId in ({UserPrincipalName})\\r\\n | where TimeGenerated > ago(endtime)\\r\\n | summarize recentCount=count() by UserId;\\r\\nrecentActivity\\r\\n| join kind = leftanti (\\r\\n historicalActivity\\r\\n )\\r\\n on UserId\\r\\n| project UserId, recentCount\\r\\n| order by recentCount asc, UserId\\r\\n| join kind = rightsemi \\r\\n (OfficeActivity \\r\\n | where TimeGenerated >= ago(endtime) \\r\\n | where RecordType == \\\"ExchangeAdmin\\\")\\r\\n on UserId\\r\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by RecordType, Operation, UserType, UserId, OriginatingServer, ResultStatus\\r\\n| sort by count_ desc\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Previously Unseen Exchange Admin Operations (Last 1 
Day)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results85\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"334fe5d0-1ab3-41ff-ab61-1988bbe3642b\"},{\"type\":3,\"
content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nlet starttime = {TimeRange:grain};\\r\\nlet endtime = 1d;\\r\\nlet historicalActivity=\\r\\n OfficeActivity\\r\\n | where RecordType == \\\"SharePointFileOperation\\\"\\r\\n | where Operation in (\\\"FileDownloaded\\\", \\\"FileUploaded\\\")\\r\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\r\\n | summarize historicalCount=count() by ClientIP;\\r\\nlet recentActivity = OfficeActivity\\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n | where RecordType == \\\"SharePointFileOperation\\\"\\r\\n | where Operation in (\\\"FileDownloaded\\\", \\\"FileUploaded\\\")\\r\\n | where TimeGenerated > ago(endtime);\\r\\nrecentActivity\\r\\n| join kind= leftanti (\\r\\n historicalActivity \\r\\n )\\r\\n on ClientIP\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| summarize count() by UserId, ClientIP\\r\\n| sort by count_ desc\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"SharePoint File Operations by Users from Previously Unseen 
IPs\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results86\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"ef04cd6e-0de4-4f88-9962-df51f521e546\"},{\"type\":3,\"c
ontent\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nlet starttime = {TimeRange:grain};\\r\\nlet endtime = 1d;\\r\\nlet historicalActivity=\\r\\n OfficeActivity\\r\\n | where RecordType == \\\"SharePointFileOperation\\\"\\r\\n | where Operation in (\\\"FileDownloaded\\\", \\\"FileUploaded\\\")\\r\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\r\\n | summarize historicalCount=count() by UserAgent, RecordType;\\r\\nlet recentActivity = OfficeActivity\\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n | where RecordType == \\\"SharePointFileOperation\\\"\\r\\n | where Operation in (\\\"FileDownloaded\\\", \\\"FileUploaded\\\")\\r\\n | where TimeGenerated > ago(endtime);\\r\\nrecentActivity\\r\\n| join kind = leftanti (\\r\\n historicalActivity \\r\\n )\\r\\n on UserAgent, RecordType\\r\\n| where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n| summarize count() by UserId, UserAgent, RecordType\\r\\n| sort by count_ desc\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"SharePointFileOperation via Devices with Previously Unseen User 
Agents\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results87\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"9a133043-09b4-4c6c-a1c8-253e3ac598d5\"},{\"type\":3,
\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where Operation == \\\"MailboxLogin\\\" and Logon_Type != \\\"Owner\\\" \\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Non-Owner Mailbox Login Activity\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Lo
cation\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results88\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"c9d097ab-e5b3-4357-b67e-88627e47c6a8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where Operation == \\\"MailboxLogin\\\"\\r\\n| where ClientInfoString == \\\"Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client\\\"\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"PowerShell or Non-Browser Mailbox Sign-In Activity\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\"
:{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results89\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"18ee18c0-5a9f-4dd0-bcb6-2b626155c665\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\r\\nlet max_delete = 3;\\r\\nlet deleting_users = (\\r\\n OfficeActivity\\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\r\\n | where Operation =~ \\\"TeamDeleted\\\"\\r\\n | summarize count() by UserId\\r\\n | where count_ > max_delete\\r\\n | project UserId);\\r\\nOfficeActivity\\r\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\r\\n| where Operation =~ \\\"TeamDeleted\\\"\\r\\n| where UserId in (deleting_users)\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Multiple Teams Deleted by a Single 
User\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results90\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"d85926d5-0a70-4c85-9db7-538765c6bf05\"},{\"type\":3,\"content\":{\"ver
sion\":\"KqlItem/1.0\",\"query\":\"let PurviewClassifiedFiles = \\r\\nPurviewDataSensitivityLogs\\r\\n| where \\\"{Classifications:label}\\\" == \\\"All\\\" or Classification has_any ({Classifications})\\r\\n| where \\\"{SensitivityLabels:label}\\\" == \\\"All\\\" or SensitivityLabel has_any ({SensitivityLabels})\\r\\n| summarize by AssetName;\\r\\nlet threshold = 1m;\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\r\\n| where Operation == \\\"MemberAdded\\\"\\r\\n| extend TeamName = iff(isempty(TeamName), Members[0].UPN, TeamName)\\r\\n| project TimeGenerated, UserId, UploaderID=UserId, TeamName\\r\\n| join (\\r\\n OfficeActivity\\r\\n | where RecordType == \\\"SharePointFileOperation\\\"\\r\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\r\\n | where Operation == \\\"FileUploaded\\\"\\r\\n | where SourceFileName has_any (PurviewClassifiedFiles)\\r\\n | project UserId, UploadTime=TimeGenerated, UploaderID=UserId, FileLocation=OfficeObjectId, FileName=SourceFileName\\r\\n )\\r\\n on UploaderID\\r\\n| where UploadTime > TimeGenerated and UploadTime < TimeGenerated + threshold\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\\r\\n| take 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Added to Team and Immediately Uploads 
File\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results91\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"05b8dbcb-ab11-40ef-99b2-0777fdb077e9\"},{\"type\":3,\"content\":{\"ver
sion\":\"KqlItem/1.0\",\"query\":\"let known_ext = dynamic([\\\"lnk\\\", \\\"log\\\", \\\"option\\\", \\\"config\\\", \\\"manifest\\\", \\\"partial\\\"]);\\r\\nlet excluded_users = dynamic([\\\"app@sharepoint\\\"]);\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and isnotempty(SourceFileName)\\r\\n| where OfficeObjectId has \\\".exe.\\\" and SourceFileExtension !in~ (known_ext)\\r\\n| extend Extension = extract(\\\"[^.]*.[^.]*$\\\", 0, OfficeObjectId)\\r\\n| join kind= leftouter ( \\r\\n OfficeActivity\\r\\n | where RecordType =~ \\\"SharePointFileOperation\\\" and (Operation =~ \\\"FileDownloaded\\\" or Operation =~ \\\"FileAccessed\\\") \\r\\n | where SourceFileExtension !in~ (known_ext)\\r\\n )\\r\\n on OfficeObjectId \\r\\n| where UserId1 !in~ (excluded_users)\\r\\n| extend userBag = pack(UserId1, ClientIP1) \\r\\n| summarize makeset(UserId1), make_bag(userBag), Start=max(TimeGenerated), End=min(TimeGenerated) by UserId, OfficeObjectId, SourceFileName, Extension \\r\\n| extend NumberOfUsers = array_length(bag_keys(bag_userBag))\\r\\n| project UploadTime=Start, Uploader=UserId, FileLocation=OfficeObjectId, FileName=SourceFileName, AccessedBy=bag_userBag, Extension, NumberOfUsers\\r\\n| extend timestamp = UploadTime, Uploader\",\"size\":0,\"showAnalytics\":true,\"title\":\"Executable with Double File Extension and Acces 
Summary\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results92\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"ffacab43-2c15-40c6-a0fd-5785ad7eb3f3\"},{\"type\":3,\"content\":{\"
version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where OfficeWorkload == \\\"Exchange\\\"\\r\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\r\\n| extend p = parse_json(Parameters)\\r\\n| extend RuleName = case(\\r\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\r\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\r\\n \\\"Unknown\\\"\\r\\n ) \\r\\n| mvexpand p\\r\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\r\\n| extend RedirectTo = p.Value\\r\\n| extend ClientIPOnly = case( \\r\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP, \\\":\\\")[0]), \\r\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP, \\\"-\\\")[0]), \\r\\n ClientIP has \\\"[\\\", tostring(trim_start(@'[[]', tostring(split(ClientIP, \\\"]\\\")[0]))),\\r\\n ClientIP\\r\\n ) \\r\\n| extend Port = case(\\r\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", (split(ClientIP, \\\":\\\")[1]),\\r\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP, \\\"-\\\")[1]),\\r\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP, \\\"]:\\\")[1]),\\r\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP, \\\"]-\\\")[1]),\\r\\n ClientIP\\r\\n )\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Mail Redirect via Exchange Transport 
Rules\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results93\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"c968c8ef-e778-409a-aa9d-22a2bbf81623\"},{\"type\":3,\"c
ontent\":{\"version\":\"KqlItem/1.0\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\r\\nlet threshold = 1;\\r\\n// Reserved FileNames/Extension for Windows\\r\\nlet Reserved = dynamic(['CON', 'PRN', 'AUX', 'NUL', 'COM1', 'COM2', 'COM3', 'COM4', 'COM5', 'COM6', 'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9']);\\r\\nlet starttime = {TimeRange:grain};\\r\\nlet endtime = 1d;\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where TimeGenerated >= ago(endtime)\\r\\n| where isnotempty(SourceFileExtension)\\r\\n| where SourceFileName !~ SourceFileExtension\\r\\n| where SourceFileExtension in~ (Reserved) or SourceFileName in~ (Reserved)\\r\\n| where UserAgent !has \\\"Mac OS\\\" \\r\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName, SourceFileExtension \\r\\n| join kind= leftanti (\\r\\n OfficeActivity\\r\\n | where TimeGenerated between (ago(starttime)..ago(endtime))\\r\\n | where isnotempty(SourceFileExtension)\\r\\n | where SourceFileName !~ SourceFileExtension\\r\\n | where SourceFileExtension in~ (Reserved) or SourceFileName in~ (Reserved)\\r\\n | where UserAgent !has \\\"Mac OS\\\" \\r\\n | summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId), SourceFileName = make_set(SourceFileName), PrevSeenCount = count() by SourceFileExtension\\r\\n // To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\r\\n //| where PrevSeenCount > threshold\\r\\n | mvexpand SourceRelativeUrl, UserId, SourceFileName\\r\\n | extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId), SourceFileName = tostring(SourceFileName)\\r\\n )\\r\\n on SourceFileExtension\\r\\n| extend SiteUrlUserFolder = 
tolower(split(Site_Url, '/')[-2])\\r\\n| extend UserIdUserFolderFormat = tolower(replace('@|\\\\\\\\.', '_', UserId))\\r\\n// identify when UserId is not a match to the specific site url personal folder reference\\r\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true, false) \\r\\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Operations = make_list(Operation), UserAgents = make_list(UserAgent), \\r\\n OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\r\\n by OfficeWorkload, RecordType, UserType, UserKey, UserId, ClientIP, Site_Url, SourceFileExtension, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\",\"size\":0,\"showAnalytics\":true,\"title\":\"Windows Reserved Filenames Staged on Office File Services\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",
\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results94\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"b9a42483-69a2-42fd-adbf-fffb48b0efb4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where (Operation contains 'Forward') \\r\\n or (Parameters contains 'ForwardTo')\\r\\n| extend parsed=parse_json(Parameters)\\r\\n| extend fwdingDestination_initial = (iif(Operation =~ \\\"Set-Mailbox\\\", tostring(parsed[1].Value), tostring(parsed[2].Value)))\\r\\n| where isnotempty(fwdingDestination_initial)\\r\\n| extend fwdingDestination = iff(fwdingDestination_initial has \\\"smtp\\\", (split(fwdingDestination_initial, \\\":\\\")[1]), fwdingDestination_initial)\\r\\n| parse fwdingDestination with * '@' ForwardedtoDomain \\r\\n| parse UserId with *'@' UserDomain\\r\\n| extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]), '.', tostring(split(UserDomain, '.')[-1])), '.')[0]))\\r\\n| where ForwardedtoDomain !contains subDomain\\r\\n| extend Result = iff(ForwardedtoDomain != UserDomain, \\\"Mailbox rule created to forward to External Domain\\\", \\\"Forward rule for 
Internal domain\\\")\\r\\n| extend ClientIPAddress = case(ClientIP has \\\".\\\", tostring(split(ClientIP, \\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@'[[]', tostring(split(ClientIP, \\\"]\\\")[0]))), ClientIP)\\r\\n| extend Port = case(\\r\\n ClientIP has \\\".\\\", (split(ClientIP, \\\":\\\")[1]),\\r\\n ClientIP has \\\"[\\\", tostring(split(ClientIP, \\\"]:\\\")[1]),\\r\\n ClientIP\\r\\n )\\r\\n| summarize count() by UserId, fwdingDestination, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Email Forwarding\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"fwdingDestination\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"ma
ximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results95\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"ac7afd7e-bf7b-4189-91f7-d5694bb25219\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Adjust this value to change how many teams a user is made owner of before detecting\\r\\nlet max_owner_count = 3;\\r\\n// Change this value to adjust how larger timeframe the query is run over.\\r\\nlet high_owner_count = (OfficeActivity\\r\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\r\\n | where Operation =~ \\\"MemberRoleChanged\\\"\\r\\n | extend Member = tostring(parse_json(Members)[0].UPN) \\r\\n | extend NewRole = toint(parse_json(Members)[0].Role) \\r\\n | where NewRole == 2\\r\\n | summarize dcount(TeamName) by Member\\r\\n | where dcount_TeamName > max_owner_count\\r\\n | project Member);\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\r\\n| where Operation =~ \\\"MemberRoleChanged\\\"\\r\\n| extend Member = tostring(parse_json(Members)[0].UPN) \\r\\n| extend NewRole = toint(parse_json(Members)[0].Role) \\r\\n| where NewRole == 2\\r\\n| where Member in (high_owner_count)\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Added 
as Owner of Multiple Teams\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results98\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"4e3c2214-7f92-46d7-bd8b-eb218f190ca5\"},{\"type\
":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\r\\n// Only admin or global-admin can disable audit logging\\r\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\r\\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\r\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\r\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Exchange Audit Log Disabled\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue
\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results99\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"b0e97b8d-a03a-42d8-944e-311268fd6d2f\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add Keywords for Emails as needed\\r\\nlet Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\r\\nOfficeActivity\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| where Operation =~ \\\"New-InboxRule\\\"\\r\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" \\r\\n| extend Events=todynamic(Parameters)\\r\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords '}'*\\r\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords '}'*\\r\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords '}'*\\r\\n| where SubjectContainsWords has_any (Keywords)\\r\\n or BodyContainsWords has_any (Keywords)\\r\\n or SubjectOrBodyContainsWords has_any (Keywords)\\r\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP 
has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\r\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\r\\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\\\\\')[-1]))\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Malicious Inbox Rule: Removing Helpdesk/Security Warning Emails\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryReg
ion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results100\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"15e6a852-9141-46b4-8ee5-fa662b527662\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let opList = OfficeActivity \\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| summarize by Operation\\r\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\r\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\r\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\r\\n| summarize make_set(Operation);\\r\\nOfficeActivity\\r\\n// Only admin or global-admin can disable/remove policy\\r\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\r\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\r\\n// Pass in interesting Operation list\\r\\n| where Operation in~ (opList)\\r\\n| extend ClientIPOnly = case( \\r\\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\r\\nClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\r\\nClientIP\\r\\n) \\r\\n| extend Port = case(\\r\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\r\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\r\\nClientIP\\r\\n)\\r\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, 
ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\r\\n| summarize count() by UserId\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Office Policy Tampering\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\
":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results101\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"e02a57ea-f4a1-4656-b049-e6213497f737\"}]},\"conditionalVisibility\":{\"parameterName\":\"isM365ActivityVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Office Activity Group\",\"id\":\"a5c2b0bf-a5ff-4084-84f6-605c660427bf\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Sign-Ins (Entra ID)](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins)\\n---\\n\\nThis section provides visibility into **user authentication events and access patterns**, supporting GDPR requirements for **integrity and confidentiality of personal data (Art. 5(1)(f))** and **security of processing (Art. 32)**. Monitoring sign-ins helps ensure that only authorized individuals access systems processing personal data, and that suspicious authentication activity is detected quickly. 
\\n\\nKey objectives of this section: \\n- Track **sign-ins by geolocation and over time** to spot unusual or high-risk access locations \\n- Monitor **failed sign-in attempts and brute-force activity** to identify potential account compromise \\n- Detect **anomalous patterns** such as cross-application anomalies, sign-in bursts, or VPN-based logins \\n- Review **application and client usage trends** to confirm that personal data is accessed only through approved channels \\n- Provide auditors with evidence of **access control enforcement and monitoring** \\n\\nBy analyzing these metrics, analysts can verify that **access to personal data is properly secured**, and that the enterprise maintains the ability to **detect, investigate, and remediate suspicious sign-in activity** in line with GDPR obligations.\\n\\n\\n\\n\"},\"name\":\"text - 2\",\"id\":\"a4d7e8d9-e963-4417-959f-cb9c783ad9a5\"}]},\"customWidth\":\"40\",\"name\":\"group - 32\",\"id\":\"7cd82204-fee8-4b5e-a0ab-8819d2543e11\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 29\",\"id\":\"e69f5d24-5239-4c56-b968-db348535dbe8\"},{\"type\":1,\"content\":{\"json\":\"| Sign-Ins (Entra ID) | - | - |\\r\\n|:--| :--| :--| \\r\\n| Sign-Ins by Geolocation | Authentication Details | Sign-In Locations Over Time |\\r\\n| Sign-Ins Count By Application Name | Applications Access Count By Users | Client Application Count by Users |\\r\\n| Anomalous Sign-in & App Access | Entra ID Failed Sign-in Attempts | Entra ID Brute Force Sign-in Attempts |\\r\\n|Cross-App Sign-in Anomaly (Success then Failure) | Sign-In Burst From Multiple Locations | Sign-in From VPN |\\r\\n\\r\\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range and User. 
Only panels with data are shown.\"},\"customWidth\":\"40\",\"name\":\"SI OV\",\"id\":\"ddcc72b0-f7a3-4eff-a580-ba3773b72685\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where Location <> \\\"\\\"\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\\r\\n| extend city_ = tostring(LocationDetails.city)\\r\\n| project latitude_,longitude_,city_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Sign-Ins by Geolocation\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"Results46\",\"id\":\"3e27f8e8-6059-4621-9fd9-6840cfa6352d\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|extend errorCode = toint(Status.errorCode)\\r\\n| extend SigninStatus = case(\\r\\n errorCode == 0, \\\"Success\\\",\\r\\n errorCode in (50055,50058,50072,50074,50125,50127,50129,50140,50143,50144,51006,52004,65001,16000,16001,16003,81010,81012,81014), 
\\\"Pending user action\\\",\\r\\n \\\"Failure\\\"\\r\\n);\\r\\ndata\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| where IsInteractive == true\\r\\n| summarize Count = count() by SigninStatus\\r\\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\\r\\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\\r\\n on SigninStatus\\r\\n| project-away SigninStatus1, TimeGenerated\\r\\n| extend Status = SigninStatus\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count()\\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend SigninStatus = 'All Sign-ins', Status = '*' \\r\\n)\\r\\n| where SigninStatus <> \\\"All Sign-ins\\\"\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Authentication 
Details\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"info\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"Results47\",\"id\":\"a04b9f50-45b0-4550-92ef-572347a486e0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| where IsInteractive == true\\r\\n| extend city_ = tostring(LocationDetails.city)\\r\\n| extend state_ = tostring(LocationDetails.state)\\r\\n| where state_ <> \\\"\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by 
state_\\r\\n| render timechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sign-In Locations Over Time\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"name\":\"Results49\",\"id\":\"430cad35-c398-45c0-95bc-7e70e51f8283
\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| where ResultType == 0 and AppDisplayName != \\\"\\\"\\r\\n| summarize count() by AppDisplayName\\r\\n| join (\\r\\nSigninLogs\\r\\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, 4h) by AppDisplayName \\r\\n) on AppDisplayName\\r\\n| top 10 by count_ desc\",\"size\":4,\"showAnalytics\":true,\"title\":\"Sign-Ins Count By Application Name\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"info\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"AppDisplayName\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"TrendList\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"AppDisplayName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"
sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"Results48\",\"id\":\"8f026c95-ba0a-4053-98a7-68be6f18f9c6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize Count=count() by UserPrincipalName, AppDisplayName\\r\\n| sort by Count desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Applications Access Count By Users\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AppDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"trendup\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"IPAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\
"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results51\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"9388f83d-5fc3-4611-b1c1-11e9f6f26747\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| extend Browser = tostring(DeviceDetail.browser)\\r\\n| extend OperatingSystem = tostring(DeviceDetail.operatingSystem)\\r\\n| summarize Count=count() by UserPrincipalName, Browser, OperatingSystem\\r\\n| sort by Count desc\\r\\n| limit 250\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Client Application Count by Users\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserAgent\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"1\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ClientAppUsed\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"trenddown\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AppDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"trendup\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IPAddress\",\"formatter\
":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results52\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"41a8d174-2cf8-4573-a4e4-7e043f418048\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n// Forces Log Analytics to recognize that the query should be run over full time range\\r\\n| extend locationString= strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", \\r\\n tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\r\\n| project TimeGenerated, AppDisplayName, UserPrincipalName, locationString \\r\\n// Create time series \\r\\n| make-series dLocationCount = dcount(locationString)\\r\\n on TimeGenerated\\r\\n step 1d\\r\\n by UserPrincipalName, AppDisplayName \\r\\n// Compute best fit line for each entry \\r\\n| extend (RSquare, Slope, Variance, RVariance, Interception, LineFit) = series_fit_line(dLocationCount) \\r\\n// Filter for truly anomalous patterns:\\r\\n// - abs(Slope) > 0.5 → exclude stable users; keeps those with growing/shrinking location diversity\\r\\n// - Variance > 2 → exclude trivial fluctuations; ensures location counts are inconsistent\\r\\n// - RSquare > 0.5 → exclude poor fits; ensures the slope represents a real 
trend, not random noise\\r\\n| where abs(Slope) > 0.5 and Variance > 2 and RSquare > 0.5\\r\\n| project UserPrincipalName, AppDisplayName, Slope, Variance, RSquare\\r\\n| order by abs(Slope) desc\\r\\n| limit 50\",\"size\":0,\"showAnalytics\":true,\"title\":\"Anomalous Sign-in Location by User Account and Authenticating Application\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results53\",\"styleSettin
gs\":{\"maxWidth\":\"50\"},\"id\":\"867a83fa-8a74-4554-b8e9-f89ce802209d\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n// 50126 - Invalid username or password, or invalid on-premises username or password.\\r\\n// 50020 - The user doesn't exist in the tenant.\\r\\n// 50076 → MFA required but not satisfied\\r\\n// 50053 → Account locked due to repeated sign-in attempts\\r\\n| where ResultType in (\\\"50126\\\", \\\"50020\\\", \\\"50076\\\", \\\"50053\\\")\\r\\n| summarize Count=count() by UserPrincipalName, AppDisplayName\\r\\n| sort by Count desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Entra ID Failed Sign-in Attempts\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoCol
umn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results54\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"f42567b1-0fad-4cf3-b6ac-0f19cba137b1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let failureCountThreshold = 5;\\r\\nlet successCountThreshold = 1;\\r\\nlet authenticationWindow = 20m;\\r\\nlet aadFunc = (tableName: string) {\\r\\n table(tableName)\\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n | extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\r\\n | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\r\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\r\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\r\\n // Split out failure versus non-failure types\\r\\n | extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\"), \\\"Success\\\", \\\"Failure\\\")\\r\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\\r\\n make_set(State), make_set(Region), make_set(ResultType), FailureCount = countif(FailureOrSuccess == \\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess == \\\"Success\\\") \\r\\n by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, 
Type\\r\\n | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\\r\\n | mvexpand IPAddress\\r\\n | extend IPAddress = tostring(IPAddress)\\r\\n };\\r\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\r\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\r\\nunion isfuzzy=true aadSignin, aadNonInt\\r\\n| summarize AttemptWindows = count(), TotalFailures = sum(FailureCount), TotalSuccesses = sum(SuccessCount) by UserPrincipalName, AppDisplayName\\r\\n| order by AttemptWindows desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Entra ID Brute Force Sign-in Attempts\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMet
ric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results55\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"c80addb4-a836-47fd-a319-0fa64d9bc735\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let timeFrame = {TimeRange:grain};\\r\\nlet logonDiff = 1m;\\r\\nlet Success = SigninLogs \\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n | where TimeGenerated >= timeFrame \\r\\n | where ResultType == \\\"0\\\" \\r\\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\", \\\"Office 365 SharePoint Online\\\")\\r\\n | project SuccessLogonTime = TimeGenerated, UserPrincipalName, IPAddress, SuccessAppDisplayName = AppDisplayName;\\r\\nlet Fail = SigninLogs \\r\\n | where TimeGenerated >= timeFrame \\r\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\r\\n | where ResultDescription !~ \\\"Other\\\" \\r\\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\", \\\"Office 365 SharePoint Online\\\")\\r\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, IPAddress, FailedAppDisplayName = AppDisplayName, ResultType, ResultDescription;\\r\\nlet InitialDataSet = \\r\\n Success\\r\\n | join kind= inner (\\r\\n Fail\\r\\n )\\r\\n on UserPrincipalName, IPAddress \\r\\n | where isnotempty(FailedAppDisplayName)\\r\\n | where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and SuccessAppDisplayName != FailedAppDisplayName;\\r\\nlet InitialHits = \\r\\n InitialDataSet\\r\\n | summarize FailedLogonTime = min(FailedLogonTime), SuccessLogonTime = min(SuccessLogonTime) \\r\\n by UserPrincipalName, SuccessAppDisplayName, FailedAppDisplayName, 
IPAddress, ResultType, ResultDescription;\\r\\n// Only take hits where there is 5 or less distinct AppDisplayNames on the success side as this limits highly active applications where failures occur more regularly\\r\\nlet Distribution =\\r\\n InitialDataSet\\r\\n | summarize count(SuccessAppDisplayName) by SuccessAppDisplayName, ResultType\\r\\n | where count_SuccessAppDisplayName <= 5;\\r\\nInitialHits\\r\\n| join (\\r\\n Distribution \\r\\n )\\r\\n on SuccessAppDisplayName, ResultType\\r\\n| project UserPrincipalName, SuccessLogonTime, IPAddress, SuccessAppDisplayName, FailedLogonTime, FailedAppDisplayName, ResultType, ResultDescription \\r\\n| where UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName, SuccessAppDisplayName, FailedAppDisplayName\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cross-App Sign-in Anomaly (Success then Failure)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SuccessAppDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"FailedAppDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"failed\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGri
d\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results56\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"f9f17c4e-782a-4c10-85af-bbb032c06162\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let signIns = SigninLogs\\r\\n | where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n | extend locationString= strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\",\\r\\n tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]))\\r\\n | where locationString != \\\"//\\\" \\r\\n // filter out signins associated with top 100 signin locations \\r\\n | join kind=anti (\\r\\n SigninLogs\\r\\n | extend locationString= strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", \\r\\n tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]))\\r\\n | where locationString != \\\"//\\\"\\r\\n | summarize count() by locationString\\r\\n | order by count_ desc\\r\\n | take 
100)\\r\\n on locationString; // TODO - make this threshold percentage-based\\r\\n// We will perform a time window join to identify signins from multiple locations within a 10-minute period\\r\\nlet lookupWindow = 10m;\\r\\nlet lookupBin = lookupWindow / 2.0; // lookup bin = equal to 1/2 of the lookup window\\r\\nsignIns \\r\\n| project-rename Start=TimeGenerated \\r\\n| extend TimeKey = bin(Start, lookupBin)\\r\\n| join kind = inner (\\r\\n signIns \\r\\n | project-rename End=TimeGenerated, EndLocationString=locationString \\r\\n // TimeKey on the right side of the join - emulates this authentication appearing several times\\r\\n | extend TimeKey = range(bin(End - lookupWindow, lookupBin),\\r\\n bin(End, lookupBin), lookupBin)\\r\\n | mvexpand TimeKey to typeof(datetime) // translate TimeKey arrange range to a column\\r\\n )\\r\\n on Identity, TimeKey\\r\\n| where End > Start\\r\\n| project timeSpan = End - Start, Identity, locationString, EndLocationString, tostring(Start), tostring(End), UserPrincipalName\\r\\n| where locationString != EndLocationString\\r\\n| summarize by timeSpan, Identity, locationString, EndLocationString, Start, End, UserPrincipalName\\r\\n| where UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName, locationString, EndLocationString\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sign-In Burst From Multiple 
Locations\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results57\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"dfbddb09-52ab-4313-8975-87760a66417a\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IP_Data = (externaldata(network: string)\\r\\n [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/VPS_Networks.csv\\\"] with 
(format=\\\"csv\\\"));\\r\\nSigninLogs\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| where ResultType == 0\\r\\n| extend additionalDetails = tostring(Status.additionalDetails)\\r\\n| evaluate ipv4_lookup(IP_Data, IPAddress, network, return_unmatched = false)\\r\\n| summarize count() by UserPrincipalName, AppDisplayName, network\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sign-Ins From VPNs\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":
\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results58\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"d8a944ed-22f3-4cc0-bb6b-962e306a47c9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSignInsVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Sign-Ins\",\"id\":\"02595a8f-51f5-4a12-905d-4dec6b629000\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# 📝 [Audit Logs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs)\\n---\\n\\nThis section provides accountability and traceability for **administrative and user activities** across cloud services. It directly supports GDPR requirements for **records of processing activities (Art. 30)**, **security of processing (Art. 32)**, and **accountability (Art. 5(2))** by ensuring that all actions related to personal data can be tracked, reviewed, and evidenced. 
\\n\\nKey objectives of this section: \\n- Detect **risky administrative actions** such as password resets, consent grants, or policy changes \\n- Identify **suspicious logins** from inactive accounts or unusual sources that may indicate misuse of personal data \\n- Monitor for **rare or unexpected audit events** that could signal attempts to bypass controls \\n- Provide a reliable record of **who accessed what, when, and with what privileges** \\n- Supply auditors with verifiable evidence of **control enforcement, activity logging, and retention** \\n\\nBy reviewing these metrics, analysts can confirm that **all processing activities are logged and monitored**, supporting GDPR requirements for transparency, oversight, and demonstrable compliance.\\n\"},\"name\":\"text - 2\",\"id\":\"f4407721-5db2-4293-aada-4de45c5bd280\"}]},\"customWidth\":\"40\",\"name\":\"group - 27\",\"id\":\"e95a2f10-9cde-4760-85b0-f3801c61e9a1\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 26\",\"id\":\"50c953d9-3525-493b-a41a-dd062d0fbf67\"},{\"type\":1,\"content\":{\"json\":\"| Audit Log (Entra ID)) | - | - |\\r\\n|:--| :--| :--|\\r\\n| Changing Passwords Across Multiple Cloud Accounts | Credential & Secret Search Activity by Users | Unexpected Logins From Inactive Accounts |\\r\\n| Rare Audit Activity Initiated |Suspicious Consent to Application Discovery |\\r\\n\\r\\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range and User. 
Only panels with data are shown.\"},\"customWidth\":\"40\",\"name\":\"SI OV\",\"id\":\"f072461b-6c31-46f6-a78b-ae158c6dbb46\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let action = dynamic([\\\"change \\\", \\\"changed \\\", \\\"reset \\\"]);\\r\\nlet pWord = dynamic([\\\"password \\\", \\\"credentials \\\"]);\\r\\n(union isfuzzy=true\\r\\n (SecurityEvent\\r\\n | where EventID in (4723, 4724)\\r\\n | summarize\\r\\n StartTimeUtc = min(TimeGenerated),\\r\\n EndTimeUtc = max(TimeGenerated),\\r\\n ResultDescriptions = makeset(Activity),\\r\\n ActionCount = count()\\r\\n by\\r\\n Resource = Computer,\\r\\n OperationName = strcat(\\\"TargetAccount: \\\", TargetUserName),\\r\\n UserId = Account,\\r\\n Type\\r\\n ),\\r\\n (AuditLogs\\r\\n | where OperationName has_any (pWord) and OperationName has_any (action)\\r\\n | extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) \\r\\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName) \\r\\n | where ResultDescription != \\\"None\\\" \\r\\n | summarize\\r\\n StartTimeUtc = min(TimeGenerated),\\r\\n EndTimeUtc = max(TimeGenerated),\\r\\n ResultDescriptions = makeset(ResultDescription),\\r\\n CorrelationIds = makeset(CorrelationId),\\r\\n ActionCount = count()\\r\\n by\\r\\n OperationName = strcat(Category, \\\" - \\\", OperationName, \\\" - \\\", Result),\\r\\n Resource,\\r\\n UserId = TargetUserPrincipalName,\\r\\n Type\\r\\n | extend ResultDescriptions = tostring(ResultDescriptions)\\r\\n ),\\r\\n (OfficeActivity\\r\\n | where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\r\\n | extend ResultDescriptions = case(\\r\\n OfficeWorkload =~ \\\"AzureActiveDirectory\\\",\\r\\n tostring(ExtendedProperties),\\r\\n OfficeWorkload has_any (\\\"Exchange\\\", \\\"OneDrive\\\"),\\r\\n OfficeObjectId,\\r\\n RecordType\\r\\n ) \\r\\n | 
summarize\\r\\n StartTimeUtc = min(TimeGenerated),\\r\\n EndTimeUtc = max(TimeGenerated),\\r\\n ResultDescriptions = makeset(ResultDescriptions),\\r\\n ActionCount = count()\\r\\n by\\r\\n Resource = OfficeWorkload,\\r\\n OperationName = strcat(Operation, \\\" - \\\", ResultStatus),\\r\\n IPAddress = ClientIP,\\r\\n UserId,\\r\\n Type\\r\\n ),\\r\\n (Syslog\\r\\n | where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\r\\n | summarize\\r\\n StartTimeUtc = min(TimeGenerated),\\r\\n EndTimeUtc = max(TimeGenerated),\\r\\n ResultDescriptions = makeset(SyslogMessage),\\r\\n ActionCount = count()\\r\\n by\\r\\n Resource = HostName,\\r\\n OperationName = Facility,\\r\\n IPAddress = HostIP,\\r\\n ProcessName,\\r\\n Type\\r\\n ),\\r\\n (SigninLogs\\r\\n | where OperationName =~ \\\"Sign-in activity\\\" and ResultType has_any (\\\"50125\\\", \\\"50133\\\")\\r\\n | summarize\\r\\n StartTimeUtc = min(TimeGenerated),\\r\\n EndTimeUtc = max(TimeGenerated),\\r\\n ResultDescriptions = makeset(ResultDescription),\\r\\n CorrelationIds = makeset(CorrelationId),\\r\\n ActionCount = count()\\r\\n by\\r\\n Resource,\\r\\n OperationName = strcat(OperationName, \\\" - \\\", ResultType),\\r\\n IPAddress,\\r\\n UserId = UserPrincipalName,\\r\\n Type\\r\\n )\\r\\n)\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserId in ({UserPrincipalName})\\r\\n| summarize LogSource=make_set(Type), ActionCount=sum(ActionCount) by UserId\\r\\n| sort by ActionCount desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Changing Passwords Across Multiple Cloud 
Accounts\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"Results103\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"fdcd7a0a-0b3d-4e34-af8f-0927c3435c31\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Extend this list with items to search for\\r\\nlet keywords = dynamic([\\\"password\\\", \\\"pwd\\\", \\\"creds\\\", \\\"credentials\\\", \\\"secret\\\"]);\\r\\n// To exclude key phrases or tables to exclude add to these lists\\r\\nlet table_exclusions = dynamic([\\\"AuditLogs\\\", \\\"SigninLogs\\\", \\\"LAQueryLogs\\\", \\\"SecurityEvent\\\"]);\\r\\nlet keyword_exclusion = dynamic([\\\"reset user password\\\", \\\"change user password\\\"]);\\r\\nLAQueryLogs\\r\\n| where RequestClientApp != 'Sentinel-General'\\r\\n| extend querytext_lower = tolower(QueryText)\\r\\n| where querytext_lower has_any(keywords)\\r\\n| project TimeGenerated, 
AADEmail, QueryText, RequestClientApp, RequestTarget, ResponseCode, ResponseRowCount, ResponseDurationMs, CorrelationId\\r\\n| extend timestamp = TimeGenerated, Username = AADEmail\\r\\n| join kind=leftanti (LAQueryLogs\\r\\n | where RequestClientApp != 'Sentinel-General'\\r\\n | extend querytext_lower = tolower(QueryText)\\r\\n | where QueryText has_any(table_exclusions) or querytext_lower has_any(keyword_exclusion))\\r\\n on CorrelationId\\r\\n| where isnotempty(Username) and ResponseRowCount > 0\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or Username in ({UserPrincipalName})\\r\\n| summarize count() by Username\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Credential & Secret Search Activity by Users\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Username\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"Results104\",\"styleSettings\":{\"maxWidth\":\"50\"}
,\"id\":\"fb49d794-87c9-4893-b14b-6e5c31939cf6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let recentWindow = 1d; // Accounts that logged in recently\\r\\nlet historyWindow = 30d; // Look back period for prior logins\\r\\nlet newAccountWindow = 7d; // Exclude accounts created in last 7 days\\r\\n// Step 1: Recent successful logins\\r\\nlet recentLogins = SigninLogs\\r\\n| where TimeGenerated >= ago(recentWindow)\\r\\n| where ResultType == 0\\r\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), loginCountRecent = count() \\r\\n by UserPrincipalName, Identity;\\r\\n// Step 2: Exclude accounts that had successful logins in the historical period\\r\\nlet historicalLogins = SigninLogs\\r\\n| where TimeGenerated between (ago(historyWindow) .. ago(recentWindow))\\r\\n| where ResultType == 0\\r\\n| summarize by UserPrincipalName, Identity;\\r\\nlet dormantLogins = recentLogins\\r\\n| join kind=leftanti (historicalLogins) on UserPrincipalName;\\r\\n// Step 3: Exclude newly created accounts\\r\\nlet newAccounts = AuditLogs\\r\\n| where TimeGenerated >= ago(newAccountWindow)\\r\\n| where OperationName == \\\"Add user\\\"\\r\\n| extend NewUserPrincipalName = tolower(extractjson(\\\"$.userPrincipalName\\\", tostring(TargetResources[0]), typeof(string)));\\r\\ndormantLogins\\r\\n| join kind=leftanti (newAccounts) on $left.UserPrincipalName == $right.NewUserPrincipalName\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or UserPrincipalName in ({UserPrincipalName})\\r\\n| summarize count() by UserPrincipalName\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Unexpected Logins From Inactive 
Accounts\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"Results105\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"70d3d081-9185-4b44-b7a3-304b41e26f8c\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let current = 1d;\\r\\nlet auditLookback = {TimeRange:grain};\\r\\nlet propertyIgnoreList = dynamic([\\\"TargetId.UserType\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"LastDirSyncTime\\\", \\\"DeviceOSVersion\\\", \\\"CloudDeviceOSVersion\\\", \\\"DeviceObjectVersion\\\"]);\\r\\nlet AuditTrail = AuditLogs\\r\\n | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\\r\\n | where isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\r\\n | extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\r\\n | extend InitiatedByIPAddress = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\r\\n | extend ModProps = TargetResources.[0].modifiedProperties\\r\\n | extend TargetUserPrincipalName = tolower(tostring(TargetResources.[0].userPrincipalName))\\r\\n | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\r\\n | mv-expand ModProps\\r\\n | extend PropertyName = tostring(ModProps.displayName), newValue = tostring(parse_json(tostring(ModProps.newValue))[0])\\r\\n | where PropertyName !in~ (propertyIgnoreList) and (PropertyName !~ \\\"Action Client Name\\\" and newValue !~ \\\"DirectorySync\\\") and (PropertyName !~ \\\"Included Updated Properties\\\" and newValue !~ \\\"LastDirSyncTime\\\")\\r\\n | summarize count() by OperationName, InitiatedByUser, InitiatedByIPAddress, TargetUserPrincipalName, PropertyName, TargetResourceName;\\r\\nlet AccountMods = AuditLogs \\r\\n | where TimeGenerated >= ago(current)\\r\\n | where isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\r\\n | extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\r\\n | extend InitiatedByIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\r\\n | extend ModProps = TargetResources.[0].modifiedProperties\\r\\n | extend TargetUserPrincipalName = tolower(tostring(TargetResources.[0].userPrincipalName))\\r\\n | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\r\\n | mv-expand ModProps\\r\\n | extend PropertyName = tostring(ModProps.displayName), newValue = tostring(parse_json(tostring(ModProps.newValue))[0])\\r\\n | where PropertyName !in~ (propertyIgnoreList) and (PropertyName !~ \\\"Action Client Name\\\" and newValue !~ \\\"DirectorySync\\\") and (PropertyName !~ \\\"Included Updated Properties\\\" and newValue !~ \\\"LastDirSyncTime\\\")\\r\\n | extend ModifiedProps = pack(\\\"PropertyName\\\", PropertyName, \\\"newValue\\\", newValue, \\\"Id\\\", Id, \\\"CorrelationId\\\", 
CorrelationId) \\r\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Activity = make_bag(ModifiedProps) by Type, InitiatedByUser, InitiatedByIPAddress, TargetUserPrincipalName, Category, OperationName, PropertyName, TargetResourceName;\\r\\nlet RareAudits = AccountMods\\r\\n | join kind= leftanti (\\r\\n AuditTrail \\r\\n )\\r\\n on OperationName, InitiatedByUser, InitiatedByIPAddress;//, TargetUserPrincipalName, PropertyName; //uncomment if you want to see Rare Property changes to a given TargetUserPrincipalName.\\r\\nRareAudits \\r\\n| summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), make_set(Activity), make_set(PropertyName) by Type, InitiatedByUser, InitiatedByIPAddress, OperationName, TargetUserPrincipalName, TargetResourceName\\r\\n| extend StartTime, InitiatedByUser, Hostname = iff(set_PropertyName has_any ('DeviceOSType', 'CloudDeviceOSType'), TargetResourceName, ''), InitiatedByIPAddress\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or InitiatedByUser in ({UserPrincipalName})\\r\\n| distinct InitiatedByUser, OperationName, StartTime\\r\\n| sort by StartTime desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Rare Audit Activity 
Initiated\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"InitiatedByUser\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"Results107\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"9859bf72-8015-406e-bc8e-140f395e477d\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let auditLookback = {TimeRange:grain};\\r\\n// Setting threshold to 3 as a default, change as needed. 
Any operation that has been initiated by a user or app more than 3 times in the past 30 days will be exluded\\r\\nlet threshold = 3;\\r\\n// Helper function to extract relevant fields from AuditLog events\\r\\nlet auditLogEvents = view (startTimeSpan: timespan) {\\r\\n AuditLogs\\r\\n | where TimeGenerated >= ago(auditLookback)\\r\\n | extend ModProps = TargetResources.[0].modifiedProperties\\r\\n | extend IpAddress = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)), \\r\\n tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))\\r\\n | extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\r\\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\r\\n | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\r\\n | mvexpand ModProps\\r\\n | extend PropertyName = tostring(ModProps.displayName), newValue = replace('\\\\\\\"', \\\"\\\", tostring(ModProps.newValue));\\r\\n};\\r\\n// Get just the InitiatedBy and CorrleationId so we can look at associated audit activity\\r\\n// 2 other operations that can be part of malicious activity in this situation are \\r\\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", replace the below if you are interested in those as starting points for OperationName\\r\\nlet HistoricalConsent = auditLogEvents(auditLookback) \\r\\n | where OperationName == \\\"Consent to application\\\"\\r\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() \\r\\n by Type, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, PropertyName, newValue, CorrelationId, Id\\r\\n// Remove comment below to only include operations initiated by a user or app that is above the threshold for the last 30 days\\r\\n//| where OperationCount > 
threshold\\r\\n;\\r\\nlet Correlate = HistoricalConsent \\r\\n | summarize by InitiatedBy, CorrelationId;\\r\\n// 2 other operations that can be part of malicious activity in this situation are \\r\\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", replace the below if you changed the starting OperationName above\\r\\nlet allOtherEvents = auditLogEvents(auditLookback) \\r\\n | where OperationName != \\\"Consent to application\\\";\\r\\n// Gather associated activity based on audit activity for \\\"Consent to application\\\" and InitiatedBy and CorrleationId\\r\\nlet CorrelatedEvents = Correlate \\r\\n | join allOtherEvents on InitiatedBy, CorrelationId\\r\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\r\\n by Type, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, PropertyName, newValue, CorrelationId, Id\\r\\n;\\r\\n// Union the results\\r\\nlet Results = union isfuzzy=true HistoricalConsent, CorrelatedEvents;\\r\\n// newValues that are simple semi-colon separated, make those dynamic for easy viewing and Aggregate into the PropertyUpdate set based on CorrelationId and Id(DirectoryId)\\r\\nResults\\r\\n| extend newValue = split(newValue, \\\";\\\")\\r\\n| extend PropertyUpdate = pack(PropertyName, newValue, \\\"Id\\\", Id)\\r\\n// Extract scope requested\\r\\n| extend perms = tostring(parse_json(tostring(PropertyUpdate.[\\\"ConsentAction.Permissions\\\"]))[0])\\r\\n| extend scope = extract('Scope:\\\\\\\\s*([^,\\\\\\\\]]*)', 1, perms)\\r\\n// Filter out some common openid, and low privilege request scopes - uncomment line below to filter out where no scope is requested\\r\\n//| where isnotempty(scope)\\r\\n| where scope !contains 'openid' and scope !in ('user_impersonation', 'User.Read')\\r\\n| summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), PropertyUpdateSet = make_bag(PropertyUpdate), make_set(scope)\\r\\n by InitiatedBy, IpAddress, TargetResourceName, OperationName, 
CorrelationId\\r\\n| extend StartTime, InitiatedBy, IpAddress\\r\\n| where \\\"{UserPrincipalName:label}\\\" == \\\"All\\\" or InitiatedBy in ({UserPrincipalName})\\r\\n| summarize count() by InitiatedBy\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Suspicious Consent to Application Discovery\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OfficeWorkload\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Results108\",\"styleSettings\":{\"maxWidth\":\"50\"},\"id\":\"276f4e0a-d0e7-4ce2-99d8-b37c3e86dfc7\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAuditLogsVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Audit Logs Group\",\"id\":\"b1147b29-3f12-46fc-a7b6-db44288a5990\"}],\"isLocked\":true,\"fromTemplateId\":\"sentinel-UserWorkbook\",\"context\":{\"ownerId\":\"\"}}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -203,7 +203,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "GDPR Compliance & Data Security",
diff --git a/Solutions/GDPR Compliance & Data Security/ReleaseNotes.md b/Solutions/GDPR Compliance & Data Security/ReleaseNotes.md
index 2eee5690c9c..02745a5349c 100644
--- a/Solutions/GDPR Compliance & Data Security/ReleaseNotes.md
+++ b/Solutions/GDPR Compliance & Data Security/ReleaseNotes.md
@@ -1,3 +1,4 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|-----------------------------------------------------------------------------------------------------|
+| 3.0.1 | 18-11-2025 | Fixing Issue with Defender Portal |
 | 3.0.0 | 08-10-2025 | Initial Solution Release |
\ No newline at end of file
diff --git a/Solutions/GDPR Compliance & Data Security/Workbooks/GDPRComplianceAndDataSecurity.json b/Solutions/GDPR Compliance & Data Security/Workbooks/GDPRComplianceAndDataSecurity.json
index 29907edeeca..e2d91bd122a 100644
--- a/Solutions/GDPR Compliance & Data Security/Workbooks/GDPRComplianceAndDataSecurity.json
+++ b/Solutions/GDPR Compliance & Data Security/Workbooks/GDPRComplianceAndDataSecurity.json
@@ -1,12904 +1,10325 @@ { - "version": "Notebook/1.0", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "version": "KqlParameterItem/1.0", - "name": "DefaultSubscription_Internal", - "type": 1, - "isRequired": true, - "query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId", - "crossComponentResources": [ - "value::selected" - ], - "isHiddenWhenLocked": true, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "id": "314d02bf-4691-43fa-af59-d67073c8b8fa" - }, - { - "id": "e6ded9a1-a83c-4762-938d-5bf8ff3d3d38", - "version": "KqlParameterItem/1.0", - "name": "Subscription", - "type": 6, - "isRequired": true, - "query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)", - "typeSettings": { - "showDefault": false - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "e3225ed0-6210-40a1-b2d0-66e42ffa71d6", - "version": "KqlParameterItem/1.0", - "name": "Workspace", - "type": 5, - "isRequired": true, - "query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| order by name asc\r\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\r\n| mvexpand All limit 100\r\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)", - "crossComponentResources": [ - "{Subscription}" - ], - "typeSettings": { - "showDefault": false - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "15b2c181-7397-43c1-900a-28e175ae8a6f", - "version": "KqlParameterItem/1.0", - "name": "TimeRange", - "type": 4, - "isRequired": true, - "typeSettings": { - "selectableValues": [ - { - "durationMs": 86400000 - }, - { - "durationMs": 172800000 - }, - { - 
"durationMs": 259200000 - }, - { - "durationMs": 604800000 - }, - { - "durationMs": 1209600000 - }, - { - "durationMs": 2592000000 - }, - { - "durationMs": 5184000000 - }, - { - "durationMs": 7776000000 - } - ], - "allowCustom": true - }, - "value": { - "durationMs": 1209600000 - } - } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "Parameter Selectors" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "# [GDPR Compliance & Data Security Workbook for Microsoft Sentinel](https://learn.microsoft.com/en-us/compliance/regulatory/gdpr)\n---\n\nWelcome to the **GDPR(General Data Protection Regulation) Compliance & Data Security Workbook for Microsoft Sentinel**. \nThis workbook helps you **track, visualize and monitor GDPR related requirements** across your enterprise. \nIt consolidates data from **Defender XDR, Microsoft Purview, Azure SQL Databases, Microsoft 365, UEBA and Entra ID solution.**\n\nUse this workbook to:\n- 🔍 Monitor **GDPR and data-theft related alerts and incidents** across Microsoft Defender XDR \n- 🗂 Gain visibility into **data classification and sensitivity labeling coverage** with Microsoft Purview\n- 🗄 Detect **sensitive data queries, anomalous database activity, and unusual access patterns** in Azure SQL Databases\n- ⚠ Investigate **identity risks, anomalous sign-ins, and insider behaviors** with Entra ID and UEBA \n- 📝 Provide **clear audit evidence and compliance reports** across Microsoft 365 and related services" - }, - "name": "text - 2" - } - ] - }, - "customWidth": "78", - "name": "group - 5" - }, - { - "type": 1, - "content": { - "json": "![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) " - }, - "customWidth": "21", - "name": "Microsoft Sentinel Logo" - }, - { - "type": 1, - "content": { - "json": "We’d love to hear your 
feedback! Share it with us [Here](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR5vpbw39GIlPr6oh7FnjxTFUOVhBOFowTFlaT1pOSTAxVDdRT1pIUDlINy4u). ", - "style": "upsell" - }, - "name": "text - 1" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "ac6f7462-59ff-4d82-86b0-0a6eccc35a51", - "version": "KqlParameterItem/1.0", - "name": "UserPrincipalName", - "label": "🔀 User Selector", - "type": 2, - "description": "This filter applies to metrics derived from Microsoft 365, UEBA, and Entra ID data sources.", - "isRequired": true, - "multiSelect": true, - "quote": "'", - "delimiter": ",", - "query": "SigninLogs\r\n| summarize by UserPrincipalName ", - "typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], - "showDefault": false - }, - "timeContext": { - "durationMs": 2592000000 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": [ - "value::all" - ] - } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "User Selector Parameter - Copy" - }, - { - "type": 1, - "content": { - "json": "✅ **How to use this workbook** \r\n\r\nSelect one or more checkboxes below to display the GDPR relevant metrics for the corresponding source (e.g., Security Alerts, Purview, SQL, Microsoft 365).\r\n" - }, - "name": "text - 16" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n\\t{ \\\"Data Sources\\\": \\\"Getting Started\\\", \\\"tab\\\": \\\"Help\\\" },\\r\\n\\t{ \\\"Data Sources\\\": \\\"Security Alerts and Incidents (6)\\\", \\\"tab\\\": \\\"SecurityAlerts\\\" },\\r\\n\\t{ \\\"Data Sources\\\": \\\"Data Loss Prevention (7)\\\", \\\"tab\\\": \\\"DLP\\\" },\\r\\n\\t{ \\\"Data Sources\\\": \\\"Purview Logs (8)\\\", \\\"tab\\\": \\\"PurviewLogs\\\" },\\r\\n\\t{ \\\"Data 
Sources\\\": \\\"Azure SQL Databases (9)\\\", \\\"tab\\\":\\\"AzureSQLDatabases\\\"},\\r\\n\\t{ \\\"Data Sources\\\": \\\"Microsoft 365 Activity (20)\\\", \\\"tab\\\": \\\"M365Activity\\\" },\\r\\n\\t{ \\\"Data Sources\\\": \\\"User & Entity Behavior Analytics (12)\\\", \\\"tab\\\": \\\"UEBA\\\" },\\r\\n\\t{ \\\"Data Sources\\\": \\\"Sign-Ins (12)\\\", \\\"tab\\\": \\\"SignIns\\\" },\\r\\n\\t{ \\\"Data Sources\\\": \\\"Audit Logs (5)\\\", \\\"tab\\\": \\\"AuditLogs\\\" }\\r\\n]\",\"transformers\":null}", - "size": 3, - "exportMultipleValues": true, - "exportedParameters": [ - { - "fieldName": "tab", - "parameterName": "tab2" - } - ], - "queryType": 8, - "gridSettings": { - "formatters": [ - { - "columnMatch": "tab", - "formatter": 5 - } - ] - } - }, - "customWidth": "40", - "name": "Control Family ", - "styleSettings": { - "showBorder": true - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "cbb7a53e-ea3b-44e3-804e-734662e21144", - "version": "KqlParameterItem/1.0", - "name": "isHelpVisible", - "type": 1, - "isHiddenWhenLocked": true, - "criteriaData": [ - { - "criteriaContext": { - "leftOperand": "tab2", - "operator": "contains", - "rightValType": "static", - "rightVal": "Help", - "resultValType": "static", - "resultVal": "true" - } - }, - { - "criteriaContext": { - "operator": "Default", - "rightValType": "param", - "resultValType": "static", - "resultVal": "false" - } - } - ], - "timeContext": { - "durationMs": 86400000 - } - }, - { - "version": "KqlParameterItem/1.0", - "name": "isSecurityAlertsVisible", - "type": 1, - "isHiddenWhenLocked": true, - "criteriaData": [ - { - "criteriaContext": { - "leftOperand": "tab2", - "operator": "contains", - "rightValType": "static", - "rightVal": "SecurityAlerts", - "resultValType": "static", - "resultVal": "true" - } - }, - { - "criteriaContext": { - "operator": "Default", - "rightValType": "param", - "resultValType": "static", - "resultVal": "false" - } - } - ], - 
"timeContext": { - "durationMs": 86400000 - }, - "id": "9ade41e9-0382-49a7-847a-472bfb7e284b" - }, - { - "id": "17988544-c3d6-46c0-9645-2d1ce07d8655", - "version": "KqlParameterItem/1.0", - "name": "isDLPVisible", - "type": 1, - "isHiddenWhenLocked": true, - "criteriaData": [ - { - "criteriaContext": { - "leftOperand": "tab2", - "operator": "contains", - "rightValType": "static", - "rightVal": "DLP", - "resultValType": "static", - "resultVal": "true" - } - }, - { - "criteriaContext": { - "operator": "Default", - "resultValType": "static", - "resultVal": "false" - } - } - ], - "timeContext": { - "durationMs": 86400000 - } - }, - { - "id": "0299a507-8d53-4e80-bc8c-e3aa12522bab", - "version": "KqlParameterItem/1.0", - "name": "isPurviewLogsVisible", - "type": 1, - "isHiddenWhenLocked": true, - "criteriaData": [ - { - "criteriaContext": { - "leftOperand": "tab2", - "operator": "contains", - "rightValType": "static", - "rightVal": "PurviewLogs", - "resultValType": "static", - "resultVal": "true" - } - }, - { - "criteriaContext": { - "operator": "Default", - "resultValType": "static", - "resultVal": "false" - } - } - ] - }, - { - "id": "553d4aff-e76d-418b-9edf-7fdcdacb6e0f", - "version": "KqlParameterItem/1.0", - "name": "isAzureSQLDatabasesVisible", - "type": 1, - "isHiddenWhenLocked": true, - "criteriaData": [ - { - "criteriaContext": { - "leftOperand": "tab2", - "operator": "contains", - "rightValType": "static", - "rightVal": "AzureSQLDatabases", - "resultValType": "static", - "resultVal": "true" - } - }, - { - "criteriaContext": { - "operator": "Default", - "resultValType": "static", - "resultVal": "false" - } - } - ], - "timeContext": { - "durationMs": 86400000 - } - }, - { - "id": "f145d46a-1e01-49ff-99e7-87f6059ed960", - "version": "KqlParameterItem/1.0", - "name": "isM365ActivityVisible", - "type": 1, - "isHiddenWhenLocked": true, - "criteriaData": [ - { - "criteriaContext": { - "leftOperand": "tab2", - "operator": "contains", - "rightValType": "static", - 
"rightVal": "M365Activity", - "resultValType": "static", - "resultVal": "true" - } - }, - { - "criteriaContext": { - "operator": "Default", - "resultValType": "static", - "resultVal": "false" - } - } - ] - }, - { - "version": "KqlParameterItem/1.0", - "name": "isUEBAVisible", - "type": 1, - "isHiddenWhenLocked": true, - "criteriaData": [ - { - "criteriaContext": { - "leftOperand": "tab2", - "operator": "contains", - "rightValType": "static", - "rightVal": "UEBA", - "resultValType": "static", - "resultVal": "true" - } - }, - { - "criteriaContext": { - "operator": "Default", - "rightValType": "param", - "resultValType": "static", - "resultVal": "false" - } - } - ], - "timeContext": { - "durationMs": 86400000 - }, - "id": "70014e2e-d25a-4cca-b78d-b6063795d138" - }, - { - "id": "14403a6f-fb83-492a-bea3-941048e30bb7", - "version": "KqlParameterItem/1.0", - "name": "isSignInsVisible", - "type": 1, - "isHiddenWhenLocked": true, - "criteriaData": [ - { - "criteriaContext": { - "leftOperand": "tab2", - "operator": "contains", - "rightValType": "static", - "rightVal": "SignIns", - "resultValType": "static", - "resultVal": "true" - } - }, - { - "criteriaContext": { - "operator": "Default", - "resultValType": "static", - "resultVal": "false" - } - } - ] - }, - { - "id": "af09b9c4-3218-40de-8a1f-26f4a1c38a19", - "version": "KqlParameterItem/1.0", - "name": "isAuditLogsVisible", - "type": 1, - "isHiddenWhenLocked": true, - "criteriaData": [ - { - "criteriaContext": { - "leftOperand": "tab2", - "operator": "contains", - "rightValType": "static", - "rightVal": "AuditLogs", - "resultValType": "static", - "resultVal": "true" - } - }, - { - "criteriaContext": { - "operator": "Default", - "resultValType": "static", - "resultVal": "false" - } - } - ] - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "10", - "name": "Hidden Parameters Selectors" - }, - { - "type": 12, - 
"content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## 📂 Workbook Structure\r\n\r\nThis workbook is organized into the following sections:\r\n\r\n| Section | Description |\r\n|---------|-------------|\r\n| 🚨 **Security Alerts & Incidents** | Investigate security Alerts & incidents from hosts and resources hosting personal data. |\r\n| 🛡 **Data Loss Prevention (DLP)** | Monitor sensitive data access, leaks, and geolocation-based usage. |\r\n| 🔍 **Purview Logs** | Discover and classify assets, monitor sensitivity labeling, and track data governance. |\r\n| 🗄 **Azure SQL Databases** | Detect anomalies and monitor classified data queries. |\r\n| 📂 **Microsoft 365 Activity** | Monitor sensitive document/email activity. |\r\n| 📊 **UEBA** | Analyze anomalous user & entity behaviors. |\r\n| 👤 **Sign-Ins (Entra ID)** | Track risky sign-ins and monitor identity compliance. |\r\n| 📝 **Audit Logs** | Provide accountability and traceability of administrative activities. |\r\n" - }, - "customWidth": "40", - "name": "text - 2" - }, - { - "type": 1, - "content": { - "json": "" - }, - "customWidth": "10", - "name": "text - 12" - }, - { - "type": 1, - "content": { - "json": "## 🔗 Data Sources & Permissions\r\n\r\nEnsure the following data connectors are enabled and ingested into Microsoft Sentinel:\r\n\r\n### 📂 Data Governance\r\n- ✅ **Microsoft Purview** (data classification & sensitivity logs. PurviewDataSensitivityLogs table) \r\n- ✅ **Microsoft Purview Information Protection** (DLP, labels, document access. MicrosoftPurviewInformationProtection table) \r\n- ✅ **Azure SQL Databases** (classification & anomaly scores. AzureDiagnostics table)\r\n\r\n\r\n### 👤 Identity & Access\r\n- ✅ **Microsoft Entra ID** (Sign-ins. SigninLogs table) \r\n- ✅ **BehaviorAnalytics** (UEBA. BehaviorAnalytics table) \r\n\r\n### 🛡 Security Monitoring\r\n- ✅ **Microsoft 365** (Microsoft 365 activity. 
OfficeActivity table) \r\n- ✅ **SecurityAlert / SecurityIncident** (Microsoft Defender XDR. SecurityAlert and SecurityIncident tables) \r\n- ✅ **AuditLogs** (Entra ID administrative traceability. AuditLogs table) \r\n\r\n📘 [How to configure data connectors in Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/connect-data-sources)\r\n" - }, - "customWidth": "40", - "name": "text - 3" - }, - { - "type": 1, - "content": { - "json": "---\r\n\r\n### 1. Security Alerts and Incidents\r\n\r\nFrom the Azure portal, install the **[Microsoft Defender XDR](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-microsoft365defender)** solution via **Content Hub**. \r\nThen, enable the **Microsoft Defender XDR** data connector to stream security alerts and incidents from Defender products into Microsoft Sentinel. \r\nThese records populate the **`SecurityAlert`** and **`SecurityIncident`** tables. \r\n\r\n⚠️ **Important:** \r\nAll workbook metrics in this section use a **watchlist** to filter only alerts and incidents involving servers that host **personal data**. \r\nYou must configure this watchlist in Sentinel and populate it with the names of your personal data hosting servers.\r\n\r\n#### 📂 Sample Watchlist (GDPR_PersonalData_Assets)\r\n\r\n| HostName |\r\n|------------------------|\r\n| server1 |\r\n| server2 |\r\n| server3 |\r\n| server4 |\r\n\r\n1. Save the watchlist as a CSV or TXT file. \r\n2. In Sentinel → **Configuration > Watchlists**, create a new watchlist (e.g., `GDPR_PersonalData_Assets`). \r\n3. 
Upload the file and confirm `HostName` is recognized as the search key.\r\n\r\nThis allows you to: \r\n- Focus alerts and incidents on GDPR-relevant systems \r\n- Monitor attack tactics and timelines against personal data servers \r\n- Provide auditors with clear evidence of incident detection and response for regulated data \r\n\r\nAll **Security Alerts & Incidents** visuals in this workbook will only display events related to servers listed in this watchlist.\r\n\r\n📘 [Setup guide – Microsoft Defender XDR connector](https://learn.microsoft.com/azure/sentinel/connect-microsoft-365-defender) \r\n📘 [How to create and use watchlists](https://learn.microsoft.com/azure/sentinel/watchlists)\r\n" - }, - "customWidth": "40", - "name": "text - 6" - }, - { - "type": 1, - "content": { - "json": "" - }, - "customWidth": "10", - "name": "text - 5" - }, - { - "type": 1, - "content": { - "json": "---\r\n\r\n### 2. Data Loss Prevention (Microsoft Purview Information Protection)\r\nFrom the Azure portal, install the **[Microsoft Purview Information Protection](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-mip)** solution via **Content Hub**. \r\nThen, enable the **Microsoft Purview Information Protection** data connector to ingest **sensitivity labeling and protection events** into the **`MicrosoftPurviewInformationProtection`** table. 
\r\nWith this configuration, you can: \r\n- Track **sensitivity label adoption and usage trends** \r\n- Monitor **labeled/protected documents and emails** across Microsoft 365 \r\n- Detect **label changes, downgrades, and policy enforcement outcomes** \r\n- Provide auditors with **evidence of applied protections on personal and sensitive data** \r\n\r\n📘 [Setup guide – Microsoft Purview Information Protection connector](https://learn.microsoft.com/azure/sentinel/connect-microsoft-purview)\r\n\r\n---" - }, - "customWidth": "40", - "name": "text - 4" - }, - { - "type": 1, - "content": { - "json": "---\r\n\r\n### 3. Microsoft Purview (Data Classification & Sensitivity Logs)\r\nFrom the Azure portal, install the **[Microsoft Purview](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-azurepurview)** solution via **Content Hub**. \r\nThen, configure the **Microsoft Purview** data connector to stream **Data Classification and Sensitivity scan events** into the **`PurviewDataSensitivityLogs`** table. 
\r\n\r\nWith this configuration, you can: \r\n- Discover **where personal and sensitive data resides** across your cloud resources \r\n- Monitor **assets with classifications and sensitivity labels** over time \r\n- Track **data types and categories** detected by Purview scans \r\n- Provide auditors with **an inventory of sensitive data processing** \r\n\r\n📘 [Setup guide – Microsoft Purview solution](https://learn.microsoft.com/azure/sentinel/purview-solution)\r\n\r\n---" - }, - "customWidth": "40", - "name": "text - 3" - }, - { - "type": 1, + "version": "Notebook/1.0", + "items": [ + { + "type": 9, "content": { - "json": "" + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "version": "KqlParameterItem/1.0", + "name": "DefaultSubscription_Internal", + "type": 1, + "isRequired": true, + "query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId", + "crossComponentResources": [ + "value::selected" + ], + "isHiddenWhenLocked": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "id": "314d02bf-4691-43fa-af59-d67073c8b8fa" + }, + { + "id": "e6ded9a1-a83c-4762-938d-5bf8ff3d3d38", + "version": "KqlParameterItem/1.0", + "name": "Subscription", + "type": 6, + "isRequired": true, + "query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)", + "typeSettings": { + "showDefault": false + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "e3225ed0-6210-40a1-b2d0-66e42ffa71d6", + "version": "KqlParameterItem/1.0", + "name": "Workspace", + "type": 5, + "isRequired": true, + "query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| order by name asc\r\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\r\n| mvexpand All limit 100\r\n| project value = 
tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)", + "crossComponentResources": [ + "{Subscription}" + ], + "typeSettings": { + "showDefault": false + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "15b2c181-7397-43c1-900a-28e175ae8a6f", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "value": { + "durationMs": 1209600000 + } + } + ], + "style": "pills" }, - "customWidth": "10", - "name": "text - 10" - }, - { - "type": 1, + "name": "Parameter Selectors", + "id": "d5e93405-23b9-447d-be94-cf2a82e711ce" + }, + { + "type": 12, "content": { - "json": "\r\n### 4. Azure SQL Databases\r\nFrom the Azure portal, install the **[Azure SQL Database](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/sentinel4sql.sentinel4sql)** solution via **Content Hub**. \r\nThen, connect the **Azure SQL Databases** data connector to stream **audit and diagnostic logs** into Microsoft Sentinel. \r\nThese logs populate the **`AzureDiagnostics`** table (and SQL-specific audit tables if enabled). 
\r\n\r\nWith this configuration, you can: \r\n- Monitor **sensitive queries by label, information type, and principal** \r\n- Detect **anomalous activity and anomaly scores** across databases \r\n- Track **application and IP access to classified data** \r\n- Provide auditors with **evidence of monitoring structured personal data in SQL systems** \r\n\r\n📘 [Setup guide – Configure Azure SQL logging to Sentinel](https://learn.microsoft.com/azure/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure?view=azuresql&tabs=azure-portal)\r\n\r\n---" + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [GDPR Compliance & Data Security Workbook for Microsoft Sentinel](https://learn.microsoft.com/en-us/compliance/regulatory/gdpr)\n---\n\nWelcome to the **GDPR(General Data Protection Regulation) Compliance & Data Security Workbook for Microsoft Sentinel**. \nThis workbook helps you **track, visualize and monitor GDPR related requirements** across your enterprise. 
\nIt consolidates data from **Defender XDR, Microsoft Purview, Azure SQL Databases, Microsoft 365, UEBA and Entra ID solution.**\n\nUse this workbook to:\n- 🔍 Monitor **GDPR and data-theft related alerts and incidents** across Microsoft Defender XDR \n- 🗂 Gain visibility into **data classification and sensitivity labeling coverage** with Microsoft Purview\n- 🗄 Detect **sensitive data queries, anomalous database activity, and unusual access patterns** in Azure SQL Databases\n- ⚠ Investigate **identity risks, anomalous sign-ins, and insider behaviors** with Entra ID and UEBA \n- 📝 Provide **clear audit evidence and compliance reports** across Microsoft 365 and related services" + }, + "name": "text - 2", + "id": "91af6d50-38e6-4e36-993a-88a2bb90ac4e" + } + ] }, - "customWidth": "40", - "name": "text - 8" - }, - { + "customWidth": "78", + "name": "group - 5", + "id": "18f9378c-bc7a-4e72-ba09-6ed0eb41d098" + }, + { "type": 1, "content": { - "json": "### 5. Microsoft 365 Activity\r\n\r\nFrom the Azure portal, install the **[Microsoft 365](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-office365)** solution via **Content Hub**. \r\nThen, enable the **Microsoft 365 (formerly Office 365)** data connector to stream **unified audit logs** into Microsoft Sentinel. \r\nThese logs populate the **`OfficeActivity`** table. 
\r\n\r\nWith this configuration, you can: \r\n- Monitor **user and administrator activity** across Exchange, SharePoint, OneDrive, and Teams \r\n- Detect **risky file sharing, mailbox access by non-owners, and suspicious admin operations** \r\n- Identify **unusual Teams or SharePoint activity** (e.g., mass deletions, uploads from unseen devices) \r\n- Provide auditors with a **comprehensive audit trail of data activity** in Microsoft 365 services\r\n\r\n---" + "json": "![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) " }, - "customWidth": "40", - "name": "text - 9" - }, - { + "customWidth": "21", + "name": "Microsoft Sentinel Logo", + "id": "16eb8261-f3d2-47be-8027-d3c03b0bcba7" + }, + { "type": 1, "content": { - "json": "" + "json": "We’d love to hear your feedback! Share it with us [Here](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR5vpbw39GIlPr6oh7FnjxTFUOVhBOFowTFlaT1pOSTAxVDdRT1pIUDlINy4u). ", + "style": "upsell" }, - "customWidth": "10", - "name": "text - 10" - }, - { - "type": 1, + "name": "text - 1", + "id": "c369fd4b-c2d5-4d96-96ee-3f54f2487829" + }, + { + "type": 9, "content": { - "json": "### 6. User & Entity Behavior Analytics (UEBA)\r\n\r\nFrom the Azure portal, enable **User and Entity Behavior Analytics (UEBA)** in Microsoft Sentinel settings. 
\r\nUEBA builds baselines of user and entity activities and writes enriched risk insights into the **`BehaviorAnalytics`** table.\r\n\r\nThis enables you to: \r\n- Detect anomalous behaviors across users and entities \r\n- Correlate activities across multiple data sources \r\n- Identify potential insider threats and compromised accounts \r\n\r\n📘 [Setup guide](https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics?tabs=azure)\r\n\r\n---" + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "ac6f7462-59ff-4d82-86b0-0a6eccc35a51", + "version": "KqlParameterItem/1.0", + "name": "UserPrincipalName", + "label": "🔀 User Selector", + "type": 2, + "description": "This filter applies to metrics derived from Microsoft 365, UEBA, and Entra ID data sources.", + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "SigninLogs\r\n| summarize by UserPrincipalName ", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ], + "key": "ac6f7462-59ff-4d82-86b0-0a6eccc35a51", + "crossComponentResources": [ + "{Workspace}" + ] + } + ], + "style": "pills" }, - "customWidth": "40", - "name": "text - 11" - }, - { + "name": "User Selector Parameter - Copy", + "id": "315edf6e-917e-40cb-814a-3a60590685c5" + }, + { "type": 1, "content": { - "json": "### 7. Sign-ins and Audit (Microsoft Entra ID)\r\n\r\nFrom the Azure portal, install the **[Microsoft Entra ID](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-azureactivedirectory)** solution via **Content Hub**. 
\r\nThen, enable the **Microsoft Entra ID (Sign-in, Audit Logs)** data connector to stream authentication events into Microsoft Sentinel. \r\n\r\nThese logs populate the **`SigninLogs`** and **`AuditLogs`** table and allow you to: \r\n- Monitor successful vs. failed sign-ins \r\n- Detect risky logins, brute-force attempts, and unusual geolocations \r\n- Investigate access patterns to applications and resources handling personal data\r\n- Monitor changes to users, groups, and applications \r\n- Track administrative actions such as role assignments, policy changes, and resource access grants \r\n- Provide a traceable record of identity-related activities for GDPR accountability \r\n\r\n📘 [Setup guide](https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory)\r\n\r\n---" + "json": "✅ **How to use this workbook** \r\n\r\nSelect one or more checkboxes below to display the GDPR relevant metrics for the corresponding source (e.g., Security Alerts, Purview, SQL, Microsoft 365).\r\n" }, - "customWidth": "40", - "name": "text - 12" - } - ] - }, - "conditionalVisibility": { - "parameterName": "isHelpVisible", - "comparison": "isEqualTo", - "value": "true" - }, - "name": "Overview Group" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, + "name": "text - 16", + "id": "0eaf3675-1559-40ce-b287-817fe0b7b5a2" + }, + { + "type": 3, "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "7afa304d-b448-4d6c-8c54-69e51a7249a9", - "version": "KqlParameterItem/1.0", - "name": "Results113", - "type": 1, - "query": "// Load personal data servers from Sentinel watchlist\r\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\r\n | project HostName = tolower(HostName);\r\nSecurityAlert\r\n| mv-expand Entity = todynamic(Entities)\r\n| extend EntityType = tostring(Entity.Type)\r\n| extend HostName = 
iff(EntityType == \"host\",tolower(tostring(Entity.HostName)), \"\")\r\n| where HostName <> \"\"\r\n// Keep only alerts where HostName is in the watchlist\r\n| join kind=inner (PersonalDataServers) on HostName\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": null + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n\\t{ \\\"Data Sources\\\": \\\"Getting Started\\\", \\\"tab\\\": \\\"Help\\\" },\\r\\n\\t{ \\\"Data Sources\\\": \\\"Security Alerts and Incidents (6)\\\", \\\"tab\\\": \\\"SecurityAlerts\\\" },\\r\\n\\t{ \\\"Data Sources\\\": \\\"Data Loss Prevention (7)\\\", \\\"tab\\\": \\\"DLP\\\" },\\r\\n\\t{ \\\"Data Sources\\\": \\\"Purview Logs (8)\\\", \\\"tab\\\": \\\"PurviewLogs\\\" },\\r\\n\\t{ \\\"Data Sources\\\": \\\"Azure SQL Databases (9)\\\", \\\"tab\\\":\\\"AzureSQLDatabases\\\"},\\r\\n\\t{ \\\"Data Sources\\\": \\\"Microsoft 365 Activity (20)\\\", \\\"tab\\\": \\\"M365Activity\\\" },\\r\\n\\t{ \\\"Data Sources\\\": \\\"User & Entity Behavior Analytics (12)\\\", \\\"tab\\\": \\\"UEBA\\\" },\\r\\n\\t{ \\\"Data Sources\\\": \\\"Sign-Ins (12)\\\", \\\"tab\\\": \\\"SignIns\\\" },\\r\\n\\t{ \\\"Data Sources\\\": \\\"Audit Logs (5)\\\", \\\"tab\\\": \\\"AuditLogs\\\" }\\r\\n]\",\"transformers\":null}", + "size": 3, + "exportMultipleValues": true, + "exportedParameters": [ + { + "fieldName": "tab", + "parameterName": "tab2" + } + ], + "queryType": 8, + "gridSettings": { + "formatters": [ + { + "columnMatch": "tab", + "formatter": 5 + } + ] } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" }, - "customWidth": "33", - "name": 
"Results113", + "customWidth": "40", + "name": "Control Family ", "styleSettings": { - "maxWidth": "33" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "9b6b6d2b-a6d9-46c6-882d-722c0c9d455f", - "version": "KqlParameterItem/1.0", - "name": "Results114", - "type": 1, - "query": "// Load personal data servers from Sentinel watchlist\r\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\r\n| project HostName = tolower(HostName);\r\nSecurityIncident\r\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n | mv-expand AlertIds\r\n | extend AlertId = tostring(AlertIds)\r\n | join kind= innerunique ( \r\n SecurityAlert \r\n )\r\n on $left.AlertId == $right.SystemAlertId\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"host\"\r\n | extend HostName = tolower(tostring(Entities.HostName))\r\n | where Entities[\"HostName\"] <> \"\"\r\n // Keep only alerts where HostName is in the watchlist\r\n | join kind=inner (PersonalDataServers) on HostName\r\n | extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n | summarize DeviceNames = make_set(HostName,10), arg_max(TimeGenerated, *) by IncidentNumber\r\n | parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\r\n | distinct Title, Severity, IncidentBlade, tostring(DeviceNames), TimeGenerated, IncidentNumber\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": null - } - ], - "style": 
"pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "showBorder": true }, - "customWidth": "33", - "name": "Results114" - }, - { + "id": "b7fc1698-a7e5-44ca-a2ac-aae677786a34" + }, + { "type": 9, "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "572e4329-8e88-4492-972a-86267f66f8a2", - "version": "KqlParameterItem/1.0", - "name": "Results115", - "type": 1, - "query": "// Load personal data servers from Sentinel watchlist\r\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\r\n | project HostName = tolower(HostName);\r\nSecurityIncident\r\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n | mv-expand AlertIds\r\n | extend AlertId = tostring(AlertIds)\r\n | join kind= innerunique ( \r\n SecurityAlert \r\n )\r\n on $left.AlertId == $right.SystemAlertId\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | extend EntitiesSet = todynamic(Entities)\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"host\"\r\n | extend HostName = tolower(tostring(Entities.HostName))\r\n | where Entities[\"HostName\"] <> \"\"\r\n // Keep only alerts where HostName is in the watchlist\r\n | join kind=inner (PersonalDataServers) on HostName\r\n | extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n | summarize DeviceNames = make_set(HostName,10), arg_max(TimeGenerated, *) by IncidentNumber\r\n | parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\r\n | mv-expand todynamic(EntitiesSet)\r\n | extend Name = tostring(tolower(EntitiesSet[\"Name\"])), UPNSuffix = tostring(EntitiesSet[\"UPNSuffix\"])\r\n | extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n | where UPN <> \"\"\r\n | summarize count() by UPN\r\n| limit 
1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": null - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "33", - "name": "Results115" - }, - { - "type": 1, - "content": { - "json": "# 🚨 [Security Alerts and Incidents](https://docs.microsoft.com/azure/sentinel/create-incidents-from-alerts)\n---\n\nThis section consolidates security alerts and incidents that may involve systems storing or processing personal data. It supports GDPR obligations for **security of processing (Art. 32)**, **breach notification (Art. 33 & 34)**, and **accountability (Art. 5(2))** by ensuring that organizations can quickly detect, investigate, and respond to threats that impact personal data. \n\nKey objectives of this section: \n- Track **security alerts involving personal data servers** to prioritize investigations of GDPR-relevant risks \n- Monitor **alerts mapped to MITRE ATT&CK® tactics** to understand adversary techniques targeting personal data \n- Review **incident counts and timelines** to measure responsiveness and compliance with breach notification requirements \n- Provide auditors with documented evidence of **security monitoring, incident management, and remediation activities** \n\nBy analyzing these metrics, analysts can ensure that **personal data risks are rapidly identified and addressed**, and that the organization maintains the ability to **demonstrate incident response readiness** in alignment with GDPR." 
- }, - "customWidth": "40", - "name": "text - 2" - }, - { - "type": 1, - "content": { - "json": "" + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "cbb7a53e-ea3b-44e3-804e-734662e21144", + "version": "KqlParameterItem/1.0", + "name": "isHelpVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "tab2", + "operator": "contains", + "rightValType": "static", + "rightVal": "Help", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "isSecurityAlertsVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "tab2", + "operator": "contains", + "rightValType": "static", + "rightVal": "SecurityAlerts", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "9ade41e9-0382-49a7-847a-472bfb7e284b" + }, + { + "id": "17988544-c3d6-46c0-9645-2d1ce07d8655", + "version": "KqlParameterItem/1.0", + "name": "isDLPVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "tab2", + "operator": "contains", + "rightValType": "static", + "rightVal": "DLP", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "0299a507-8d53-4e80-bc8c-e3aa12522bab", + "version": "KqlParameterItem/1.0", + "name": "isPurviewLogsVisible", + "type": 1, + "isHiddenWhenLocked": 
true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "tab2", + "operator": "contains", + "rightValType": "static", + "rightVal": "PurviewLogs", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ] + }, + { + "id": "553d4aff-e76d-418b-9edf-7fdcdacb6e0f", + "version": "KqlParameterItem/1.0", + "name": "isAzureSQLDatabasesVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "tab2", + "operator": "contains", + "rightValType": "static", + "rightVal": "AzureSQLDatabases", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "f145d46a-1e01-49ff-99e7-87f6059ed960", + "version": "KqlParameterItem/1.0", + "name": "isM365ActivityVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "tab2", + "operator": "contains", + "rightValType": "static", + "rightVal": "M365Activity", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ] + }, + { + "version": "KqlParameterItem/1.0", + "name": "isUEBAVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "tab2", + "operator": "contains", + "rightValType": "static", + "rightVal": "UEBA", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "70014e2e-d25a-4cca-b78d-b6063795d138" + }, + { + "id": 
"14403a6f-fb83-492a-bea3-941048e30bb7", + "version": "KqlParameterItem/1.0", + "name": "isSignInsVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "tab2", + "operator": "contains", + "rightValType": "static", + "rightVal": "SignIns", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ] + }, + { + "id": "af09b9c4-3218-40de-8a1f-26f4a1c38a19", + "version": "KqlParameterItem/1.0", + "name": "isAuditLogsVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "tab2", + "operator": "contains", + "rightValType": "static", + "rightVal": "AuditLogs", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ] + } + ], + "style": "pills", + "doNotRunWhenHidden": true }, "customWidth": "10", - "name": "text - 15" - }, - { - "type": 1, - "content": { - "json": "| Security Alerts And Incidents | | |\r\n|:--| - | - |\r\n| Alerts Over Time for Personal Data Hosting Systems | Alerts Details | Alerts by MITRE ATT&CK® Tactics|\r\n| Security Incidents Over Time for Personal Data Hosting Systems | Security Incidents By Users |Security Incidents Details|\r\n\r\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, and Time range. 
Only panels with data are shown.\r\n" - }, - "customWidth": "40", - "name": "SI OV" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "// Load personal data servers from Sentinel watchlist\r\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\r\n | project HostName = tolower(HostName);\r\nSecurityAlert\r\n| mv-expand Entity = todynamic(Entities)\r\n| extend EntityType = tostring(Entity.Type)\r\n| extend HostName = iff(EntityType == \"host\",tolower(tostring(Entity.HostName)), \"\")\r\n| where HostName <> \"\"\r\n// Keep only alerts where HostName is in the watchlist\r\n| join kind=inner (PersonalDataServers) on HostName\r\n| extend DeviceName = HostName, AlertId = SystemAlertId\r\n| summarize by AlertId, AlertName, TimeGenerated\r\n| make-series Alerts = count() on TimeGenerated step 1d by AlertName", - "size": 0, - "title": "Alerts Over Time for Personal Data Hosting Systems", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "timechart" - }, - "conditionalVisibility": { - "parameterName": "Results113", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 1" - }, - { - "type": 3, + "name": "Hidden Parameters Selectors", + "id": "c4d06696-91ee-4436-823b-653fe23fcff4" + }, + { + "type": 12, "content": { - "version": "KqlItem/1.0", - "query": "// Load personal data servers from Sentinel watchlist\r\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\r\n | project HostName = tolower(HostName);\r\nSecurityAlert\r\n| mv-expand Entity = todynamic(Entities)\r\n| extend EntityType = tostring(Entity.Type)\r\n| extend HostName = iff(EntityType == \"host\",tolower(tostring(Entity.HostName)), \"\")\r\n| where HostName <> \"\"\r\n// Keep only alerts where HostName is in the watchlist\r\n| join kind=inner (PersonalDataServers) on HostName\r\n| summarize \r\n AlertName = any(AlertName),\r\n AlertSeverity = 
any(AlertSeverity),\r\n DeviceNames = make_set(HostName,10),\r\n TimeGenerated = any(TimeGenerated)\r\n by AlertId = SystemAlertId, AlertLink\r\n | project-reorder AlertName, AlertSeverity, AlertLink, DeviceNames, TimeGenerated, AlertId\r\n| order by TimeGenerated desc\r\n| take 100", - "size": 0, - "title": "Alerts Details", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "AlertLink", - "formatter": 7, - "formatOptions": { - "linkTarget": "Url", - "linkLabel": "Alert >>" + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## 📂 Workbook Structure\r\n\r\nThis workbook is organized into the following sections:\r\n\r\n| Section | Description |\r\n|---------|-------------|\r\n| 🚨 **Security Alerts & Incidents** | Investigate security Alerts & incidents from hosts and resources hosting personal data. |\r\n| 🛡 **Data Loss Prevention (DLP)** | Monitor sensitive data access, leaks, and geolocation-based usage. |\r\n| 🔍 **Purview Logs** | Discover and classify assets, monitor sensitivity labeling, and track data governance. |\r\n| 🗄 **Azure SQL Databases** | Detect anomalies and monitor classified data queries. |\r\n| 📂 **Microsoft 365 Activity** | Monitor sensitive document/email activity. |\r\n| 📊 **UEBA** | Analyze anomalous user & entity behaviors. |\r\n| 👤 **Sign-Ins (Entra ID)** | Track risky sign-ins and monitor identity compliance. |\r\n| 📝 **Audit Logs** | Provide accountability and traceability of administrative activities. 
|\r\n" + }, + "customWidth": "40", + "name": "text - 2", + "id": "675977e9-69c6-41fb-9e6e-be5427707e91" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "10", + "name": "text - 12", + "id": "177f13b3-3953-4067-94d8-6d2054a3e0b0" + }, + { + "type": 1, + "content": { + "json": "## 🔗 Data Sources & Permissions\r\n\r\nEnsure the following data connectors are enabled and ingested into Microsoft Sentinel:\r\n\r\n### 📂 Data Governance\r\n- ✅ **Microsoft Purview** (data classification & sensitivity logs. PurviewDataSensitivityLogs table) \r\n- ✅ **Microsoft Purview Information Protection** (DLP, labels, document access. MicrosoftPurviewInformationProtection table) \r\n- ✅ **Azure SQL Databases** (classification & anomaly scores. AzureDiagnostics table)\r\n\r\n\r\n### 👤 Identity & Access\r\n- ✅ **Microsoft Entra ID** (Sign-ins. SigninLogs table) \r\n- ✅ **BehaviorAnalytics** (UEBA. BehaviorAnalytics table) \r\n\r\n### 🛡 Security Monitoring\r\n- ✅ **Microsoft 365** (Microsoft 365 activity. OfficeActivity table) \r\n- ✅ **SecurityAlert / SecurityIncident** (Microsoft Defender XDR. SecurityAlert and SecurityIncident tables) \r\n- ✅ **AuditLogs** (Entra ID administrative traceability. AuditLogs table) \r\n\r\n📘 [How to configure data connectors in Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/connect-data-sources)\r\n" + }, + "customWidth": "40", + "name": "text - 3", + "id": "6230ed41-52b4-4edd-bf30-afd06880e9a1" + }, + { + "type": 1, + "content": { + "json": "---\r\n\r\n### 1. Security Alerts and Incidents\r\n\r\nFrom the Azure portal, install the **[Microsoft Defender XDR](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-microsoft365defender)** solution via **Content Hub**. \r\nThen, enable the **Microsoft Defender XDR** data connector to stream security alerts and incidents from Defender products into Microsoft Sentinel. 
\r\nThese records populate the **`SecurityAlert`** and **`SecurityIncident`** tables. \r\n\r\n⚠️ **Important:** \r\nAll workbook metrics in this section use a **watchlist** to filter only alerts and incidents involving servers that host **personal data**. \r\nYou must configure this watchlist in Sentinel and populate it with the names of your personal data hosting servers.\r\n\r\n#### 📂 Sample Watchlist (GDPR_PersonalData_Assets)\r\n\r\n| HostName |\r\n|------------------------|\r\n| server1 |\r\n| server2 |\r\n| server3 |\r\n| server4 |\r\n\r\n1. Save the watchlist as a CSV or TXT file. \r\n2. In Sentinel → **Configuration > Watchlists**, create a new watchlist (e.g., `GDPR_PersonalData_Assets`). \r\n3. Upload the file and confirm `HostName` is recognized as the search key.\r\n\r\nThis allows you to: \r\n- Focus alerts and incidents on GDPR-relevant systems \r\n- Monitor attack tactics and timelines against personal data servers \r\n- Provide auditors with clear evidence of incident detection and response for regulated data \r\n\r\nAll **Security Alerts & Incidents** visuals in this workbook will only display events related to servers listed in this watchlist.\r\n\r\n📘 [Setup guide – Microsoft Defender XDR connector](https://learn.microsoft.com/azure/sentinel/connect-microsoft-365-defender) \r\n📘 [How to create and use watchlists](https://learn.microsoft.com/azure/sentinel/watchlists)\r\n" + }, + "customWidth": "40", + "name": "text - 6", + "id": "9e389ac8-6990-426f-aedd-af37461062ea" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "10", + "name": "text - 5", + "id": "c7c96c97-b9cc-4cc3-9293-9611fb0d4f02" + }, + { + "type": 1, + "content": { + "json": "---\r\n\r\n### 2. 
Data Loss Prevention (Microsoft Purview Information Protection)\r\nFrom the Azure portal, install the **[Microsoft Purview Information Protection](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-mip)** solution via **Content Hub**. \r\nThen, enable the **Microsoft Purview Information Protection** data connector to ingest **sensitivity labeling and protection events** into the **`MicrosoftPurviewInformationProtection`** table. \r\nWith this configuration, you can: \r\n- Track **sensitivity label adoption and usage trends** \r\n- Monitor **labeled/protected documents and emails** across Microsoft 365 \r\n- Detect **label changes, downgrades, and policy enforcement outcomes** \r\n- Provide auditors with **evidence of applied protections on personal and sensitive data** \r\n\r\n📘 [Setup guide – Microsoft Purview Information Protection connector](https://learn.microsoft.com/azure/sentinel/connect-microsoft-purview)\r\n\r\n---" + }, + "customWidth": "40", + "name": "text - 4", + "id": "cd2c259b-03d2-4bf3-a8a0-a6289dea0fd5" + }, + { + "type": 1, + "content": { + "json": "---\r\n\r\n### 3. Microsoft Purview (Data Classification & Sensitivity Logs)\r\nFrom the Azure portal, install the **[Microsoft Purview](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-azurepurview)** solution via **Content Hub**. \r\nThen, configure the **Microsoft Purview** data connector to stream **Data Classification and Sensitivity scan events** into the **`PurviewDataSensitivityLogs`** table. 
\r\n\r\nWith this configuration, you can: \r\n- Discover **where personal and sensitive data resides** across your cloud resources \r\n- Monitor **assets with classifications and sensitivity labels** over time \r\n- Track **data types and categories** detected by Purview scans \r\n- Provide auditors with **an inventory of sensitive data processing** \r\n\r\n📘 [Setup guide – Microsoft Purview solution](https://learn.microsoft.com/azure/sentinel/purview-solution)\r\n\r\n---" + }, + "customWidth": "40", + "name": "text - 3", + "id": "a1ca7950-9c13-48c7-9c78-19946837d5f4" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "10", + "name": "text - 10", + "id": "db66e986-67be-42d5-a264-9daf26d25eb1" + }, + { + "type": 1, + "content": { + "json": "\r\n### 4. Azure SQL Databases\r\nFrom the Azure portal, install the **[Azure SQL Database](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/sentinel4sql.sentinel4sql)** solution via **Content Hub**. \r\nThen, connect the **Azure SQL Databases** data connector to stream **audit and diagnostic logs** into Microsoft Sentinel. \r\nThese logs populate the **`AzureDiagnostics`** table (and SQL-specific audit tables if enabled). \r\n\r\nWith this configuration, you can: \r\n- Monitor **sensitive queries by label, information type, and principal** \r\n- Detect **anomalous activity and anomaly scores** across databases \r\n- Track **application and IP access to classified data** \r\n- Provide auditors with **evidence of monitoring structured personal data in SQL systems** \r\n\r\n📘 [Setup guide – Configure Azure SQL logging to Sentinel](https://learn.microsoft.com/azure/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure?view=azuresql&tabs=azure-portal)\r\n\r\n---" + }, + "customWidth": "40", + "name": "text - 8", + "id": "6125e28b-3e64-4791-a849-6b72bc679ac0" + }, + { + "type": 1, + "content": { + "json": "### 5. 
Microsoft 365 Activity\r\n\r\nFrom the Azure portal, install the **[Microsoft 365](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-office365)** solution via **Content Hub**. \r\nThen, enable the **Microsoft 365 (formerly Office 365)** data connector to stream **unified audit logs** into Microsoft Sentinel. \r\nThese logs populate the **`OfficeActivity`** table. \r\n\r\nWith this configuration, you can: \r\n- Monitor **user and administrator activity** across Exchange, SharePoint, OneDrive, and Teams \r\n- Detect **risky file sharing, mailbox access by non-owners, and suspicious admin operations** \r\n- Identify **unusual Teams or SharePoint activity** (e.g., mass deletions, uploads from unseen devices) \r\n- Provide auditors with a **comprehensive audit trail of data activity** in Microsoft 365 services\r\n\r\n---" + }, + "customWidth": "40", + "name": "text - 9", + "id": "ae0b3116-8c12-4596-a9ba-ea3792d1562a" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "10", + "name": "text - 10", + "id": "c1b6a6a4-6005-4d84-ac02-d1eb660d3ec0" + }, + { + "type": 1, + "content": { + "json": "### 6. User & Entity Behavior Analytics (UEBA)\r\n\r\nFrom the Azure portal, enable **User and Entity Behavior Analytics (UEBA)** in Microsoft Sentinel settings. 
\r\nUEBA builds baselines of user and entity activities and writes enriched risk insights into the **`BehaviorAnalytics`** table.\r\n\r\nThis enables you to: \r\n- Detect anomalous behaviors across users and entities \r\n- Correlate activities across multiple data sources \r\n- Identify potential insider threats and compromised accounts \r\n\r\n📘 [Setup guide](https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics?tabs=azure)\r\n\r\n---" + }, + "customWidth": "40", + "name": "text - 11", + "id": "b88796da-3135-492d-82b2-3840a82b5f10" + }, + { + "type": 1, + "content": { + "json": "### 7. Sign-ins and Audit (Microsoft Entra ID)\r\n\r\nFrom the Azure portal, install the **[Microsoft Entra ID](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/azuresentinel.azure-sentinel-solution-azureactivedirectory)** solution via **Content Hub**. \r\nThen, enable the **Microsoft Entra ID (Sign-in, Audit Logs)** data connector to stream authentication events into Microsoft Sentinel. \r\n\r\nThese logs populate the **`SigninLogs`** and **`AuditLogs`** table and allow you to: \r\n- Monitor successful vs. 
failed sign-ins \r\n- Detect risky logins, brute-force attempts, and unusual geolocations \r\n- Investigate access patterns to applications and resources handling personal data\r\n- Monitor changes to users, groups, and applications \r\n- Track administrative actions such as role assignments, policy changes, and resource access grants \r\n- Provide a traceable record of identity-related activities for GDPR accountability \r\n\r\n📘 [Setup guide](https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory)\r\n\r\n---" + }, + "customWidth": "40", + "name": "text - 12", + "id": "86a55421-827f-4516-8fc9-8a21e0d0d823" } - } ] - } }, "conditionalVisibility": { - "parameterName": "Results113", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 2" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "// Load personal data servers from Sentinel watchlist\r\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\r\n | project HostName = tolower(HostName);\r\nSecurityAlert\r\n| mv-expand Entity = todynamic(Entities)\r\n| extend EntityType = tostring(Entity.Type)\r\n| extend HostName = iff(EntityType == \"host\",tolower(tostring(Entity.HostName)), \"\")\r\n| where HostName <> \"\"\r\n// Keep only alerts where HostName is in the watchlist\r\n| join kind=inner (PersonalDataServers) on HostName\r\n| summarize by Tactics, SystemAlertId\r\n| summarize Count=count() by Tactics\r\n| sort by Count desc", - "size": 0, - "title": "Alerts by MITRE ATT&CK® Tactics", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "Tactics" - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "yellowOrangeRed" - } - }, - "showBorder": false - } - }, - "conditionalVisibility": { - "parameterName": "Results113", - "comparison": 
"isEqualTo", - "value": "Yes" - }, - "name": "query - 3" - }, - { - "type": 3, + "parameterName": "isHelpVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Overview Group", + "id": "ec55cc5d-0d5d-42dc-b6e4-27e80d1a761a" + }, + { + "type": 12, "content": { - "version": "KqlItem/1.0", - "query": "// Load personal data servers from Sentinel watchlist\r\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\r\n | project HostName = tolower(HostName);\r\nSecurityIncident\r\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n | mv-expand AlertIds\r\n | extend AlertId = tostring(AlertIds)\r\n | join kind= innerunique ( \r\n SecurityAlert \r\n )\r\n on $left.AlertId == $right.SystemAlertId\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"host\"\r\n | extend HostName = tolower(tostring(Entities.HostName))\r\n | where Entities[\"HostName\"] <> \"\"\r\n // Keep only alerts where HostName is in the watchlist\r\n | join kind=inner (PersonalDataServers) on HostName\r\n | extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n | summarize DeviceNames = make_set(HostName,10), arg_max(TimeGenerated, *) by IncidentNumber\r\n | parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\r\n | distinct Title, Severity, IncidentBlade, tostring(DeviceNames), TimeGenerated, IncidentNumber\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Title\r\n| render timechart\r\n\r\n\r\n\r\n", - "size": 0, - "showAnalytics": true, - "title": "Security Incidents Over Time for Personal Data Hosting Systems", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - 
], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Severity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "High", - "representation": "redBright", - "text": "{0}{1}" + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 🚨 [Security Alerts and Incidents](https://docs.microsoft.com/azure/sentinel/create-incidents-from-alerts)\n---\n\nThis section consolidates security alerts and incidents that may involve systems storing or processing personal data. It supports GDPR obligations for **security of processing (Art. 32)**, **breach notification (Art. 33 & 34)**, and **accountability (Art. 5(2))** by ensuring that organizations can quickly detect, investigate, and respond to threats that impact personal data. \n\nKey objectives of this section: \n- Track **security alerts involving personal data servers** to prioritize investigations of GDPR-relevant risks \n- Monitor **alerts mapped to MITRE ATT&CK® tactics** to understand adversary techniques targeting personal data \n- Review **incident counts and timelines** to measure responsiveness and compliance with breach notification requirements \n- Provide auditors with documented evidence of **security monitoring, incident management, and remediation activities** \n\nBy analyzing these metrics, analysts can ensure that **personal data risks are rapidly identified and addressed**, and that the organization maintains the ability to **demonstrate incident response readiness** in alignment with GDPR." 
}, - { - "operator": "==", - "thresholdValue": "Medium", - "representation": "orange", - "text": "{0}{1}" + "customWidth": "40", + "name": "text - 2", + "id": "e449e876-adf0-4ed8-9b34-990e88d2db27" + }, + { + "type": 1, + "content": { + "json": "" }, - { - "operator": "==", - "thresholdValue": "Low", - "representation": "yellow", - "text": "{0}{1}" + "customWidth": "10", + "name": "text - 15", + "id": "7a5fbda3-91b3-4caf-b291-f60d420d08f1" + }, + { + "type": 1, + "content": { + "json": "| Security Alerts And Incidents | | |\r\n|:--| - | - |\r\n| Alerts Over Time for Personal Data Hosting Systems | Alerts Details | Alerts by MITRE ATT&CK® Tactics|\r\n| Security Incidents Over Time for Personal Data Hosting Systems | Security Incidents By Users |Security Incidents Details|\r\n\r\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, and Time range. Only panels with data are shown.\r\n" }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "city_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "state_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark", - "text": "{0}{1}" - } - ] + "customWidth": "40", + "name": "SI OV", + "id": "47a7ebe8-e66b-4907-bd7e-1587df919719" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "// Load personal data servers from Sentinel watchlist\r\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\r\n | project HostName = 
tolower(HostName);\r\nSecurityAlert\r\n| mv-expand Entity = todynamic(Entities)\r\n| extend EntityType = tostring(Entity.Type)\r\n| extend HostName = iff(EntityType == \"host\",tolower(tostring(Entity.HostName)), \"\")\r\n| where HostName <> \"\"\r\n// Keep only alerts where HostName is in the watchlist\r\n| join kind=inner (PersonalDataServers) on HostName\r\n| extend DeviceName = HostName, AlertId = SystemAlertId\r\n| summarize by AlertId, AlertName, TimeGenerated\r\n| make-series Alerts = count() on TimeGenerated step 1d by AlertName", + "size": 0, + "title": "Alerts Over Time for Personal Data Hosting Systems", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 1", + "id": "9d62d7c6-10a1-4af0-9979-369d9e33d794" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "// Load personal data servers from Sentinel watchlist\r\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\r\n | project HostName = tolower(HostName);\r\nSecurityAlert\r\n| mv-expand Entity = todynamic(Entities)\r\n| extend EntityType = tostring(Entity.Type)\r\n| extend HostName = iff(EntityType == \"host\",tolower(tostring(Entity.HostName)), \"\")\r\n| where HostName <> \"\"\r\n// Keep only alerts where HostName is in the watchlist\r\n| join kind=inner (PersonalDataServers) on HostName\r\n| summarize \r\n AlertName = any(AlertName),\r\n AlertSeverity = any(AlertSeverity),\r\n DeviceNames = make_set(HostName,10),\r\n TimeGenerated = any(TimeGenerated)\r\n by AlertId = SystemAlertId, AlertLink\r\n | project-reorder AlertName, AlertSeverity, AlertLink, DeviceNames, TimeGenerated, AlertId\r\n| order by TimeGenerated desc\r\n| take 100", + "size": 0, + "title": "Alerts Details", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Alert >>" + } + } + ] + }, + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 2", + "id": "eaaeb5d1-7508-487f-bde6-4abac6499f7c" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "// Load personal data servers from Sentinel watchlist\r\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\r\n | project HostName = tolower(HostName);\r\nSecurityAlert\r\n| mv-expand Entity = todynamic(Entities)\r\n| extend EntityType = tostring(Entity.Type)\r\n| extend HostName = iff(EntityType == \"host\",tolower(tostring(Entity.HostName)), \"\")\r\n| where HostName <> \"\"\r\n// Keep only alerts where HostName is in the watchlist\r\n| join kind=inner (PersonalDataServers) on HostName\r\n| summarize by Tactics, SystemAlertId\r\n| summarize Count=count() by Tactics\r\n| sort by Count desc", + "size": 0, + "title": "Alerts by MITRE ATT&CK® Tactics", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Tactics" + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "yellowOrangeRed" + } + }, + "showBorder": false + }, + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 3", + "id": "27cf741a-a485-4252-b5f8-0f899ce53a71" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "// Load personal data servers from Sentinel watchlist\r\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\r\n | project HostName = tolower(HostName);\r\nSecurityIncident\r\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n | mv-expand AlertIds\r\n | extend AlertId 
= tostring(AlertIds)\r\n | join kind= innerunique ( \r\n SecurityAlert \r\n )\r\n on $left.AlertId == $right.SystemAlertId\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"host\"\r\n | extend HostName = tolower(tostring(Entities.HostName))\r\n | where Entities[\"HostName\"] <> \"\"\r\n // Keep only alerts where HostName is in the watchlist\r\n | join kind=inner (PersonalDataServers) on HostName\r\n | extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n | summarize DeviceNames = make_set(HostName,10), arg_max(TimeGenerated, *) by IncidentNumber\r\n | parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\r\n | distinct Title, Severity, IncidentBlade, tostring(DeviceNames), TimeGenerated, IncidentNumber\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Title\r\n| render timechart\r\n\r\n\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Security Incidents Over Time for Personal Data Hosting Systems", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + 
}, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "UserPrincipalName", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "redBright" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results114e", + "styleSettings": { + "maxWidth": "50" + }, + "id": "71b6c24e-11e3-44e1-a95d-60e5e9ce2e1d" + }, + 
{ + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "// Load personal data servers from Sentinel watchlist\r\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\r\n | project HostName = tolower(HostName);\r\nSecurityIncident\r\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n | mv-expand AlertIds\r\n | extend AlertId = tostring(AlertIds)\r\n | join kind= innerunique ( \r\n SecurityAlert \r\n )\r\n on $left.AlertId == $right.SystemAlertId\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | extend EntitiesSet = todynamic(Entities)\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"host\"\r\n | extend HostName = tolower(tostring(Entities.HostName))\r\n | where Entities[\"HostName\"] <> \"\"\r\n // Keep only alerts where HostName is in the watchlist\r\n | join kind=inner (PersonalDataServers) on HostName\r\n | extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n | summarize DeviceNames = make_set(HostName,10), arg_max(TimeGenerated, *) by IncidentNumber\r\n | parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\r\n | mv-expand todynamic(EntitiesSet)\r\n | extend Name = tostring(tolower(EntitiesSet[\"Name\"])), UPNSuffix = tostring(EntitiesSet[\"UPNSuffix\"])\r\n | extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n | where UPN <> \"\"\r\n | summarize count() by UPN\r\n | render piechart", + "size": 0, + "showAnalytics": true, + "title": "Security Incidents by Users", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ 
+ { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + 
"representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "sortBy": [], + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results113h", + "styleSettings": { + "maxWidth": "50" + }, + "id": "275db2b6-c99e-4b7c-b8ec-c98b009242dd" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "// Load personal data servers from Sentinel watchlist\r\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\r\n | project HostName = tolower(HostName);\r\nSecurityIncident\r\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n | mv-expand AlertIds\r\n | extend AlertId = tostring(AlertIds)\r\n | join kind= innerunique ( \r\n SecurityAlert \r\n )\r\n on $left.AlertId == $right.SystemAlertId\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"host\"\r\n | extend HostName = 
tolower(tostring(Entities.HostName))\r\n | where Entities[\"HostName\"] <> \"\"\r\n // Keep only alerts where HostName is in the watchlist\r\n | join kind=inner (PersonalDataServers) on HostName\r\n | extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n | summarize DeviceNames = make_set(HostName,10), arg_max(TimeGenerated, *) by IncidentNumber\r\n | parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\r\n | distinct Title, Severity, IncidentBlade, tostring(DeviceNames), TimeGenerated, IncidentNumber \r\n | sort by TimeGenerated desc\r\n | limit 100", + "size": 0, + "showAnalytics": true, + "title": "Security Incidents Details", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Title", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Alert", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "Sev0", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "Sev1", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "Sev2", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Sev3", + "text": "{0}{1}" + } + ] + } + }, + { + 
"columnMatch": "IncidentBlade", + "formatter": 7, + "formatOptions": { + "linkTarget": "OpenBlade", + "linkLabel": "Incident >>", + "bladeOpenContext": { + "bladeName": "CaseBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "id", + "source": "column", + "value": "IncidentBlade" + } + ] + } + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true, + "sortBy": [ + { + "itemKey": "IncidentNumber", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "IncidentNumber", + "sortOrder": 2 + } + ], + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + 
"representation": "blueDark" + } + ] + } + } + }, + "name": "Results153", + "id": "499bd55a-968d-4bb1-8b52-661b99ea2af3" } - } ] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "UserPrincipalName", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "count_", - "formatter": 12, - "formatOptions": { - "palette": "redBright" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } }, - "customWidth": "50", "conditionalVisibility": { - "parameterName": "Results114", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results114e", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, + "parameterName": "isSecurityAlertsVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Security Alerts Group", + "id": "648757c4-0b72-4b21-88f8-b6145c713e1f" + }, + { + "type": 12, "content": { - "version": "KqlItem/1.0", - "query": "// Load personal data servers from Sentinel watchlist\r\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\r\n | project HostName = tolower(HostName);\r\nSecurityIncident\r\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n | mv-expand AlertIds\r\n | extend AlertId = tostring(AlertIds)\r\n | join kind= 
innerunique ( \r\n SecurityAlert \r\n )\r\n on $left.AlertId == $right.SystemAlertId\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | extend EntitiesSet = todynamic(Entities)\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"host\"\r\n | extend HostName = tolower(tostring(Entities.HostName))\r\n | where Entities[\"HostName\"] <> \"\"\r\n // Keep only alerts where HostName is in the watchlist\r\n | join kind=inner (PersonalDataServers) on HostName\r\n | extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n | summarize DeviceNames = make_set(HostName,10), arg_max(TimeGenerated, *) by IncidentNumber\r\n | parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\r\n | mv-expand todynamic(EntitiesSet)\r\n | extend Name = tostring(tolower(EntitiesSet[\"Name\"])), UPNSuffix = tostring(EntitiesSet[\"UPNSuffix\"])\r\n | extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n | where UPN <> \"\"\r\n | summarize count() by UPN\r\n | render piechart", - "size": 0, - "showAnalytics": true, - "title": "Security Incidents by Users", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UPN", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Severity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "High", - "representation": "redBright", - "text": "{0}{1}" + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + 
{ + "type": 1, + "content": { + "json": "# 🛡 [Data Loss Prevention](https://docs.microsoft.com/microsoft-365/solutions/information-protection-deploy)\n---\n\nThis section helps you monitor and control the **movement of sensitive and personal data**, directly supporting GDPR principles of **data protection by design (Art. 25)** and **security of processing (Art. 32)**. \n\nKey objectives of this section: \n- Track **where sensitive data is accessed** and from which geolocations \n- Detect and investigate **potential leaks or unauthorized transfers** of personal data \n- Measure **label-based access patterns** (sensitivity labels applied through Microsoft Information Protection) \n- Provide evidence of **preventive and detective controls** for GDPR audits \n\nBy monitoring these metrics, you can quickly identify risky behaviors such as **unusual data access locations**, **exfiltration attempts**, or **leak alerts**, and take corrective actions to protect personal data.\n" }, - { - "operator": "==", - "thresholdValue": "Medium", - "representation": "orange", - "text": "{0}{1}" + "customWidth": "40", + "name": "text - 2", + "id": "2b9f2765-146e-4b7b-a0ad-e27437dd6e0a" + }, + { + "type": 1, + "content": { + "json": "" }, - { - "operator": "==", - "thresholdValue": "Low", - "representation": "yellow", - "text": "{0}{1}" + "customWidth": "10", + "name": "text - 12", + "id": "b9a4cebc-f973-4c1b-a146-6f6b099cd2f7" + }, + { + "type": 1, + "content": { + "json": "| Data Loss Prevention | | |\r\n|:--| - | - |\r\n| Sensitive Label Access by Geolocations | Sensitive Label Access by Geolocation Details | Sensitive Data Alerts over Time|\r\n| Sensitive Data Alert Details | Data Access by Sensitivity Labels Over Time | Data Access by Sensitivity Label |\r\n|Sensitive Data Access Details|\r\n\r\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, and Time range. Only panels with data are shown. 
\r\n" }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "AlertName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "3", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "ProductName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "uninitialized", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "yellowOrangeRed" - } - }, - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "city_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "state_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "sortBy": [], - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } 
- }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results115", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results113h", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "// Load personal data servers from Sentinel watchlist\r\nlet PersonalDataServers = _GetWatchlist('GDPR_PersonalData_Assets')\r\n | project HostName = tolower(HostName);\r\nSecurityIncident\r\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n | mv-expand AlertIds\r\n | extend AlertId = tostring(AlertIds)\r\n | join kind= innerunique ( \r\n SecurityAlert \r\n )\r\n on $left.AlertId == $right.SystemAlertId\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"host\"\r\n | extend HostName = tolower(tostring(Entities.HostName))\r\n | where Entities[\"HostName\"] <> \"\"\r\n // Keep only alerts where HostName is in the watchlist\r\n | join kind=inner (PersonalDataServers) on HostName\r\n | extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n | summarize DeviceNames = make_set(HostName,10), arg_max(TimeGenerated, *) by IncidentNumber\r\n | parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\r\n | distinct Title, Severity, IncidentBlade, 
tostring(DeviceNames), TimeGenerated, IncidentNumber \r\n | sort by TimeGenerated desc\r\n | limit 100", - "size": 0, - "showAnalytics": true, - "title": "Security Incidents Details", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Title", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Alert", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Severity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "High", - "representation": "Sev0", - "text": "{0}{1}" + "customWidth": "50", + "name": "text - 13", + "id": "055c492b-defb-4483-bd6d-9f960e128008" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MicrosoftPurviewInformationProtection\r\n| extend UserPrincipalName = UserId\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| where LabelName <> \"\"\r\n// 🔎 Filter out common or non-critical labels here (example excludes \"General\").\r\n// Update the list inside !in(...) 
and uncomment below line to exclude labels that are considered low-sensitivity in your org.\r\n// | where LabelName !in (\"General\")\r\n| join (SigninLogs) on UserPrincipalName\r\n| extend City = tostring(LocationDetails.city)\r\n| extend State = tostring(LocationDetails.state)\r\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\r\n| project Location", + "size": 3, + "showAnalytics": true, + "title": "Sensitive Label Access by Geolocations", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "map", + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "warning", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UncommonActionVolume", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "UncommonAction", + "formatter": 4, + "formatOptions": { + "palette": "green" + } + }, + { + "columnMatch": "FirstTimeUserAction", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "FirstTimeDeviceLogon", + "formatter": 4, + "formatOptions": { + "palette": "yellow" + } + }, + { + "columnMatch": "IncidentCount", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "AlertCount", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "AnomalyCount", + "formatter": 8, + "formatOptions": { + "palette": "yellow" + } + } + ] + }, + "sortBy": [], + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + 
"numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "latitude_", + "longitude": "longitude_", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "labelSettings": "city_", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "yellow" + } + ] + } + } }, - { - "operator": "==", - "thresholdValue": "Medium", - "representation": "Sev1", - "text": "{0}{1}" + "customWidth": "60", + "name": "query - 12", + "id": "fd6660f3-742e-4c91-ae48-c48dc42a67e0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MicrosoftPurviewInformationProtection\r\n| extend UserPrincipalName = UserId\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| where LabelName <> \"\"\r\n// 🔎 Filter out common or non-critical labels here (example excludes \"General\").\r\n// Update the list inside !in(...) 
and uncomment below line to exclude labels that are considered low-sensitivity in your org.\r\n// | where LabelName !in (\"General\")\r\n| join (SigninLogs) on UserPrincipalName\r\n| extend City = tostring(LocationDetails.city)\r\n| extend State = tostring(LocationDetails.state)\r\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\r\n| summarize count() by UserPrincipalName, LabelName, City, State, Country_Region\r\n| sort by count_ desc\r\n| limit 100\r\n", + "size": 0, + "showAnalytics": true, + "title": "Sensitive Label Access by Geolocation Details", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "LabelName_s", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Sev2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "City", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "State", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Country_Region", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": 
null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "yellow" + } + }, + { + "columnMatch": "UncommonActionVolume", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "UncommonAction", + "formatter": 4, + "formatOptions": { + "palette": "green" + } + }, + { + "columnMatch": "FirstTimeUserAction", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "FirstTimeDeviceLogon", + "formatter": 4, + "formatOptions": { + "palette": "yellow" + } + }, + { + "columnMatch": "IncidentCount", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "AlertCount", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "AnomalyCount", + "formatter": 8, + "formatOptions": { + "palette": "yellow" + } + } + ], + "filter": true + }, + "sortBy": [], + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "latitude_", + "longitude": "longitude_", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "labelSettings": "city_", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "turquoise" + } + 
] + } + } }, - { - "operator": "==", - "thresholdValue": "Low", - "representation": "Sev2", - "text": "{0}{1}" + "customWidth": "40", + "name": "query - 12", + "id": "9f11b289-afb2-4707-bf14-b0175f10974e" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityAlert\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"]), UserPrincipalName = tostring(Entities[\"UserPrincipalName\"])\r\n | extend UPN = coalesce (UserPrincipalName, iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\"))\r\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n| extend UserPrincipalName = UPN\r\n| where UserPrincipalName in ({UserPrincipalName})\r\n| distinct AlertName, ProductName, Status, AlertLink, UserPrincipalName, Tactics, TimeGenerated\r\n| where (AlertName contains \"sensitive\" or AlertName contains \"leak\" or AlertName contains \"theft\" or AlertName contains \"steal\" or AlertName contains \"PII\" or AlertName contains \"intellectual\" or AlertName contains \"confidential\" or AlertName contains \"spill\") or (Tactics contains \"exfil\")\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by AlertName\r\n| render timechart", + "size": 0, + "title": "Sensitive Data Alerts over Time", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + 
"crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Alert >" + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", 
+ "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "Sev3", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "IncidentBlade", - "formatter": 7, - "formatOptions": { - "linkTarget": "OpenBlade", - "linkLabel": "Incident >>", - "bladeOpenContext": { - "bladeName": "CaseBlade", - "extensionName": "Microsoft_Azure_Security_Insights", - "bladeParameters": [ - { - "name": "id", - "source": "column", - "value": "IncidentBlade" - } - ] - } - } - }, - { - "columnMatch": "UPN", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", 
- "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "ProductName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "uninitialized", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true, - "sortBy": [ - { - "itemKey": "IncidentNumber", - "sortOrder": 2 - } - ] - }, - "sortBy": [ - { - "itemKey": "IncidentNumber", - "sortOrder": 2 - } - ], - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "conditionalVisibility": { - "parameterName": "Results114", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results153" - } - ] - }, - "conditionalVisibility": { - "parameterName": "isSecurityAlertsVisible", - "comparison": "isEqualTo", - "value": "true" - }, - "name": "Security Alerts Group" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": 
"# 🛡 [Data Loss Prevention](https://docs.microsoft.com/microsoft-365/solutions/information-protection-deploy)\n---\n\nThis section helps you monitor and control the **movement of sensitive and personal data**, directly supporting GDPR principles of **data protection by design (Art. 25)** and **security of processing (Art. 32)**. \n\nKey objectives of this section: \n- Track **where sensitive data is accessed** and from which geolocations \n- Detect and investigate **potential leaks or unauthorized transfers** of personal data \n- Measure **label-based access patterns** (sensitivity labels applied through Microsoft Information Protection) \n- Provide evidence of **preventive and detective controls** for GDPR audits \n\nBy monitoring these metrics, you can quickly identify risky behaviors such as **unusual data access locations**, **exfiltration attempts**, or **leak alerts**, and take corrective actions to protect personal data.\n" - }, - "customWidth": "40", - "name": "text - 2" - }, - { - "type": 1, - "content": { - "json": "" - }, - "customWidth": "10", - "name": "text - 12" - }, - { - "type": 1, - "content": { - "json": "| Data Loss Prevention | | |\r\n|:--| - | - |\r\n| Sensitive Label Access by Geolocations | Sensitive Label Access by Geolocation Details | Sensitive Data Alerts over Time|\r\n| Sensitive Data Alert Details | Data Access by Sensitivity Labels Over Time | Data Access by Sensitivity Label |\r\n|Sensitive Data Access Details|\r\n\r\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, and Time range. Only panels with data are shown. 
\r\n" - }, - "customWidth": "50", - "name": "text - 13" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "7afa304d-b448-4d6c-8c54-69e51a7249a9", - "version": "KqlParameterItem/1.0", - "name": "Results305", - "type": 1, - "query": "SecurityAlert\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"])\r\n | extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n| extend UserPrincipalName = UPN\r\n| distinct AlertName, ProductName, Status, AlertLink, UserPrincipalName, Tactics, TimeGenerated\r\n| where AlertName contains \"sensitive\" or AlertName contains \"data\" or AlertName contains \"leak\" or Tactics contains \"exfil\" or AlertName contains \"theft\" or AlertName contains \"steal\" or AlertName contains \"PII\" or AlertName contains \"intellectual\" or AlertName contains \"confidential\" or AlertName contains \"spill\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - 
"resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "10", - "name": "Results305", - "styleSettings": { - "maxWidth": "10" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "04a06f0b-7190-4af9-9d04-473d54a3f923", - "version": "KqlParameterItem/1.0", - "name": "Results306", - "type": 1, - "query": "MicrosoftPurviewInformationProtection\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "10", - "name": "Results306", - "styleSettings": { - "maxWidth": "10" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "84d1a90a-923f-4fe1-88a0-b5603f0530b6", - "version": "KqlParameterItem/1.0", - "name": "Results307", - "type": 1, - "query": "MicrosoftPurviewInformationProtection\r\n| extend UserPrincipalName = UserId\r\n| where LabelName <> \"\"\r\n| join (SigninLogs) on UserPrincipalName\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" 
- }, - "customWidth": "50", - "name": "Results307" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "MicrosoftPurviewInformationProtection\r\n| extend UserPrincipalName = UserId\r\n| where LabelName <> \"\"\r\n// 🔎 Filter out common or non-critical labels here (example excludes \"General\").\r\n// Update the list inside !in(...) and uncomment below line to exclude labels that are considered low-sensitivity in your org.\r\n// | where LabelName !in (\"General\")\r\n| join (SigninLogs) on UserPrincipalName\r\n| extend City = tostring(LocationDetails.city)\r\n| extend State = tostring(LocationDetails.state)\r\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\r\n| project Location", - "size": 3, - "showAnalytics": true, - "title": "Sensitive Label Access by Geolocations", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "map", - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "warning", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "UncommonActionVolume", - "formatter": 4, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "UncommonAction", - "formatter": 4, - "formatOptions": { - "palette": "green" - } - }, - { - "columnMatch": "FirstTimeUserAction", - "formatter": 4, - "formatOptions": { - "palette": "blue" - } - }, - { - "columnMatch": "FirstTimeDeviceLogon", - "formatter": 4, - "formatOptions": { - "palette": "yellow" - } - }, - { - "columnMatch": "IncidentCount", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "AlertCount", - "formatter": 8, - "formatOptions": { - 
"palette": "orange" - } - }, - { - "columnMatch": "AnomalyCount", - "formatter": 8, - "formatOptions": { - "palette": "yellow" + "name": "305", + "id": "d17aebc0-23e9-4449-9b22-22e352e8d6a5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityAlert\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"]), UserPrincipalName = tostring(Entities[\"UserPrincipalName\"])\r\n | extend UPN = coalesce (UserPrincipalName, iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\"))\r\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n| extend UserPrincipalName = UPN\r\n| where UserPrincipalName in ({UserPrincipalName})\r\n| distinct UserPrincipalName, AlertName, ProductName, Status, AlertLink, Tactics, TimeGenerated\r\n| where (AlertName contains \"sensitive\" or AlertName contains \"leak\" or AlertName contains \"theft\" or AlertName contains \"steal\" or AlertName contains \"PII\" or AlertName contains \"intellectual\" or AlertName contains \"confidential\" or AlertName contains \"spill\") or (Tactics contains \"exfil\")\r\n| sort by TimeGenerated desc\r\n| limit 100", + "size": 0, + "title": "Sensitive Data Alert Details", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "AlertName", + 
"formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Alert >" + } + }, + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": 
"city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "name": "305b", + "id": "fd8e2b0b-cfe9-4b5f-a8f3-0b62bab32389" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MicrosoftPurviewInformationProtection\r\n| where LabelName <> \"\"\r\n| extend UserPrincipalName = UserId\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| extend CommonProperties = parse_json(Common)\r\n| extend ApplicationName = tostring(CommonProperties.ApplicationName)\r\n| make-series 
count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by LabelName, ApplicationName\r\n| render timechart", + "size": 0, + "title": "Data Access by Sensitivity Labels Over Time", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Alert >" + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + 
"linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "306a", + "id": "f85c6d36-759e-4770-837d-bd9ae4fddd8b" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MicrosoftPurviewInformationProtection\r\n| where LabelName <> \"\"\r\n| extend 
UserPrincipalName = UserId\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n// 🔎 Filter out common or non-critical labels here (example excludes \"General\").\r\n// Update the list inside !in(...) and uncomment below line to exclude labels that are considered low-sensitivity in your org.\r\n// | where LabelName !in (\"General\")\r\n| summarize count() by LabelName\r\n| render piechart", + "size": 0, + "title": "Data Access by Sensitivity Label", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Alert >" + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + 
"formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + 
"representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "306b", + "id": "6d80e906-b3f3-491a-bff1-05852909a393" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MicrosoftPurviewInformationProtection\r\n| where LabelName <> \"\"\r\n| extend UserPrincipalName = UserId\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| extend CommonProperties = parse_json(Common)\r\n| extend ApplicationName = tostring(CommonProperties.ApplicationName)\r\n| extend properties = parse_json(ProtectionEventData)\r\n| extend ProtectionOwner = tostring(properties.ProtectionOwner)\r\n| extend IsProtected = tostring(properties.IsProtected)\r\n| distinct UserId, LabelName, ApplicationName, Operation, IsProtected, Platform, ProtectionOwner, TimeGenerated\r\n| sort by TimeGenerated desc\r\n| limit 100\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Sensitive Data Access Details", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId_s", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + 
"representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Alert >" + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { 
+ "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "name": "Results306c", + "id": "9919f866-a43e-449e-b8aa-fe91397c95d5" } - } ] - }, - "sortBy": [], - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "latitude_", - "longitude": "longitude_", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "labelSettings": "city_", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "yellow" - } - ] - } - } - }, - "customWidth": "60", - "conditionalVisibility": { - "parameterName": "Results307", - "comparison": "isEqualTo", - 
"value": "Yes" - }, - "name": "query - 12" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "MicrosoftPurviewInformationProtection\r\n| extend UserPrincipalName = UserId\r\n| where LabelName <> \"\"\r\n// 🔎 Filter out common or non-critical labels here (example excludes \"General\").\r\n// Update the list inside !in(...) and uncomment below line to exclude labels that are considered low-sensitivity in your org.\r\n// | where LabelName !in (\"General\")\r\n| join (SigninLogs) on UserPrincipalName\r\n| extend City = tostring(LocationDetails.city)\r\n| extend State = tostring(LocationDetails.state)\r\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\r\n| summarize count() by UserPrincipalName, LabelName, City, State, Country_Region\r\n| sort by count_ desc\r\n| limit 100\r\n", - "size": 0, - "showAnalytics": true, - "title": "Sensitive Label Access by Geolocation Details", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "LabelName_s", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Sev2", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "City", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Globe", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "State", - "formatter": 18, - "formatOptions": { - 
"thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Globe", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Country_Region", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Globe", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 4, - "formatOptions": { - "palette": "yellow" - } - }, - { - "columnMatch": "UncommonActionVolume", - "formatter": 4, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "UncommonAction", - "formatter": 4, - "formatOptions": { - "palette": "green" - } - }, - { - "columnMatch": "FirstTimeUserAction", - "formatter": 4, - "formatOptions": { - "palette": "blue" - } - }, - { - "columnMatch": "FirstTimeDeviceLogon", - "formatter": 4, - "formatOptions": { - "palette": "yellow" - } - }, - { - "columnMatch": "IncidentCount", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "AlertCount", - "formatter": 8, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "AnomalyCount", - "formatter": 8, - "formatOptions": { - "palette": "yellow" - } - } - ], - "filter": true - }, - "sortBy": [], - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "latitude_", - "longitude": "longitude_", - "sizeSettings": 
"Location", - "sizeAggregation": "Count", - "labelSettings": "city_", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "turquoise" - } - ] - } - } }, - "customWidth": "40", "conditionalVisibility": { - "parameterName": "Results307", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 12" - }, - { - "type": 3, + "parameterName": "isDLPVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "DLP", + "id": "c1402010-eaae-40d6-b550-74a4192db2b4" + }, + { + "type": 12, "content": { - "version": "KqlItem/1.0", - "query": "SecurityAlert\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"]), UserPrincipalName = tostring(Entities[\"UserPrincipalName\"])\r\n | extend UPN = coalesce (UserPrincipalName, iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\"))\r\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n| extend UserPrincipalName = UPN\r\n| where UserPrincipalName in ({UserPrincipalName})\r\n| distinct AlertName, ProductName, Status, AlertLink, UserPrincipalName, Tactics, TimeGenerated\r\n| where (AlertName contains \"sensitive\" or AlertName contains \"leak\" or AlertName contains \"theft\" or AlertName contains \"steal\" or AlertName contains \"PII\" or AlertName contains 
\"intellectual\" or AlertName contains \"confidential\" or AlertName contains \"spill\") or (Tactics contains \"exfil\")\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by AlertName\r\n| render timechart", - "size": 0, - "title": "Sensitive Data Alerts over Time", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "AlertName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "3", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Severity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "High", - "representation": "red", - "text": "{0}{1}" + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## 🔍 Purview Logs\r\n\r\nThis section provides visibility into the **classification and labeling of personal and sensitive data** across your Azure and Microsoft 365 environment. It directly supports GDPR principles of **lawfulness, fairness, transparency, and accountability (Art. 5)** as well as requirements for **records of processing activities (Art. 30)** and **data protection by design and by default (Art. 25)**. 
\r\n\r\nKey objectives of this section: \r\n- Track **classified Azure sources by region** to understand where personal data is stored and processed \r\n- Monitor the **volume and types of classified assets** across different resource types \r\n- Drill down to the **asset and file level** to validate that personal data is discovered and properly classified \r\n- Assess the application of **sensitivity labels** to ensure data is protected according to organizational policy \r\n- Provide auditors with clear evidence of **data inventory and classification coverage** \r\n\r\nBy reviewing these metrics, analysts can verify that **data discovery, classification, and labeling controls** are functioning as required, and quickly spot gaps where sensitive data may not be properly governed.\r\n" }, - { - "operator": "==", - "thresholdValue": "Medium", - "representation": "orange", - "text": "{0}{1}" + "customWidth": "40", + "name": "text - 12", + "id": "e68610b7-947a-40d7-a979-96d8cb48bba3" + }, + { + "type": 1, + "content": { + "json": "" }, - { - "operator": "==", - "thresholdValue": "Low", - "representation": "yellow", - "text": "{0}{1}" + "customWidth": "10", + "name": "text - 13", + "id": "694443a2-b1ac-443c-b19f-758195e96019" + }, + { + "type": 1, + "content": { + "json": "| Purview Logs | | |\r\n|:--| - | - |\r\n| Classified Azure Sources by Region | Total Classified Assets by Resource Type | Select 'Data Source' below to view Assets Drilldown |\r\n| Assets Drilldown | Classifications by Asset Count and File Size |Classifications Drilldown- Asset Level|\r\n|Sensitivity Labels by Asset Count and File Size|Sensitivity Labels Drilldown- Asset Level|\r\n\r\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range, Purview Account, Source Collectiona and Resource Type. 
Only panels with data are shown.\r\n" }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "ProductName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "uninitialized", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "AlertLink", - "formatter": 7, - "formatOptions": { - "linkTarget": "Url", - "linkLabel": "Go to Alert >" - } - }, - { - "columnMatch": "UPN", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "2", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "IncidentUrl", - "formatter": 7, - "formatOptions": { - "linkTarget": "Url", - "linkLabel": "Go to Incident >" + "customWidth": "40", + "name": "text - 14", + "id": "76aa6d4b-d4ab-4b2a-8267-1886d63cb40b" }, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - }, - { - "columnMatch": "city_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "state_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - 
"maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "a5b9cb0c-6219-4782-a10d-1370a8a6edb4", + "version": "KqlParameterItem/1.0", + "name": "PurviewAccount", + "label": "Purview Account", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "PurviewDataSensitivityLogs\r\n|distinct PurviewAccountName", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "All", + "showDefault": false + }, + "timeContext": { + "durationMs": 2592000000 + }, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "ea62a59c-3799-400d-a7af-f0ad14cc46c7", + "version": "KqlParameterItem/1.0", + "name": "Collection", + "label": "Source Collection", + "type": 2, + "isRequired": true, + "isGlobal": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\"\r\n| distinct SourceCollectionName \r\n| extend Collection = iff(SourceCollectionName == \"\",\"No Collection\", SourceCollectionName)\r\n| project Collection", + "crossComponentResources": [ + 
"{Workspace}" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "817265c3-f308-44e0-a24c-33dac7ee2c91", + "version": "KqlParameterItem/1.0", + "name": "DataSource", + "label": "Resource Type", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "", + "delimiter": ",", + "query": "PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\"\r\n| distinct SourceType ", + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "timeContext": { + "durationMs": 2592000000 + }, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills" + }, + "name": "parameters - 0", + "id": "308895e1-dab9-42fa-8515-b24e7bdf997b" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let NumberofSourcesByRegion = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| where SourceType contains \"Azure\"\r\n// GDPR filter: keep only sources with classification or sensitivity label\r\n| where array_length(todynamic(Classification)) > 0 or array_length(todynamic(SensitivityLabel)) > 0\r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| distinct SourcePath, SourceRegion\r\n| summarize AssetCount = count() by SourceRegion;\r\nNumberofSourcesByRegion", + "size": 0, + "title": "Classified Azure Sources by 
Region", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "map", + "mapSettings": { + "locInfo": "AzureLoc", + "locInfoColumn": "SourceRegion", + "sizeSettings": "AssetCount", + "sizeAggregation": "Sum", + "legendMetric": "AssetCount", + "legendAggregation": "Sum", + "itemColorSettings": { + "nodeColorField": "AssetCount", + "colorAggregation": "Sum", + "type": "heatmap", + "heatmapPalette": "greenRed" + } + } + }, + "customWidth": "50", + "name": "query - 2", + "id": "08c858ab-4c4c-482d-84b8-e915987804a2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let MostRecentScanLogs = PurviewDataSensitivityLogs\r\n | where ActivityType == \"Classification\" \r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType ;\r\nlet AllAssets = MostRecentScanLogs\r\n | summarize AssetCount = count() by SourceType;\r\nlet ClassifiedAssets = MostRecentScanLogs\r\n | where Classification != \"[]\"\r\n | summarize AssetClassifiedCount = count() by SourceType;\r\nlet ClassifiedAssetsByResourceType = AllAssets\r\n | join kind= leftouter ClassifiedAssets on SourceType\r\n | extend AssetCount = strcat(AssetCount, \" assets found in total\")\r\n | project SourceType, AssetCount, AssetClassifiedCount;\r\nClassifiedAssetsByResourceType", + "size": 0, + "title": "Total Classified Assets by Resource Type", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": 
{ + "titleContent": { + "columnMatch": "SourceType", + "formatter": 16, + "formatOptions": { + "showIcon": true + } + }, + "leftContent": { + "columnMatch": "AssetClassifiedCount", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + }, + "emptyValCustomText": "0" + } + }, + "secondaryContent": { + "columnMatch": "AssetCount" + }, + "showBorder": true + }, + "mapSettings": { + "locInfo": "LatLong", + "sizeSettings": "AssetClassifiedCount", + "sizeAggregation": "Sum", + "legendMetric": "AssetClassifiedCount", + "legendAggregation": "Sum", + "itemColorSettings": { + "type": "heatmap", + "colorAggregation": "Sum", + "nodeColorField": "AssetClassifiedCount", + "heatmapPalette": "greenRed" + } + } + }, + "customWidth": "50", + "name": "query - 25", + "id": "a0ad7be5-354e-4cda-94aa-2f9c1fb7096a" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let MostRecentScanLogs = PurviewDataSensitivityLogs\r\n | where ActivityType == \"Classification\"\r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName) \r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType ;\r\nlet AllAssets = MostRecentScanLogs\r\n| summarize AssetCount = count() by DataSource = SourcePath, SourceRegion, SourceType;\r\nlet ClassifiedAssets = MostRecentScanLogs\r\n| where Classification != \"[]\"\r\n| summarize AssetClassifiedCount = count() by DataSource = SourcePath, SourceRegion, 
SourceType;\r\nlet AssetsDrilldown = AllAssets\r\n| join kind= leftouter ClassifiedAssets on DataSource, SourceType\r\n| extend PathName = substring(DataSource, 1)\r\n| extend ClassifiedPercentage = round((100.0 * AssetClassifiedCount / AssetCount),1)\r\n| project DataSource, SourceRegion, SourceType, ClassifiedPercentage, AssetClassifiedCount, AssetCount, PathName;\r\nAssetsDrilldown", + "size": 0, + "showAnalytics": true, + "title": "Select 'Data Source' below to view Assets Drilldown", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportFieldName": "PathName", + "exportParameterName": "UserSelectedDataSource", + "exportDefaultValue": "All", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "DataSource", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "25ch" + } + }, + { + "columnMatch": "ClassifiedPercentage", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "20ch" + }, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 1 + } + } + }, + { + "columnMatch": "AssetClassifiedCount", + "formatter": 2, + "formatOptions": { + "customColumnWidthSetting": "20ch" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "0" + } + }, + { + "columnMatch": "AssetCount", + "formatter": 2, + "formatOptions": { + "customColumnWidthSetting": "20ch" + } + }, + { + "columnMatch": "PathName", + "formatter": 5 + } + ], + "filter": true, + "sortBy": [ + { + "itemKey": "SourceType", + "sortOrder": 2 + } + ], + "labelSettings": [ + { + "columnId": "DataSource", + "label": "Data Source" + }, + { + "columnId": "SourceRegion", + "label": "Source Region" + }, + { + "columnId": "SourceType", + "label": "Source Type" + }, + { + "columnId": "ClassifiedPercentage", + "label": "% Classified" + }, + { + "columnId": 
"AssetClassifiedCount", + "label": "Classified Assets" + }, + { + "columnId": "AssetCount", + "label": "Total Assets" + }, + { + "columnId": "PathName", + "label": "Source Path" + } + ] + }, + "sortBy": [ + { + "itemKey": "SourceType", + "sortOrder": 2 + } + ] + }, + "customWidth": "50", + "name": "query - 8", + "styleSettings": { + "showBorder": true + }, + "id": "42ad81e8-292a-485c-87a5-01b7a19b19f9" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let MostRecentScanLogs = PurviewDataSensitivityLogs\r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | where \"{UserSelectedDataSource:label}\" == \"All\" or (SourcePath contains \"{UserSelectedDataSource:label}\")\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType ;\r\nlet ClassificationCounts = MostRecentScanLogs\r\n | where ActivityType == \"Classification\"\r\n | mv-expand Classification\r\n | summarize ClassificationCount= count(todynamic(Classification)) by AssetPath\r\n | project ClassificationCount, AssetPath;\r\nlet ClassifiedAssetsWithCounts = MostRecentScanLogs\r\n | where ActivityType == \"Classification\"\r\n | join kind= leftouter ClassificationCounts on AssetPath\r\n | summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, Classification, ClassificationCount, 
ClassificationTrigger, ClassificationDetails, SourceScanId) by AssetPath ;\r\nlet LabeledAssets = MostRecentScanLogs\r\n | where ActivityType == \"Labeling\" \r\n | mv-expand SensitivityLabel to typeof(string)\r\n | where SensitivityLabel != int(null)\r\n | mv-expand SensitivityLabelDetails\r\n | summarize arg_max(SensitivityLabel, SourceType, SensitivityLabelTrigger, SensitivityLabelDetails) by AssetPath\r\n | project AssetPath, SensitivityLabel, SensitivityLabelTrigger, SensitivityLabelDetails;\r\nlet ClassificationCountWithSensitivityInformation = ClassifiedAssetsWithCounts\r\n | join kind= leftouter LabeledAssets on AssetPath\r\n | project\r\n TimeGenerated,\r\n PurviewTenantId,\r\n PurviewAccountName,\r\n PurviewRegion,\r\n AssetName,\r\n AssetPath,\r\n AssetType,\r\n AssetCreationTime,\r\n AssetModifiedTime,\r\n AssetLastScanTime,\r\n FileExtension,\r\n FileSize,\r\n ActivityType,\r\n ClassificationTrigger,\r\n Classification,\r\n ClassificationCount,\r\n ClassificationDetails,\r\n SensitivityLabelTrigger,\r\n SensitivityLabel,\r\n SensitivityLabelDetails,\r\n SourceName,\r\n SourceType,\r\n SourcePath,\r\n SourceSubscriptionId,\r\n SourceRegion,\r\n SourceCollectionName,\r\n SourceScanId\r\n | sort by ClassificationCount;\r\nClassificationCountWithSensitivityInformation", + "size": 0, + "showAnalytics": true, + "title": "Assets Drilldown", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 5 + }, + { + "columnMatch": "PurviewTenantId", + "formatter": 5 + }, + { + "columnMatch": "PurviewAccountName", + "formatter": 5 + }, + { + "columnMatch": "PurviewRegion", + "formatter": 5 + }, + { + "columnMatch": "AssetName", + "formatter": 5 + }, + { + "columnMatch": "AssetPath", + "formatter": 7, + "formatOptions": { + 
"linkTarget": "GenericDetails", + "linkIsContextBlade": true, + "customColumnWidthSetting": "60ch" + } + }, + { + "columnMatch": "AssetType", + "formatter": 5 + }, + { + "columnMatch": "AssetCreationTime", + "formatter": 5 + }, + { + "columnMatch": "AssetModifiedTime", + "formatter": 5 + }, + { + "columnMatch": "AssetLastScanTime", + "formatter": 5 + }, + { + "columnMatch": "FileExtension", + "formatter": 5 + }, + { + "columnMatch": "FileSize", + "formatter": 5 + }, + { + "columnMatch": "ActivityType", + "formatter": 5 + }, + { + "columnMatch": "Classification", + "formatter": 5 + }, + { + "columnMatch": "ClassificationCount", + "formatter": 4, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "0" + } + }, + { + "columnMatch": "ClassificationDetails", + "formatter": 5 + }, + { + "columnMatch": "SensitivityLabelTrigger", + "formatter": 5 + }, + { + "columnMatch": "SensitivityLabel", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "No Label" + } + }, + { + "columnMatch": "SensitivityLabelDetails", + "formatter": 5 + }, + { + "columnMatch": "SourceName", + "formatter": 5 + }, + { + "columnMatch": "SourceType", + "formatter": 5 + }, + { + "columnMatch": "SourcePath", + "formatter": 13, + "formatOptions": { + "linkTarget": "Resource", + "showIcon": true + } + }, + { + "columnMatch": "SourceSubscriptionId", + "formatter": 5 + }, + { + "columnMatch": "SourceRegion", + "formatter": 5 + }, + { + "columnMatch": "SourceCollectionName", + "formatter": 5 + }, + { + "columnMatch": "SourceScanId", + "formatter": 5 + }, + { + "columnMatch": "PurviewSubscriptionId", + "formatter": 5 + }, + { + "columnMatch": "SourceOwner", + "formatter": 5 + }, + { + "columnMatch": "AssetOwner", + "formatter": 5 + }, + { + "columnMatch": "ClassificationActivityTrigger", + "formatter": 5 + }, + { + "columnMatch": 
"SensitivityLabelActivityTrigger", + "formatter": 5 + }, + { + "columnMatch": "SensitivityLabelGuid", + "formatter": 5 + }, + { + "columnMatch": "UserId", + "formatter": 5 + }, + { + "columnMatch": "ActivityTrigger", + "formatter": 5 + }, + { + "columnMatch": "SensitivityLabelName", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "25ch" + } + } + ], + "rowLimit": 1000, + "filter": true, + "labelSettings": [ + { + "columnId": "AssetPath", + "label": "Asset Path" + }, + { + "columnId": "ClassificationCount", + "label": "Classifications" + }, + { + "columnId": "SensitivityLabel", + "label": "Sensitivity Label" + }, + { + "columnId": "SourcePath", + "label": "Data Source" + } + ] + } + }, + "customWidth": "50", + "name": "query - 9", + "styleSettings": { + "showBorder": true + }, + "id": "38d442dd-603b-4fa2-b740-39f84fd1fef6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let MostRecentScanLogs = PurviewDataSensitivityLogs\r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where ActivityType == \"Classification\" \r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType;\r\nlet Classifications = MostRecentScanLogs\r\n| summarize arg_max(TimeGenerated, Classification, FileSize, AssetType) by AssetPath \r\n| extend classifications = split(Classification, ',')\r\n| mv-expand classifications\r\n| extend Classification = trim(@\"[^\\w]+\", tostring(classifications))\r\n| where Classification != \"\"\r\n| summarize FileSize = round(sum(FileSize)/1000000,2), 
AssetCount = count() by Classification\r\n| project Classification, AssetCount, FileSize;\r\nClassifications\r\n", + "size": 0, + "showAnalytics": true, + "title": "Select 'Classification' below to view Classification Drilldown", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportFieldName": "Classification", + "exportParameterName": "UserSelectedClassification", + "exportDefaultValue": "All", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Classification", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "50ch" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "No Classifications" + } + }, + { + "columnMatch": "AssetCount", + "formatter": 4, + "formatOptions": { + "palette": "blue", + "customColumnWidthSetting": "25ch" + } + }, + { + "columnMatch": "FileSize", + "formatter": 8, + "formatOptions": { + "palette": "blue", + "customColumnWidthSetting": "25ch" + } + } + ], + "filter": true, + "sortBy": [ + { + "itemKey": "$gen_bar_AssetCount_1", + "sortOrder": 2 + } + ], + "labelSettings": [ + { + "columnId": "AssetCount", + "label": "Classified Asset Count" + }, + { + "columnId": "FileSize", + "label": "Total Size of Files (MB)" + } + ] + }, + "sortBy": [ + { + "itemKey": "$gen_bar_AssetCount_1", + "sortOrder": 2 + } + ], + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "Classification", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Size", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "50", + "name": "query - 4 - Copy", + "styleSettings": { + "showBorder": true + }, + "id": "012f6b86-fa7a-4bd4-be75-09debaeb9824" 
+ }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let MostRecentScanLogs = PurviewDataSensitivityLogs\r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where ActivityType == \"Classification\" \r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType;\r\nlet ClassificationsDrilldown = MostRecentScanLogs\r\n| extend classifications = split(Classification, ',')\r\n| mv-expand classifications\r\n| extend SelectedClassification = trim(@\"[^\\w]+\", tostring(classifications))\r\n| where SelectedClassification != \"\"\r\n| where \"{UserSelectedClassification:label}\" == \"All\" or (split(\"{UserSelectedClassification:label}\", \", \") contains SelectedClassification)\r\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationTrigger, Classification, ClassificationDetails, SourceScanId) by AssetPath \r\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationTrigger, Classification, ClassificationDetails, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceScanId;\r\nClassificationsDrilldown\r\n| take 100", + 
"size": 0, + "showAnalytics": true, + "title": "Classifications Drilldown- Asset Level", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 5 + }, + { + "columnMatch": "PurviewTenantId", + "formatter": 5 + }, + { + "columnMatch": "PurviewAccountName", + "formatter": 5 + }, + { + "columnMatch": "PurviewRegion", + "formatter": 5 + }, + { + "columnMatch": "AssetName", + "formatter": 5 + }, + { + "columnMatch": "AssetPath", + "formatter": 7, + "formatOptions": { + "linkTarget": "GenericDetails", + "linkIsContextBlade": true, + "customColumnWidthSetting": "70ch" + } + }, + { + "columnMatch": "AssetType", + "formatter": 5 + }, + { + "columnMatch": "AssetCreationTime", + "formatter": 5 + }, + { + "columnMatch": "AssetModifiedTime", + "formatter": 5 + }, + { + "columnMatch": "AssetLastScanTime", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "30ch" + } + }, + { + "columnMatch": "FileExtension", + "formatter": 5 + }, + { + "columnMatch": "FileSize", + "formatter": 5 + }, + { + "columnMatch": "ActivityType", + "formatter": 5 + }, + { + "columnMatch": "Classification", + "formatter": 5 + }, + { + "columnMatch": "SourceName", + "formatter": 5 + }, + { + "columnMatch": "SourceType", + "formatter": 5 + }, + { + "columnMatch": "SourcePath", + "formatter": 13, + "formatOptions": { + "linkTarget": "Resource", + "showIcon": true + } + }, + { + "columnMatch": "SourceSubscriptionId", + "formatter": 5 + }, + { + "columnMatch": "SourceRegion", + "formatter": 5 + }, + { + "columnMatch": "SourceCollectionName", + "formatter": 5 + }, + { + "columnMatch": "SourceScanId", + "formatter": 5 + }, + { + "columnMatch": "PurviewSubscriptionId", + "formatter": 5 + }, + { + "columnMatch": "SourceOwner", + "formatter": 5 + }, + { + "columnMatch": "AssetOwner", + 
"formatter": 5 + }, + { + "columnMatch": "ActivityTrigger", + "formatter": 5 + }, + { + "columnMatch": "SensitivityLabelGuid", + "formatter": 5 + }, + { + "columnMatch": "SensitivityLabelName", + "formatter": 5 + }, + { + "columnMatch": "UserId", + "formatter": 5 + } + ], + "filter": true, + "labelSettings": [ + { + "columnId": "AssetPath", + "label": "Asset Path" + }, + { + "columnId": "AssetLastScanTime", + "label": "Asset Last Scan Time" + }, + { + "columnId": "SourcePath", + "label": "Data Source" + } + ] + } + }, + "customWidth": "50", + "name": "query - 10", + "styleSettings": { + "showBorder": true + }, + "id": "871d8a2f-b10b-41b8-9e6a-7664c4b8a2a5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let SensitivityLabels = PurviewDataSensitivityLogs\r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where ActivityType == \"Labeling\" \r\n | extend SensitivityLabel = iff(SensitivityLabel[0] == \"\", \"No Label\", SensitivityLabel[0])\r\n | extend Label = replace(@\"\\\\\", \"/\", SensitivityLabel)\r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType\r\n | summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by SensitivityLabel, Label\r\n | project SensitivityLabel, FileSize, AssetCount, Label\r\n | sort by AssetCount;\r\nSensitivityLabels", + "size": 0, + "showAnalytics": true, + "title": "Select 'Sensitivity Label' below to view Sensitivity Labels Drilldown", + "showRefreshButton": true, + "exportFieldName": "Label", + "exportParameterName": 
"UserSelectedLabel", + "exportDefaultValue": "All", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "SensitivityLabel", + "formatter": 1 + }, + { + "columnMatch": "FileSize", + "formatter": 8, + "formatOptions": { + "palette": "blue", + "customColumnWidthSetting": "20ch" + } + }, + { + "columnMatch": "Count", + "formatter": 4, + "formatOptions": { + "palette": "blue", + "customColumnWidthSetting": "20ch" + } + }, + { + "columnMatch": "Label", + "formatter": 5 + }, + { + "columnMatch": "SensitivityLabelName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "60ch" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + } + ], + "filter": true, + "labelSettings": [ + { + "columnId": "SensitivityLabel", + "label": "Sensitivity Label" + }, + { + "columnId": "FileSize", + "label": "File Size" + }, + { + "columnId": "AssetCount", + "label": "Asset Count" + } + ] + }, + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "SensitivityLabelName", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "LabelCount", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "50", + "name": "query - 14 - Copy", + "styleSettings": { + "showBorder": true + }, + "id": "1be9d25c-73ae-405a-b1b1-ab8015acaaa2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let MostRecentScanLogs = PurviewDataSensitivityLogs\r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", 
SourceCollectionName)\r\n | where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where ActivityType == \"Labeling\" \r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType;\r\nlet LabelDrilldown = MostRecentScanLogs \r\n| extend SensitivityLabel = iff(SensitivityLabel[0] == \"\", \"No Label\", SensitivityLabel[0])\r\n| extend Label = replace(@\"\\\\\", \"/\", SensitivityLabel)\r\n| where \"{UserSelectedLabel:label}\" == \"All\" or \"{UserSelectedLabel:label}\" == Label\r\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, SensitivityLabelTrigger, SensitivityLabel, SensitivityLabelDetails, SourceScanId) by AssetPath \r\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, SensitivityLabelTrigger, SensitivityLabel, SensitivityLabelDetails, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceScanId;\r\nLabelDrilldown\r\n| take 100", + "size": 0, + "showAnalytics": true, + "title": "Sensitivity Labels Drilldown- Asset Level", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 5 + }, + { + "columnMatch": "PurviewTenantId", + "formatter": 5 + }, + { + "columnMatch": "PurviewAccountName", + "formatter": 5 + }, + { + "columnMatch": "PurviewRegion", + "formatter": 5 + }, + 
{ + "columnMatch": "AssetName", + "formatter": 5 + }, + { + "columnMatch": "AssetPath", + "formatter": 7, + "formatOptions": { + "linkTarget": "GenericDetails", + "linkIsContextBlade": true, + "customColumnWidthSetting": "70ch" + } + }, + { + "columnMatch": "AssetType", + "formatter": 5 + }, + { + "columnMatch": "AssetCreationTime", + "formatter": 5 + }, + { + "columnMatch": "AssetModifiedTime", + "formatter": 5 + }, + { + "columnMatch": "FileExtension", + "formatter": 5 + }, + { + "columnMatch": "FileSize", + "formatter": 5 + }, + { + "columnMatch": "ActivityType", + "formatter": 5 + }, + { + "columnMatch": "SensitivityLabelTrigger", + "formatter": 5, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "No Label" + } + }, + { + "columnMatch": "SensitivityLabel", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "No Label" + } + }, + { + "columnMatch": "SensitivityLabelDetails", + "formatter": 5, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "No Label" + } + }, + { + "columnMatch": "SourceName", + "formatter": 5 + }, + { + "columnMatch": "SourceType", + "formatter": 5 + }, + { + "columnMatch": "SourcePath", + "formatter": 13, + "formatOptions": { + "linkTarget": "Resource", + "showIcon": true + } + }, + { + "columnMatch": "SourceSubscriptionId", + "formatter": 5 + }, + { + "columnMatch": "SourceRegion", + "formatter": 5 + }, + { + "columnMatch": "SourceCollectionName", + "formatter": 5 + }, + { + "columnMatch": "SourceScanId", + "formatter": 5 + }, + { + "columnMatch": "SensitivityLabelName", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "No Label" + } + }, + { + "columnMatch": "PurviewSubscriptionId", + "formatter": 5 + }, + { + "columnMatch": "SourceOwner", + "formatter": 5 + }, + { + "columnMatch": "AssetOwner", + "formatter": 5 + 
}, + { + "columnMatch": "ActivityTrigger", + "formatter": 5 + }, + { + "columnMatch": "Classification", + "formatter": 5 + }, + { + "columnMatch": "ClassificationCount", + "formatter": 5 + }, + { + "columnMatch": "SensitivityLabelGuid", + "formatter": 5 + }, + { + "columnMatch": "UserId", + "formatter": 5 + } + ], + "filter": true, + "labelSettings": [ + { + "columnId": "AssetPath", + "label": "Asset Path" + }, + { + "columnId": "AssetLastScanTime", + "label": "Asset Last Scan Time" + }, + { + "columnId": "SensitivityLabel", + "label": "Sensitivity Label" + }, + { + "columnId": "SourcePath", + "label": "Source Path" + } + ] + } + }, + "customWidth": "50", + "name": "query - 13", + "styleSettings": { + "showBorder": true + }, + "id": "73f6529f-81d8-4d05-a9ba-33542f45a365" } - ] - } - } + ] }, "conditionalVisibility": { - "parameterName": "Results305", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "305" - }, - { - "type": 3, + "parameterName": "isPurviewLogsVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Purview Logs", + "id": "d1e10c67-1a56-4141-8643-b146e2de793c" + }, + { + "type": 12, "content": { - "version": "KqlItem/1.0", - "query": "SecurityAlert\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"]), UserPrincipalName = tostring(Entities[\"UserPrincipalName\"])\r\n | extend UPN = coalesce (UserPrincipalName, iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\"))\r\n| extend Href_ = 
tostring(parse_json(ExtendedLinks)[0].Href)\r\n| extend UserPrincipalName = UPN\r\n| where UserPrincipalName in ({UserPrincipalName})\r\n| distinct UserPrincipalName, AlertName, ProductName, Status, AlertLink, Tactics, TimeGenerated\r\n| where (AlertName contains \"sensitive\" or AlertName contains \"leak\" or AlertName contains \"theft\" or AlertName contains \"steal\" or AlertName contains \"PII\" or AlertName contains \"intellectual\" or AlertName contains \"confidential\" or AlertName contains \"spill\") or (Tactics contains \"exfil\")\r\n| sort by TimeGenerated desc\r\n| limit 100", - "size": 0, - "title": "Sensitive Data Alert Details", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "AlertName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "3", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "ProductName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "uninitialized", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "AlertLink", - "formatter": 7, - "formatOptions": { - "linkTarget": "Url", - "linkLabel": "Go to Alert >" - } - }, - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Severity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "High", - "representation": "red", - 
"text": "{0}{1}" + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## 🗄 Azure SQL Databases\r\n\r\nThis section helps you monitor **access to classified and sensitive data stored in Azure SQL databases**. It supports GDPR requirements for **security of processing (Art. 32)** and **data protection by design and by default (Art. 25)** by detecting anomalies, tracking access patterns, and providing evidence of safeguards around personal data. \r\n\r\nKey objectives of this section: \r\n- Identify **daily anomaly scores** to highlight unusual database activity that may indicate misuse or data exfiltration \r\n- Monitor **queries by sensitivity labels and information types** to ensure personal data is accessed only for legitimate purposes \r\n- Track **application and IP access** to classified data for accountability and traceability \r\n- Detect potential **privilege misuse or unauthorized access attempts** by reviewing query and principal activity over time \r\n- Provide auditors with proof of **continuous monitoring of database activity** against sensitive data assets \r\n\r\nBy analyzing these metrics, analysts can confirm that **personal data stored in databases is accessed appropriately**, and that monitoring controls are in place to detect and respond to suspicious or non-compliant activity.\r\n" }, - { - "operator": "==", - "thresholdValue": "Medium", - "representation": "orange", - "text": "{0}{1}" + "customWidth": "40", + "name": "text - 4", + "id": "500010a5-5343-4165-928f-d72e02753646" + }, + { + "type": 1, + "content": { + "json": "" }, - { - "operator": "==", - "thresholdValue": "Low", - "representation": "yellow", - "text": "{0}{1}" + "customWidth": "10", + "name": "text - 5", + "id": "b0f6f314-3466-4cf6-8bd0-08956bfd228a" + }, + { + "type": 1, + "content": { + "json": "| Azure SQL Databases | | |\r\n|:--| - | - |\r\n| Daily anomaly scores, by database | Anomaly score over time for the 
selected database (from the list above) | Daily activity over time for the selected database (from the list above) |\r\n| Number of queries, by sensitivity label | Number of queries, by information type | Number of queries, by principal |\r\n|Number of queries, Details|Application access to classified data (by information type)|IP access to classified data (by information type)|\r\n\r\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range, Servers and Databases. Only panels with data are shown. \r\n" }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "UPN", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "2", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "IncidentUrl", - "formatter": 7, - "formatOptions": { - "linkTarget": "Url", - "linkLabel": "Go to Incident >" + "customWidth": "40", + "name": "text - 6", + "id": "6f509478-6d84-4c6a-9b4a-376e7c63394e" }, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - }, - { - "columnMatch": "city_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "state_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 
12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "conditionalVisibility": { - "parameterName": "Results305", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "305b" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "MicrosoftPurviewInformationProtection\r\n| where LabelName <> \"\"\r\n| extend CommonProperties = parse_json(Common)\r\n| extend ApplicationName = tostring(CommonProperties.ApplicationName)\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by LabelName, ApplicationName\r\n| render timechart", - "size": 0, - "title": "Data Access by Sensitivity Labels Over Time", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "AlertName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "3", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Severity", - 
"formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "High", - "representation": "red", - "text": "{0}{1}" + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "value::selected" + ], + "parameters": [ + { + "id": "332be9fd-33ad-407e-843e-5f2c49a50b6a", + "version": "KqlParameterItem/1.0", + "name": "Servers", + "type": 5, + "isRequired": true, + "multiSelect": true, + "quote": "\"", + "delimiter": ",", + "query": "where type == \"microsoft.sql/servers\"\r\n| project id=tolower(id)", + "crossComponentResources": [ + "{Subscription}" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "", + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": [ + "value::all" + ] + }, + { + "id": "b4cc825f-166b-4929-916a-21b8073748c2", + "version": "KqlParameterItem/1.0", + "name": "Databases", + "type": 5, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "where type == \"microsoft.sql/servers/databases\"\r\n| project id=tolower(id)\r\n| extend serverName = split(id,'/databases/')[0]\r\n| where serverName in ({Servers})\r\n| project id", + "crossComponentResources": [ + "value::selected" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "", + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": [ + "value::all" + ] + } + ], + "style": "pills" }, - { - "operator": "==", - "thresholdValue": "Medium", - "representation": "orange", - "text": "{0}{1}" + "name": "parameters - 1", + "id": "1842d085-362b-4a72-a2bd-0764e673eb71" + }, + { + "type": 
3, + "content": { + "version": "KqlItem/1.0", + "query": "AzureDiagnostics\r\n| where TimeGenerated > {TimeRange:start}\r\n| where ResourceType == \"SERVERS/DATABASES\"\r\n| where Category == \"SQLSecurityAuditEvents\"\r\n| where tolower(ResourceId) in ({Databases})\r\n| extend Database = strcat(LogicalServerName_s, '/', database_name_s)\r\n| summarize DailyCount = count() by ResourceId, Database, bin_at(TimeGenerated, 1d, now())\r\n| make-series metric = sum(DailyCount) on TimeGenerated in range({TimeRange:start}, now()-1d, 1d) by ResourceId, Database\r\n| extend series_decompose_anomalies(metric) // Anomaly detection\r\n| project ResourceId, Database, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\r\n| extend MaxAnomalyScore = AnomalyScore, MinAnomalyScore = AnomalyScore, AnomlyScoreTrend = AnomalyScore\r\n| mv-apply MaxAnomalyScore to typeof(real) on (top 1 by MaxAnomalyScore desc)\r\n| mv-apply MinAnomalyScore to typeof(real) on (top 1 by MinAnomalyScore asc)\r\n| mv-expand with_itemindex=Index AnomalyScore\r\n| where Index == array_length(DailyCounts)-1\r\n| project-away day, Index\r\n| extend AnomalyScoreAbs = abs(toreal(AnomalyScore))\r\n| extend WasAnomalous = iif(MaxAnomalyScore > 3 or MinAnomalyScore < -3, true, false)\r\n| extend Anomalous = iif(AnomalyScoreAbs > 3, true, false)\r\n| order by AnomalyScoreAbs desc\r\n", + "size": 0, + "title": "Daily anomaly scores, by database", + "timeContextFromParameter": "TimeRange", + "exportFieldName": "ResourceId", + "exportParameterName": "SelectedResource", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "DailyCounts", + "formatter": 9, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "AnomalyScore", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + 
{ + "operator": "startsWith", + "thresholdValue": "-", + "representation": "trenddown", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "right", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "trendup", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "MaxAnomalyScore", + "formatter": 1 + }, + { + "columnMatch": "MinAnomalyScore", + "formatter": 5 + }, + { + "columnMatch": "AnomlyScoreTrend", + "formatter": 9, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "AnomalyScoreAbs", + "formatter": 5 + }, + { + "columnMatch": "WasAnomalous", + "formatter": 1 + }, + { + "columnMatch": "Anomalous", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ] + } }, - { - "operator": "==", - "thresholdValue": "Low", - "representation": "yellow", - "text": "{0}{1}" + "name": "query - 1", + "id": "5946edde-e778-4e10-938c-5922224c6395" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AzureDiagnostics\r\n| where TimeGenerated > {TimeRange:start}\r\n| where ResourceType == \"SERVERS/DATABASES\"\r\n| where Category == \"SQLSecurityAuditEvents\"\r\n| where tolower(ResourceId) == tolower('{SelectedResource}')\r\n| summarize DailyCount = count() by ResourceId, bin_at(TimeGenerated, 1d, now())\r\n| make-series metric = sum(DailyCount) on TimeGenerated in range({TimeRange:start}, now()-1d, 1d) by ResourceId\r\n| extend series_decompose_anomalies(metric) // Anomaly detection\r\n| project ResourceId, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\r\n", + "size": 0, + "title": "Anomaly score over time for the selected database (from the list above)", + "color": "orange", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "timechart", + "chartSettings": { 
+ "yAxis": [ + "AnomalyScore" + ], + "ySettings": { + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal", + "useGrouping": true + } + } + } + } }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "ProductName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "uninitialized", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "AlertLink", - "formatter": 7, - "formatOptions": { - "linkTarget": "Url", - "linkLabel": "Go to Alert >" - } - }, - { - "columnMatch": "UPN", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "2", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "IncidentUrl", - "formatter": 7, - "formatOptions": { - "linkTarget": "Url", - "linkLabel": "Go to Incident >" + "customWidth": "50", + "name": "query - 2 - Copy", + "id": "4385bafc-f482-47ba-9a10-6301972f6d1e" }, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - }, - { - "columnMatch": "city_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "state_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - 
"formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results306", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "306a" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "MicrosoftPurviewInformationProtection\r\n| where LabelName <> \"\"\r\n// 🔎 Filter out common or non-critical labels here (example excludes \"General\").\r\n// Update the list inside !in(...) 
and uncomment below line to exclude labels that are considered low-sensitivity in your org.\r\n// | where LabelName !in (\"General\")\r\n| summarize count() by LabelName\r\n| render piechart", - "size": 0, - "title": "Data Access by Sensitivity Label", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "AlertName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "3", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Severity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "High", - "representation": "red", - "text": "{0}{1}" + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AzureDiagnostics\r\n| where TimeGenerated > {TimeRange:start}\r\n| where ResourceType == \"SERVERS/DATABASES\"\r\n| where Category == \"SQLSecurityAuditEvents\"\r\n| where tolower(ResourceId) == tolower('{SelectedResource}')\r\n| summarize DailyCount = count() by ResourceId, bin_at(TimeGenerated, 1d, now())\r\n| make-series metric = sum(DailyCount) on TimeGenerated in range({TimeRange:start}, now()-1d, 1d) by ResourceId\r\n| extend series_decompose_anomalies(metric) // Anomaly detection\r\n| project ResourceId, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\r\n", + "size": 0, + "title": "Daily activity over time for the selected database (from the list above)", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "timechart", + "chartSettings": { + 
"yAxis": [ + "DailyCounts" + ], + "ySettings": { + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal", + "useGrouping": true + } + } + } + } }, - { - "operator": "==", - "thresholdValue": "Medium", - "representation": "orange", - "text": "{0}{1}" + "customWidth": "50", + "name": "query - 2", + "id": "dafad3e9-f4ad-4643-adc1-d743c55f3f66" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AzureDiagnostics \r\n| where tolower(ResourceId) in ({Databases})\r\n| where data_sensitivity_information_s != \"\" \r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n| mvexpand parsed \r\n| extend label = tostring(parsed[\"@label\"]) \r\n| where label != \"\" \r\n| summarize dcount = dcount(sequence_group_id_g) by label", + "size": 0, + "title": "Number of queries, by sensitivity label", + "timeContextFromParameter": "TimeRange", + "exportMultipleValues": true, + "exportedParameters": [ + { + "fieldName": "label", + "parameterName": "SelectedLabel", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "label", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "dcount", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": false + } }, - { - "operator": "==", - "thresholdValue": "Low", - "representation": "yellow", - "text": "{0}{1}" + "customWidth": "33", + "name": "query - 3 - Copy", + "styleSettings": { + "margin": "0", + "padding": "0" }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "ProductName", - 
"formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "uninitialized", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "AlertLink", - "formatter": 7, - "formatOptions": { - "linkTarget": "Url", - "linkLabel": "Go to Alert >" - } - }, - { - "columnMatch": "UPN", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "2", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "IncidentUrl", - "formatter": 7, - "formatOptions": { - "linkTarget": "Url", - "linkLabel": "Go to Incident >" + "id": "47978bbf-40f9-45ea-bfe5-0664f71e8ceb" }, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - }, - { - "columnMatch": "city_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "state_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - 
"locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results306", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "306b" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "MicrosoftPurviewInformationProtection\r\n| where LabelName <> \"\"\r\n| extend CommonProperties = parse_json(Common)\r\n| extend ApplicationName = tostring(CommonProperties.ApplicationName)\r\n| extend properties = parse_json(ProtectionEventData)\r\n| extend ProtectionOwner = tostring(properties.ProtectionOwner)\r\n| extend IsProtected = tostring(properties.IsProtected)\r\n| distinct UserId, LabelName, ApplicationName, Operation, IsProtected, Platform, ProtectionOwner, TimeGenerated\r\n| sort by TimeGenerated desc\r\n| limit 100\r\n\r\n", - "size": 0, - "showAnalytics": true, - "title": "Sensitive Data Access Details", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId_s", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "AlertName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - 
"thresholdValue": null, - "representation": "3", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Severity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "High", - "representation": "red", - "text": "{0}{1}" + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AzureDiagnostics \r\n| where tolower(ResourceId) in ({Databases})\r\n| where data_sensitivity_information_s != \"\" \r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n| mvexpand parsed \r\n| extend info_type = tostring(parsed[\"@information_type\"]) \r\n| where info_type != \"\" \r\n| summarize dcount = dcount(sequence_group_id_g) by info_type", + "size": 0, + "title": "Number of queries, by information type", + "timeContextFromParameter": "TimeRange", + "exportMultipleValues": true, + "exportedParameters": [ + { + "fieldName": "info_type", + "parameterName": "SelectedInformationType", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "info_type", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "dcount", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "chartSettings": { + "createOtherGroup": 10 + } }, - { - "operator": "==", - "thresholdValue": "Medium", - "representation": "orange", - "text": "{0}{1}" + "customWidth": "33", + "name": "query - 3 - Copy - Copy", + "styleSettings": { + "margin": "0", + "padding": "0" }, - { - "operator": "==", - "thresholdValue": "Low", - "representation": "yellow", - "text": "{0}{1}" + "id": 
"ecd1a5a6-37d8-4967-8923-613975e3c376" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AzureDiagnostics \r\n| where tolower(ResourceId) in ({Databases})\r\n| where data_sensitivity_information_s != \"\" \r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n| mvexpand parsed \r\n| extend Principal = server_principal_name_s\r\n| summarize dcount = dcount(sequence_group_id_g) by Principal", + "size": 0, + "title": "Number of queries, by principal", + "timeContextFromParameter": "TimeRange", + "exportMultipleValues": true, + "exportedParameters": [ + { + "fieldName": "Principal", + "parameterName": "SelectedPrincipal", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Principal", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "dcount", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "showBorder": false + }, + "chartSettings": { + "createOtherGroup": 10 + } }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "ProductName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "uninitialized", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "AlertLink", - "formatter": 7, - "formatOptions": { - "linkTarget": "Url", - "linkLabel": "Go to Alert >" - } - }, - { - "columnMatch": "UPN", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - 
"representation": "2", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "IncidentUrl", - "formatter": 7, - "formatOptions": { - "linkTarget": "Url", - "linkLabel": "Go to Incident >" + "customWidth": "33", + "name": "query - 3 - Copy - Copy - Copy", + "styleSettings": { + "margin": "0", + "padding": "0" + }, + "id": "351e424a-f002-4040-8fe7-de51c49acbf2" }, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - }, - { - "columnMatch": "city_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "state_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", 
- "thresholdValue": null, - "representation": "blueDark" + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AzureDiagnostics\r\n| where tolower(ResourceId) in ({Databases})\r\n| where isempty(data_sensitivity_information_s) == false\r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n//| evaluate bag_unpack(parsed, columnsConflict='keep_source')\r\n| mvexpand parsed \r\n| project TimeGenerated, ResourceId, Label = tostring(parsed.['@label']), InformationType = tostring(parsed.['@information_type'])\r\n , Succeeded = succeeded_s, Principal = server_principal_name_s, ClientIP = client_ip_s, Application = application_name_s, Statement = statement_s, Rows = response_rows_d, Action = action_name_s\r\n| where Label != \"\" or InformationType != \"\"\r\n| where isempty('{SelectedLabel}') or (strcat('\"',Label,'\"') in (split('{SelectedLabel}',',')))\r\n| where isempty('{SelectedInformationType}') or (strcat('\"',InformationType,'\"') in (split('{SelectedInformationType}',',')))\r\n| where isempty('{SelectedPrincipal}') or (strcat('\"',Principal,'\"') in (split('{SelectedPrincipal}',',')))", + "size": 0, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 15", + "id": "aaae6307-f6f3-45c3-aeda-2eec81f6fc46" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AzureDiagnostics \r\n| where tolower(ResourceId) in ({Databases})\r\n| where data_sensitivity_information_s != \"\" \r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n| mvexpand parsed \r\n| extend label = tostring(parsed[\"@label\"]) \r\n| where label != \"\" \r\n| summarize dcount = dcount(sequence_group_id_g) by label_and_app = strcat(label, \" | \", application_name_s)\r\n| order by label_and_app asc, dcount 
desc", + "size": 0, + "title": "Application access to classified data (by sensitivity label)", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "piechart" + }, + "customWidth": "40", + "name": "query - 3 - Copy - Copy", + "styleSettings": { + "margin": "0", + "padding": "0" + }, + "id": "67f88e5c-2e93-4f34-846f-143dbcac6209" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AzureDiagnostics \r\n| where tolower(ResourceId) in ({Databases})\r\n| where data_sensitivity_information_s != \"\" \r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n| mvexpand parsed \r\n| extend label = tostring(parsed[\"@label\"]) \r\n| where label != \"\" \r\n| summarize dcount = dcount(sequence_group_id_g) by label_and_ip = strcat(label, \" | \", client_ip_s) \r\n| order by label_and_ip asc, dcount desc", + "size": 0, + "title": "IP access to classified data (by sensitivity label)", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "piechart", + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "action_name_s", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "action_name_s", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "count_", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "40", + 
"name": "query - 3", + "styleSettings": { + "margin": "0", + "padding": "0" + }, + "id": "c10cb013-1b7c-4014-8f40-9b069aee0771" } - ] - } - } - }, - "conditionalVisibility": { - "parameterName": "Results306", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results306c" - } - ] - }, - "conditionalVisibility": { - "parameterName": "isDLPVisible", - "comparison": "isEqualTo", - "value": "true" - }, - "name": "DLP" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## 🔍 Purview Logs\r\n\r\nThis section provides visibility into the **classification and labeling of personal and sensitive data** across your Azure and Microsoft 365 environment. It directly supports GDPR principles of **lawfulness, fairness, transparency, and accountability (Art. 5)** as well as requirements for **records of processing activities (Art. 30)** and **data protection by design and by default (Art. 25)**. 
\r\n\r\nKey objectives of this section: \r\n- Track **classified Azure sources by region** to understand where personal data is stored and processed \r\n- Monitor the **volume and types of classified assets** across different resource types \r\n- Drill down to the **asset and file level** to validate that personal data is discovered and properly classified \r\n- Assess the application of **sensitivity labels** to ensure data is protected according to organizational policy \r\n- Provide auditors with clear evidence of **data inventory and classification coverage** \r\n\r\nBy reviewing these metrics, analysts can verify that **data discovery, classification, and labeling controls** are functioning as required, and quickly spot gaps where sensitive data may not be properly governed.\r\n" - }, - "customWidth": "40", - "name": "text - 12" - }, - { - "type": 1, - "content": { - "json": "" - }, - "customWidth": "10", - "name": "text - 13" - }, - { - "type": 1, - "content": { - "json": "| Purview Logs | | |\r\n|:--| - | - |\r\n| Classified Azure Sources by Region | Total Classified Assets by Resource Type | Select 'Data Source' below to view Assets Drilldown |\r\n| Assets Drilldown | Classifications by Asset Count and File Size |Classifications Drilldown- Asset Level|\r\n|Sensitivity Labels by Asset Count and File Size|Sensitivity Labels Drilldown- Asset Level|\r\n\r\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range, Purview Account, Source Collectiona and Resource Type. 
Only panels with data are shown.\r\n" - }, - "customWidth": "40", - "name": "text - 14" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "a5b9cb0c-6219-4782-a10d-1370a8a6edb4", - "version": "KqlParameterItem/1.0", - "name": "PurviewAccount", - "label": "Purview Account", - "type": 2, - "isRequired": true, - "multiSelect": true, - "quote": "'", - "delimiter": ",", - "query": "PurviewDataSensitivityLogs\r\n|distinct PurviewAccountName", - "typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], - "selectAllValue": "All", - "showDefault": false - }, - "timeContext": { - "durationMs": 2592000000 - }, - "defaultValue": "value::all", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - { - "id": "ea62a59c-3799-400d-a7af-f0ad14cc46c7", - "version": "KqlParameterItem/1.0", - "name": "Collection", - "label": "Source Collection", - "type": 2, - "isRequired": true, - "isGlobal": true, - "multiSelect": true, - "quote": "'", - "delimiter": ",", - "query": "PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\"\r\n| distinct SourceCollectionName \r\n| extend Collection = iff(SourceCollectionName == \"\",\"No Collection\", SourceCollectionName)\r\n| project Collection", - "crossComponentResources": [ - "{Workspace}" - ], - "typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], - "showDefault": false - }, - "defaultValue": "value::all", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - { - "id": "817265c3-f308-44e0-a24c-33dac7ee2c91", - "version": "KqlParameterItem/1.0", - "name": "DataSource", - "label": "Resource Type", - "type": 2, - "isRequired": true, - "multiSelect": true, - "quote": "", - "delimiter": ",", - "query": "PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\"\r\n| distinct SourceType ", - "value": [ - "value::all" - ], - 
"typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], - "showDefault": false - }, - "timeContext": { - "durationMs": 2592000000 - }, - "defaultValue": "value::all", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "parameters - 0" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "7afa304d-b448-4d6c-8c54-69e51a7249a9", - "version": "KqlParameterItem/1.0", - "name": "Results200", - "type": 1, - "query": "let NumberofSourcesByRegion = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| where SourceType contains \"Azure\"\r\n// GDPR filter: keep only sources with classification or sensitivity label\r\n| where array_length(todynamic(Classification)) > 0 or array_length(todynamic(SensitivityLabel)) > 0\r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"));\r\nNumberofSourcesByRegion\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - 
"name": "Results305" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "34376939-8858-4c9e-b1ff-a89df0cbd3e7", - "version": "KqlParameterItem/1.0", - "name": "Results201", - "type": 1, - "query": "let MostRecentScanLogs = PurviewDataSensitivityLogs\r\n | where ActivityType == \"Classification\" \r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType ;\r\nlet AllAssets = MostRecentScanLogs\r\n | summarize AssetCount = count() by SourceType;\r\nlet ClassifiedAssets = MostRecentScanLogs\r\n | where Classification != \"[]\"\r\n | summarize AssetClassifiedCount = count() by SourceType;\r\nlet ClassifiedAssetsByResourceType = AllAssets\r\n | join kind= leftouter ClassifiedAssets on SourceType\r\n | extend AssetCount = strcat(AssetCount, \" assets found in total\")\r\n | project SourceType, AssetCount, AssetClassifiedCount;\r\nClassifiedAssetsByResourceType\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results305 - Copy" - }, - { - "type": 9, - "content": { - "version": 
"KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "84a173b6-3660-49aa-8949-729ed6cdbacb", - "version": "KqlParameterItem/1.0", - "name": "Results202", - "type": 1, - "query": "let MostRecentScanLogs = PurviewDataSensitivityLogs\r\n | where ActivityType == \"Classification\"\r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName) \r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType ;\r\nlet AllAssets = MostRecentScanLogs\r\n| summarize AssetCount = count() by DataSource = SourcePath, SourceRegion, SourceType;\r\nlet ClassifiedAssets = MostRecentScanLogs\r\n| where Classification != \"[]\"\r\n| summarize AssetClassifiedCount = count() by DataSource = SourcePath, SourceRegion, SourceType;\r\nlet AssetsDrilldown = AllAssets\r\n| join kind= leftouter ClassifiedAssets on DataSource, SourceType\r\n| extend PathName = substring(DataSource, 1)\r\n| extend ClassifiedPercentage = round((100.0 * AssetClassifiedCount / AssetCount),1)\r\n| project DataSource, SourceRegion, SourceType, ClassifiedPercentage, AssetClassifiedCount, AssetCount, PathName;\r\nAssetsDrilldown\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - 
"doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results202" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "5b145cf1-1b6e-41be-8266-b7e3f928bae8", - "version": "KqlParameterItem/1.0", - "name": "Results203", - "type": 1, - "query": "let MostRecentScanLogs = PurviewDataSensitivityLogs\r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where ActivityType == \"Classification\" \r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType;\r\nlet Classifications = MostRecentScanLogs\r\n| summarize arg_max(TimeGenerated, Classification, FileSize, AssetType) by AssetPath \r\n| extend classifications = split(Classification, ',')\r\n| mv-expand classifications\r\n| extend Classification = trim(@\"[^\\w]+\", tostring(classifications))\r\n| where Classification != \"\"\r\n| summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by Classification\r\n| project Classification, AssetCount, FileSize;\r\nClassifications\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", 
- "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results203" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "0d1bdef8-7287-4e24-a185-070cf1179d38", - "version": "KqlParameterItem/1.0", - "name": "Results204", - "type": 1, - "query": "let SensitivityLabels = PurviewDataSensitivityLogs\r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where ActivityType == \"Labeling\" \r\n | extend SensitivityLabel = iff(SensitivityLabel[0] == \"\", \"No Label\", SensitivityLabel[0])\r\n | extend Label = replace(@\"\\\\\", \"/\", SensitivityLabel)\r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType\r\n | summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by SensitivityLabel, Label\r\n | project SensitivityLabel, FileSize, AssetCount, Label\r\n | sort by AssetCount;\r\nSensitivityLabels\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - 
"customWidth": "20", - "name": "Results204" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let NumberofSourcesByRegion = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| where SourceType contains \"Azure\"\r\n// GDPR filter: keep only sources with classification or sensitivity label\r\n| where array_length(todynamic(Classification)) > 0 or array_length(todynamic(SensitivityLabel)) > 0\r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| distinct SourcePath, SourceRegion\r\n| summarize AssetCount = count() by SourceRegion;\r\nNumberofSourcesByRegion", - "size": 0, - "title": "Classified Azure Sources by Region", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "map", - "mapSettings": { - "locInfo": "AzureLoc", - "locInfoColumn": "SourceRegion", - "sizeSettings": "AssetCount", - "sizeAggregation": "Sum", - "legendMetric": "AssetCount", - "legendAggregation": "Sum", - "itemColorSettings": { - "nodeColorField": "AssetCount", - "colorAggregation": "Sum", - "type": "heatmap", - "heatmapPalette": "greenRed" - } - } + ] }, - "customWidth": "50", "conditionalVisibility": { - "parameterName": "Results200", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 2" - }, - { - "type": 3, + "parameterName": "isAzureSQLDatabasesVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Azure SQL Databases", + "id": "b5ddd9df-8a2c-427b-aa5a-97d2c5e81968" + }, + { + "type": 12, "content": { - "version": "KqlItem/1.0", - 
"query": "let MostRecentScanLogs = PurviewDataSensitivityLogs\r\n | where ActivityType == \"Classification\" \r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType ;\r\nlet AllAssets = MostRecentScanLogs\r\n | summarize AssetCount = count() by SourceType;\r\nlet ClassifiedAssets = MostRecentScanLogs\r\n | where Classification != \"[]\"\r\n | summarize AssetClassifiedCount = count() by SourceType;\r\nlet ClassifiedAssetsByResourceType = AllAssets\r\n | join kind= leftouter ClassifiedAssets on SourceType\r\n | extend AssetCount = strcat(AssetCount, \" assets found in total\")\r\n | project SourceType, AssetCount, AssetClassifiedCount;\r\nClassifiedAssetsByResourceType", - "size": 0, - "title": "Total Classified Assets by Resource Type", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "SourceType", - "formatter": 16, - "formatOptions": { - "showIcon": true - } - }, - "leftContent": { - "columnMatch": "AssetClassifiedCount", - "formatter": 12, - "formatOptions": { - "palette": "auto" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 📊 [User & Entity Behavior Analytics (UEBA)](https://docs.microsoft.com/azure/sentinel/identify-threats-with-entity-behavior-analytics)\n---\n\nThis section focuses on 
detecting **anomalous behaviors by users and entities** that may indicate insider threats, compromised accounts, or attempts to exfiltrate personal data. It supports GDPR obligations around **security of processing (Art. 32)** and **accountability (Art. 5(2))** by helping organizations proactively identify suspicious activity that could put personal data at risk. \n\nKey objectives of this section: \n- Highlight **user anomalies** such as unusual access times, geolocations, or activity volumes \n- Detect **high-risk behaviors** flagged by Microsoft’s identity protection and analytics models \n- Monitor **entity risk scores** to prioritize investigations of potentially compromised accounts or devices \n- Correlate **web session anomalies** to identify potential data exfiltration attempts \n- Provide auditors with evidence of **continuous monitoring of user activity and proactive risk detection** \n\nBy reviewing these metrics, analysts can ensure that **unusual or risky behaviors are identified early**, reducing the likelihood of personal data misuse or unauthorized disclosure, and demonstrating effective monitoring controls under GDPR.\n" + }, + "customWidth": "40", + "name": "text - 2", + "id": "974c5eb7-510d-4197-b161-009b709a6e23" }, - "emptyValCustomText": "0" - } - }, - "secondaryContent": { - "columnMatch": "AssetCount" - }, - "showBorder": true - }, - "mapSettings": { - "locInfo": "LatLong", - "sizeSettings": "AssetClassifiedCount", - "sizeAggregation": "Sum", - "legendMetric": "AssetClassifiedCount", - "legendAggregation": "Sum", - "itemColorSettings": { - "type": "heatmap", - "colorAggregation": "Sum", - "nodeColorField": "AssetClassifiedCount", - "heatmapPalette": "greenRed" - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results201", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 25" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let MostRecentScanLogs = 
PurviewDataSensitivityLogs\r\n | where ActivityType == \"Classification\"\r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName) \r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType ;\r\nlet AllAssets = MostRecentScanLogs\r\n| summarize AssetCount = count() by DataSource = SourcePath, SourceRegion, SourceType;\r\nlet ClassifiedAssets = MostRecentScanLogs\r\n| where Classification != \"[]\"\r\n| summarize AssetClassifiedCount = count() by DataSource = SourcePath, SourceRegion, SourceType;\r\nlet AssetsDrilldown = AllAssets\r\n| join kind= leftouter ClassifiedAssets on DataSource, SourceType\r\n| extend PathName = substring(DataSource, 1)\r\n| extend ClassifiedPercentage = round((100.0 * AssetClassifiedCount / AssetCount),1)\r\n| project DataSource, SourceRegion, SourceType, ClassifiedPercentage, AssetClassifiedCount, AssetCount, PathName;\r\nAssetsDrilldown", - "size": 0, - "showAnalytics": true, - "title": "Select 'Data Source' below to view Assets Drilldown", - "timeContextFromParameter": "TimeRange", - "showRefreshButton": true, - "exportFieldName": "PathName", - "exportParameterName": "UserSelectedDataSource", - "exportDefaultValue": "All", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "DataSource", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "25ch" - } - }, - { - "columnMatch": "ClassifiedPercentage", - "formatter": 0, - "formatOptions": { - 
"customColumnWidthSetting": "20ch" + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "10", + "name": "text - 14", + "id": "fece2da2-007f-4d8b-8db5-33fed138796b" }, - "numberFormat": { - "unit": 1, - "options": { - "style": "decimal", - "maximumFractionDigits": 1 - } - } - }, - { - "columnMatch": "AssetClassifiedCount", - "formatter": 2, - "formatOptions": { - "customColumnWidthSetting": "20ch" + { + "type": 1, + "content": { + "json": "| User & Entity Behavior Analytics (UEBA) | - | - |\r\n|:--| :--| :--| \r\n| Anomalous Activity by Geolocation | Anomalous Activity by User & GeoLocation | Entity Behavior Analytics Alerts |\r\n| User Anomalies | User Sign-in Risk Details |ASim WebSession: Detect potential data exfilteration using timeseries anomaly|\r\n| Anomalous Password Reset | Anomalous Failed Logon |Anomalous Geolocation Logon|\r\n| Anomalous AAD Account Manipulation | Anomalous Account Creation |Anomalous Role Assignment|\r\n\r\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range and User." 
+ }, + "customWidth": "40", + "name": "text - 14", + "id": "9205d47c-c3e4-47eb-906a-58d4049ea39a" }, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - }, - "emptyValCustomText": "0" - } - }, - { - "columnMatch": "AssetCount", - "formatter": 2, - "formatOptions": { - "customColumnWidthSetting": "20ch" + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let AnomalySignIns = BehaviorAnalytics\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\r\n| extend FirstTimeUserAction = tostring(ActivityInsights.FirstTimeUserPerformedAction)\r\n| extend UncommonAction = tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\r\n| extend UncommonVolumeOfActions = tostring(ActivityInsights.UncommonHighVolumeOfActions)\r\n| where FirstTimeDeviceLogon == \"True\" or FirstTimeUserAction == \"True\" or UncommonAction == \"True\" or UncommonVolumeOfActions == \"True\";\r\nAnomalySignIns | join (SigninLogs) on UserPrincipalName", + "size": 3, + "showAnalytics": true, + "title": "Anomalous Activity by Geolocation", + "noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). 
See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "map", + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "warning", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UncommonActionVolume", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "UncommonAction", + "formatter": 4, + "formatOptions": { + "palette": "green" + } + }, + { + "columnMatch": "FirstTimeUserAction", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "FirstTimeDeviceLogon", + "formatter": 4, + "formatOptions": { + "palette": "yellow" + } + }, + { + "columnMatch": "IncidentCount", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "AlertCount", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "AnomalyCount", + "formatter": 8, + "formatOptions": { + "palette": "yellow" + } + } + ] + }, + "sortBy": [], + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + 
"showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "latitude_", + "longitude": "longitude_", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "labelSettings": "city_", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "redBright" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results46", + "id": "e93ddfb8-91b4-4787-9ce6-f13d3d17a034" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let AnomalySignIns = BehaviorAnalytics\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\r\n| extend FirstTimeUserAction = tostring(ActivityInsights.FirstTimeUserPerformedAction)\r\n| extend UncommonAction = tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\r\n| extend UncommonVolumeOfActions = tostring(ActivityInsights.UncommonHighVolumeOfActions)\r\n| where FirstTimeDeviceLogon == \"True\" or FirstTimeUserAction == \"True\" or UncommonAction == \"True\" or UncommonVolumeOfActions == \"True\";\r\nAnomalySignIns | join (SigninLogs) on UserPrincipalName\r\n| where SourceIPLocation <> \"\"\r\n| summarize count() by UserPrincipalName, SourceIPLocation\r\n| sort by count_ desc\r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "Anomalous Activity by User & GeoLocation", + "noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). 
See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Location", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "SourceIPLocation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 14", + "id": "c7c0b7ec-26c2-492a-892a-2f74d46f618c" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let AnomalousSigninActivity = BehaviorAnalytics\r\n | where ActionType == \"Sign-in\"\r\n | where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\r\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\r\n or ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\r\n | join (\r\n SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and 
RiskDetail != \"none\"\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indication from AAD\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', '158c047a-c907-4556-b7ef-446551a6b5f7', '62e90394-69f5-4237-9190-012177145e10', 'd29b2b05-8046-44ba-8758-1e26182fcf32', '729827e3-9c14-49f7-bb1b-9608f156bbb8', '966707d0-3269-4727-9be2-8c3a10f19b9d', '194ae4cb-b126-40b2-bd5b-6091b380977d', 'fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c', '7495fdc4-34c4-4d15-a289-98788ce399fd', 'aaf43236-0c0d-4d5f-883a-6955382ac081', '3edaf663-341e-4475-9f94-5c398ef6c070', '7698a772-787b-4ac8-901f-60d6b08affd2', 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', '9f06204d-73c1-4d4c-880a-6edb90606fd8', '29232cdf-9323-42fd-ade2-1d097af3e4de', 'be2f45a1-457d-42af-a067-6ec1fa63bc45', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13', 
'e8611ab8-c189-46e8-94e1-60213ab1f814']);//insider\r\nlet AnomalousRoleAssignment = AuditLogs\r\n | where TimeGenerated > ago(28d)\r\n | where OperationName == \"Add member to role\"\r\n | mv-expand TargetResources\r\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n | where isnotempty(RoleId) and RoleId in (critical, high)\r\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n | where isnotempty(RoleName)\r\n | extend TargetId = tostring(TargetResources.id)\r\n | extend Target = tostring(TargetResources.userPrincipalName)\r\n | join kind=inner (\r\n BehaviorAnalytics\r\n | where ActionType == \"Add member to role\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n )\r\n on $left._ItemId == $right.SourceRecordId\r\n | extend AnomalyName = \"Anomalous Role Assignment\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. 
The query below generates an output of all high Blast Radius users performing Add member to privileged role, or ones that add users for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, RoleName, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; let LogOns=materialize(\r\n BehaviorAnalytics\r\n | where ActivityType == \"LogOn\");\r\nlet AnomalousResourceAccess = LogOns\r\n | where ActionType == \"ResourceAccess\"\r\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n | extend AnomalyName = \"Anomalous Resource Access\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousRDPActivity = LogOns\r\n | where ActionType == \"RemoteInteractiveLogon\"\r\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n | extend AnomalyName = \"Anomalous RDP Activity\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. 
FIN10, for example, has used RDP to move laterally to systems in the victim environment. The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousLogintoDevices = LogOns\r\n | where ActionType == \"InteractiveLogon\"\r\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n | where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\r\n | extend AnomalyName = \"Anomalous Login To Devices\",\r\n Tactic = \"Privilege Escalation\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. 
The query below generates an output of all administrator users performing an interactive logon (4624:2) to a device for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousPasswordReset = BehaviorAnalytics\r\n | where ActionType == \"Reset user password\"\r\n | where ActivityInsights.FirstTimeUserPerformedAction == \"True\"\r\n | join (\r\n AuditLogs\r\n | where OperationName == \"Reset user password\"\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | mv-expand TargetResources\r\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(TargetResources.userPrincipalName, \"#\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Password Reset\",\r\n Tactic = \"Impact\",\r\n Technique = \"Account Access Removal\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority\r\n | sort by TimeGenerated desc;\r\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\r\n | where ActionType == \"Sign-in\"\r\n | where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\r\n | join (\r\n SigninLogs\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Initial Access\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousFailedLogon = BehaviorAnalytics\r\n | where ActivityType == \"LogOn\"\r\n | where UsersInsights.BlastRadius == \"High\"\r\n | join (\r\n SigninLogs \r\n | where Status.errorCode == 50126\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Failed Logon\",\r\n Tactic = \"Credential Access\",\r\n Technique = \"Brute Force\",\r\n SubTechnique = \"Password Guessing\",\r\n Description = \"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousAADAccountManipulation = AuditLogs\r\n | where OperationName == \"Update user\"\r\n | mv-expand AdditionalDetails\r\n | where AdditionalDetails.key == \"UserPrincipalName\"\r\n | mv-expand TargetResources\r\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n | where isnotempty(RoleId) and RoleId in (critical, high)\r\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n | where isnotempty(RoleName)\r\n | extend TargetId = tostring(TargetResources.id)\r\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(TargetResources.userPrincipalName, \"#\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\r\n | join kind=inner ( \r\n BehaviorAnalytics\r\n | where ActionType == \"Update user\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n )\r\n on $left._ItemId == $right.SourceRecordId\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName) \r\n | extend AnomalyName = \"Anomalous Account Manipulation\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may 
manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to privileged role, or ones that changed users for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, RoleName, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\r\n | where ActionType == \"Add user\"\r\n | where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\r\n | join(\r\n AuditLogs\r\n | where OperationName == \"Add user\"\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | mv-expand TargetResources\r\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(TargetResources.userPrincipalName, \"#\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\r\n | extend DisplayName = tostring(UsersInsights.AccountDisplayName),\r\n UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Account Creation\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Create Account\",\r\n SubTechnique = \"Cloud Account\",\r\n Description = \"Adversaries may create 
a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\"\t\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority\r\n | sort by TimeGenerated desc;\r\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\r\nlet TopUsersByAnomalies = AnomalyTable\r\n | summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\r\n | project Name=tolower(UserName), UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\r\n | sort by AnomalyCount desc;\r\nlet TopUsersByIncidents = SecurityIncident\r\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n | where Status == \"New\" or Status == \"Active\"\r\n | mv-expand AlertIds\r\n | extend AlertId = tostring(AlertIds)\r\n | join kind= innerunique ( \r\n SecurityAlert \r\n )\r\n on $left.AlertId == $right.SystemAlertId\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = 
tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"])\r\n | extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n | union TopUsersByAnomalies\r\n | extend \r\n AadPivot = iff(isempty(AadUserId), iff(isempty(Sid), Name, Sid), AadUserId),\r\n SidPivot = iff(isempty(Sid), iff(isempty(AadUserId), Name, AadUserId), Sid),\r\n UPNExists = iff(isempty(UPN), false, true),\r\n NameExists = iff(isempty(Name), false, true),\r\n SidExists = iff(isempty(Sid), false, true),\r\n AADExists = iff(isempty(AadUserId), false, true)\r\n | summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber, 4), AlertCount=dcountif(AlertId, isnotempty(AlertId), 4), AnomalyCount=sum(AnomalyCount), any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true), NameAnchor=anyif(Name, NameExists == true), AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true), any(SidPivot) by AadPivot\r\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title, any_Severity, any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\r\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), AadAnchor=anyif(AadAnchor, 
isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity, any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\r\n | project [\"UserName\"]=NameAnchor, IncidentCount, AlertCount, AnomalyCount, [\"AadUserId\"]=AadAnchor, [\"OnPremSid\"]=SidAnchor, [\"UserPrincipalName\"]=UPNAnchor;\r\nTopUsersByIncidents\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| project UserPrincipalName, IncidentCount, AlertCount, AnomalyCount\r\n| sort by AlertCount desc\r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "Entity Behavior Analytics Alerts", + "noDataMessage": "No results, Confirm Sentinel Entity Behavior is Enabled", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentCount", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "AlertCount", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "AnomalyCount", + "formatter": 8, + "formatOptions": { + "palette": "yellow" + } + } + ], + "rowLimit": 2500, + "filter": true, + "sortBy": [ + { + "itemKey": "$gen_heatmap_AlertCount_2", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "$gen_heatmap_AlertCount_2", + "sortOrder": 2 + } + ], + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + 
"palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "query - 1", + "styleSettings": { + "maxWidth": "50" + }, + "id": "ff2e4961-6e1b-4492-bf8c-9c1740fc408c" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UncommonActionVolume = BehaviorAnalytics\r\n| extend UncommonActionVolume = tostring(ActivityInsights.UncommonHighVolumeOfActions)\r\n| where UncommonActionVolume == \"True\"\r\n| summarize count() by UserPrincipalName\r\n| project-rename UncommonActionVolume = count_;\r\nlet UncommonAction = BehaviorAnalytics\r\n| extend UncommonAction = tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\r\n| where UncommonAction == \"True\"\r\n| summarize count() by UserPrincipalName\r\n| project-rename UncommonAction = count_;\r\nlet Uncommon = UncommonActionVolume | join(UncommonAction) on UserPrincipalName;\r\nlet FirstTimeDeviceLogon = BehaviorAnalytics\r\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\r\n| where FirstTimeDeviceLogon == \"True\"\r\n| summarize count() by UserPrincipalName\r\n| project-rename FirstTimeDeviceLogon = count_;\r\nlet FirstTimeUserAction = BehaviorAnalytics\r\n| extend 
FirstTimeUserAction = tostring(ActivityInsights.FirstTimeUserPerformedAction)\r\n| where FirstTimeUserAction == \"True\"\r\n| summarize count() by UserPrincipalName\r\n| project-rename FirstTimeUserAction = count_;\r\nlet FirstTime = FirstTimeUserAction | join(FirstTimeDeviceLogon) on UserPrincipalName;\r\nUncommon | join kind=fullouter(FirstTime) on UserPrincipalName\r\n| where UserPrincipalName <> \"\"\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| project UserPrincipalName, UncommonActionVolume, UncommonAction, FirstTimeUserAction, FirstTimeDeviceLogon\r\n| sort by UncommonActionVolume desc \r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "User Anomalies", + "noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UncommonActionVolume", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "UncommonAction", + "formatter": 4, + "formatOptions": { + "palette": "green" + } + }, + { + "columnMatch": "FirstTimeUserAction", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "FirstTimeDeviceLogon", + "formatter": 4, + "formatOptions": { + "palette": "yellow" + } + }, + { + 
"columnMatch": "IncidentCount", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "AlertCount", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "AnomalyCount", + "formatter": 8, + "formatOptions": { + "palette": "yellow" + } + } + ], + "filter": true, + "sortBy": [ + { + "itemKey": "$gen_bar_FirstTimeDeviceLogon_4", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "$gen_bar_FirstTimeDeviceLogon_4", + "sortOrder": 2 + } + ], + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "query - 4", + "styleSettings": { + "maxWidth": "50" + }, + "id": "951c5fc4-a44b-408c-b0f6-3f0644d950bb" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AADUserRiskEvents\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| extend UserProfile = strcat(\"#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\",UserId)\r\n| extend 
countryOrRegion_ = tostring(Location.countryOrRegion)\r\n| extend city_ = tostring(Location.city)\r\n| extend state_ = tostring(Location.state)\r\n| extend latitude_ = tostring(parse_json(tostring(Location.geoCoordinates)).latitude)\r\n| extend longitude_ = tostring(parse_json(tostring(Location.geoCoordinates)).longitude)\r\n| distinct UserPrincipalName, UserProfile, RiskLevel, RiskEventType, city_, state_, countryOrRegion_, UserId\r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "User Sign-in Risk Details", + "noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See How To: Configure and enable Microsoft Entra ID: Identity Protection risk policies (https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies)", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "OpenBlade", + "linkLabel": "EntraID User Profile >>", + "bladeOpenContext": { + "bladeName": "UserDetailsMenuBlade", + "extensionName": "Microsoft_AAD_IAM", + "bladeParameters": [ + { + "name": "userId", + "source": "column", + "value": "UserId" + } + ] + } + } + }, + { + "columnMatch": "RiskLevel", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "high", + "representation": "Sev0", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "medium", + 
"representation": "Sev1", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "low", + "representation": "Sev2", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Sev3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserId", + "formatter": 5 + } + ], + "filter": true + } + }, + "name": "query - 14", + "id": "ba8fecab-c220-4941-b768-e36aacb8302d" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let start = {TimeRange:grain};\r\nlet end = 1d;\r\nlet timeframe = 1h;\r\nlet scorethreshold = 5;\r\nlet bytessentperhourthreshold = 10;\r\nlet TimeSeriesData = _Im_WebSession(starttime=start, endtime=now())\r\n | where isnotempty(DstIpAddr)\r\n and not(ipv4_is_private(DstIpAddr))\r\n | summarize SrcBytesSum=tolong(sum(SrcBytes)) by EventProduct, bin(TimeGenerated, 1h)\r\n | extend EventTime = TimeGenerated\r\n | make-series TotalBytesSent = sum(SrcBytesSum) on EventTime from startofday(ago(start)) to startofday(now()) step timeframe by EventProduct;\r\n// TimeSeriesData block ends here\r\n//Take only anomalies in TimeSeriesData\r\nlet TimeSeriesAnomalies = materialize(TimeSeriesData\r\n | extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, 'linefit')\r\n | mv-expand\r\n TotalBytesSent to typeof(long),\r\n EventTime to typeof(datetime),\r\n anomalies to typeof(double),\r\n score to typeof(double),\r\n baseline to typeof(long)\r\n | where anomalies > 0 and baseline > 0\r\n | extend AnomalyHour = EventTime\r\n | extend\r\n TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024) / 1024), 2),\r\n BaselineBytesSentinMBperHour = round(((baseline / 1024) / 1024), 2),\r\n score = round(score, 2)\r\n | project\r\n EventProduct,\r\n AnomalyHour,\r\n TotalBytesSentinMBperHour,\r\n BaselineBytesSentinMBperHour,\r\n anomalies,\r\n score\r\n //| where AnomalyHour between (startofday(ago(end)) .. 
startofday(now())) // Get TimeSeriesAnomalies in previous day\r\n );\r\n let AnomalyHours = materialize (TimeSeriesAnomalies\r\n | project AnomalyHour);\r\n //Previous day aggregated per hour\r\n let Last14DayLogs = \r\n _Im_WebSession(starttime=start, endtime=now())\r\n | extend DateHour = bin(TimeGenerated, timeframe) // create a new column and round to hour\r\n | where DateHour in (AnomalyHours) // Filter dataset to include only anomaly AnomalyHours\r\n | where isnotempty(DstIpAddr) and isnotempty(SrcIpAddr) and isnotempty(SrcBytes)\r\n | where not(ipv4_is_private(DstIpAddr))\r\n | project\r\n TimeGenerated,\r\n DateHour,\r\n DstIpAddr,\r\n SrcIpAddr,\r\n SrcBytes,\r\n DstBytes,\r\n DstPortNumber,\r\n EventProduct\r\n | summarize\r\n HourlyCount = count(),\r\n TimeGeneratedMax = arg_max(TimeGenerated, *),\r\n DestinationIPList = make_set(DstIpAddr, 100),\r\n DestinationPortList = make_set(DstPortNumber, 100),\r\n TotalSentBytes = tolong(sum(SrcBytes)),\r\n TotalReceivedBytes = tolong(sum(DstBytes))\r\n by SrcIpAddr, EventProduct, TimeGeneratedHour = bin(TimeGenerated, timeframe)\r\n | extend\r\n SentBytesinMB = ((TotalSentBytes / 1024) / 1024),\r\n ReceivedBytesinMB = ((TotalReceivedBytes / 1024) / 1024)\r\n | where SentBytesinMB > bytessentperhourthreshold\r\n | sort by TimeGeneratedHour asc, SentBytesinMB desc\r\n | extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\r\n | where Rank <= 10 // Selecting Top 10 records with Highest BytesSent in each Hour\r\n | project\r\n EventProduct,\r\n TimeGeneratedHour,\r\n TimeGeneratedMax,\r\n SrcIpAddr,\r\n DestinationIPList,\r\n DestinationPortList,\r\n SentBytesinMB,\r\n ReceivedBytesinMB,\r\n Rank,\r\n HourlyCount;\r\n Last14DayLogs", + "size": 0, + "showAnalytics": true, + "title": "ASim WebSession: Detect potential data exfilteration using timeseries anomaly", + "noDataMessage": "There are no results within the selected thresholds.", + 
"showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "OpenBlade", + "linkLabel": "EntraID User Profile >>", + "bladeOpenContext": { + "bladeName": "UserDetailsMenuBlade", + "extensionName": "Microsoft_AAD_IAM", + "bladeParameters": [ + { + "name": "userId", + "source": "column", + "value": "UserId" + } + ] + } + } + }, + { + "columnMatch": "RiskLevel", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "high", + "representation": "Sev0", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "medium", + "representation": "Sev1", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "low", + "representation": "Sev2", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Sev3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserId", + "formatter": 5 + } + ], + "filter": true + } + }, + "name": "query - 14", + "id": "fc5230a6-7aca-46f1-bcc5-3c9ea812f322" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "BehaviorAnalytics\r\n| where ActionType == \"Reset user password\"\r\n| where ActivityInsights has \"True\"\r\n| join (\r\n AuditLogs\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n| mv-expand TargetResources\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) has \"#EXT#\", replace(\"_\", \"@\", tostring(split(TargetResources.userPrincipalName, \"#\")[0])), 
TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\r\n| extend UserPrincipalName = iff(UserPrincipalName has \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName has \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n| sort by TimeGenerated desc\r\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName\r\n| sort by count_ desc\r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "Anomalous Password Reset", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "IPAddress", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + 
"legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results50", + "styleSettings": { + "maxWidth": "50" + }, + "id": "c93f91e7-272c-4458-bd02-99e8c69fff8f" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "BehaviorAnalytics\r\n| where ActivityType == \"LogOn\"\r\n| where UsersInsights.BlastRadius == \"High\"\r\n| join (\r\nSigninLogs | where Status.errorCode == 50126\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName\r\n| sort by count_ desc\r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "Anomalous Failed Logon", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": 
"IPAddress", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ] + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results51", + "styleSettings": { + "maxWidth": "50" + }, + "id": "eeb331e6-f62c-4916-b83d-db3a707542f2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "BehaviorAnalytics\r\n| where ActionType == \"Sign-in\"\r\n| where ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True and ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True\r\n | join (\r\nSigninLogs\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by 
UserPrincipalName\r\n| sort by count_ desc\r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "Anomalous Geolocation Logon", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IPAddress", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ] + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results52", + "styleSettings": { + "maxWidth": "50" + }, + "id": "0efbb157-26f6-4649-a044-ff83f4df1c7d" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Critical Roles: can impersonate any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users 
hence gaining more privileges so users with this role are equally critical)\r\n//High Roles: Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app\r\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\r\nAuditLogs\r\n| where OperationName == \"Update user\"\r\n| mv-expand AdditionalDetails\r\n| mv-expand TargetResources\r\n| where AdditionalDetails.key == \"UserPrincipalName\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where RoleId in (critical,high)\r\n| where isnotempty(RoleId) or isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) has \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( BehaviorAnalytics\r\n) on $left._ItemId == $right.SourceRecordId\r\n| where UsersInsights.BlastRadius == \"High\" or ActivityInsights has 
\"True\"\r\n| extend UserPrincipalName = iff(UserPrincipalName has \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName has \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName) \r\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName\r\n| sort by count_ desc\r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "Anomalous AAD Account Manipulation", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IPAddress", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ] + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": 
"thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results53", + "styleSettings": { + "maxWidth": "50" + }, + "id": "507a34c7-a19a-459b-889c-f0aeb675dc6f" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Critical Roles: can impersonate any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)\r\n//High Roles: Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app\r\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\r\nAuditLogs\r\n| where OperationName == \"Add user\"\r\n| mv-expand AdditionalDetails\r\n| mv-expand TargetResources\r\n| where AdditionalDetails.key == \"UserPrincipalName\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| extend RoleName 
= tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where RoleId in (critical,high)\r\n| where isnotempty(RoleId) or isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) has \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( BehaviorAnalytics\r\n) on $left._ItemId == $right.SourceRecordId\r\n| where UsersInsights.BlastRadius == \"High\" or ActivityInsights has \"True\"\r\n| extend UserPrincipalName = iff(UserPrincipalName has \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName has \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName) \r\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName\r\n| sort by count_ desc\r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "Anomalous Account Creation", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IPAddress", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + 
"operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ] + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results54", + "styleSettings": { + "maxWidth": "50" + }, + "id": "9ce7206a-77de-4e57-91b3-0cf2128d3106" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\r\nAuditLogs\r\n| where OperationName == \"Add member to role\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| extend RoleName = 
tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where RoleId in (critical,high)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = tostring(TargetResources.userPrincipalName)\r\n| where isnotempty(RoleId) or isnotempty(RoleName)\r\n| join kind=inner ( BehaviorAnalytics\r\n) on $left._ItemId == $right.SourceRecordId\r\n| where UsersInsights.BlasrRadius == \"High\" or ActivityInsights has \"True\"\r\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName\r\n| sort by count_ desc\r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "Anomalous Role Assignment", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IPAddress", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ] + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + 
"sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results55", + "styleSettings": { + "maxWidth": "50" + }, + "id": "2b2c0989-48e3-40c2-aeec-f472e8ed35e1" } - }, - { - "columnMatch": "PathName", - "formatter": 5 - } - ], - "filter": true, - "sortBy": [ - { - "itemKey": "SourceType", - "sortOrder": 2 - } - ], - "labelSettings": [ - { - "columnId": "DataSource", - "label": "Data Source" - }, - { - "columnId": "SourceRegion", - "label": "Source Region" - }, - { - "columnId": "SourceType", - "label": "Source Type" - }, - { - "columnId": "ClassifiedPercentage", - "label": "% Classified" - }, - { - "columnId": "AssetClassifiedCount", - "label": "Classified Assets" - }, - { - "columnId": "AssetCount", - "label": "Total Assets" - }, - { - "columnId": "PathName", - "label": "Source Path" - } ] - }, - "sortBy": [ - { - "itemKey": "SourceType", - "sortOrder": 2 - } - ] }, - "customWidth": "50", "conditionalVisibility": { - "parameterName": "Results202", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 8", - "styleSettings": { - "showBorder": true - } - }, - { - "type": 3, + "parameterName": "isUEBAVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Entity Insights", + "id": "4fdf82dc-6871-4a32-9e24-231da0f8d0f4" + }, + { + "type": 12, "content": { - "version": "KqlItem/1.0", - "query": "let MostRecentScanLogs = PurviewDataSensitivityLogs\r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | 
where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | where \"{UserSelectedDataSource:label}\" == \"All\" or (SourcePath contains \"{UserSelectedDataSource:label}\")\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType ;\r\nlet ClassificationCounts = MostRecentScanLogs\r\n | where ActivityType == \"Classification\"\r\n | mv-expand Classification\r\n | summarize ClassificationCount= count(todynamic(Classification)) by AssetPath\r\n | project ClassificationCount, AssetPath;\r\nlet ClassifiedAssetsWithCounts = MostRecentScanLogs\r\n | where ActivityType == \"Classification\"\r\n | join kind= leftouter ClassificationCounts on AssetPath\r\n | summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, Classification, ClassificationCount, ClassificationTrigger, ClassificationDetails, SourceScanId) by AssetPath ;\r\nlet LabeledAssets = MostRecentScanLogs\r\n | where ActivityType == \"Labeling\" \r\n | mv-expand SensitivityLabel to typeof(string)\r\n | where SensitivityLabel != int(null)\r\n | mv-expand SensitivityLabelDetails\r\n | summarize arg_max(SensitivityLabel, SourceType, SensitivityLabelTrigger, SensitivityLabelDetails) by AssetPath\r\n | project AssetPath, SensitivityLabel, SensitivityLabelTrigger, SensitivityLabelDetails;\r\nlet ClassificationCountWithSensitivityInformation = ClassifiedAssetsWithCounts\r\n | join kind= leftouter LabeledAssets on AssetPath\r\n | project\r\n TimeGenerated,\r\n PurviewTenantId,\r\n PurviewAccountName,\r\n PurviewRegion,\r\n AssetName,\r\n AssetPath,\r\n AssetType,\r\n AssetCreationTime,\r\n 
AssetModifiedTime,\r\n AssetLastScanTime,\r\n FileExtension,\r\n FileSize,\r\n ActivityType,\r\n ClassificationTrigger,\r\n Classification,\r\n ClassificationCount,\r\n ClassificationDetails,\r\n SensitivityLabelTrigger,\r\n SensitivityLabel,\r\n SensitivityLabelDetails,\r\n SourceName,\r\n SourceType,\r\n SourcePath,\r\n SourceSubscriptionId,\r\n SourceRegion,\r\n SourceCollectionName,\r\n SourceScanId\r\n | sort by ClassificationCount;\r\nClassificationCountWithSensitivityInformation", - "size": 0, - "showAnalytics": true, - "title": "Assets Drilldown", - "timeContextFromParameter": "TimeRange", - "showRefreshButton": true, - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 5 - }, - { - "columnMatch": "PurviewTenantId", - "formatter": 5 - }, - { - "columnMatch": "PurviewAccountName", - "formatter": 5 - }, - { - "columnMatch": "PurviewRegion", - "formatter": 5 - }, - { - "columnMatch": "AssetName", - "formatter": 5 - }, - { - "columnMatch": "AssetPath", - "formatter": 7, - "formatOptions": { - "linkTarget": "GenericDetails", - "linkIsContextBlade": true, - "customColumnWidthSetting": "60ch" - } - }, - { - "columnMatch": "AssetType", - "formatter": 5 - }, - { - "columnMatch": "AssetCreationTime", - "formatter": 5 - }, - { - "columnMatch": "AssetModifiedTime", - "formatter": 5 - }, - { - "columnMatch": "AssetLastScanTime", - "formatter": 5 - }, - { - "columnMatch": "FileExtension", - "formatter": 5 - }, - { - "columnMatch": "FileSize", - "formatter": 5 - }, - { - "columnMatch": "ActivityType", - "formatter": 5 - }, - { - "columnMatch": "Classification", - "formatter": 5 - }, - { - "columnMatch": "ClassificationCount", - "formatter": 4, - "formatOptions": { - "palette": "blue" + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 
📂 [Microsoft 365 Activity](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender)\n---\n\nThis section monitors **user and administrator activities across Microsoft 365 services** such as Exchange, SharePoint, OneDrive, and Teams. It supports GDPR obligations for **integrity and confidentiality of personal data (Art. 5(1)(f))**, **records of processing activities (Art. 30)**, and **security of processing (Art. 32)** by ensuring that access and modifications to personal data are visible, traceable, and appropriately controlled. \n\nKey objectives of this section: \n- Track **file activity actions** to identify how sensitive data is being accessed, shared, or modified \n- Detect **risky behaviors** such as external sharing, non-owner mailbox access, or unusual PowerShell sign-ins \n- Monitor for **policy tampering, malicious inbox rules, and Exchange audit log changes** that could undermine data protection \n- Identify **unusual user behaviors in Teams and SharePoint**, including mass deletions, uploads, or operations from previously unseen devices or IPs \n- Provide auditors with detailed evidence of **user actions, administrative changes, and protections applied to personal data** \n\nBy analyzing these metrics, analysts can validate that **personal data within Microsoft 365 is accessed and processed lawfully**, and that the organization maintains robust monitoring to detect misuse or unauthorized disclosures.\n" + }, + "customWidth": "40", + "name": "text - 2", + "id": "57c68865-5820-4227-899e-5ab7145b5897" }, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - }, - "emptyValCustomText": "0" - } - }, - { - "columnMatch": "ClassificationDetails", - "formatter": 5 - }, - { - "columnMatch": "SensitivityLabelTrigger", - "formatter": 5 - }, - { - "columnMatch": "SensitivityLabel", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - }, - "emptyValCustomText": "No Label" - } - }, - { - 
"columnMatch": "SensitivityLabelDetails", - "formatter": 5 - }, - { - "columnMatch": "SourceName", - "formatter": 5 - }, - { - "columnMatch": "SourceType", - "formatter": 5 - }, - { - "columnMatch": "SourcePath", - "formatter": 13, - "formatOptions": { - "linkTarget": "Resource", - "showIcon": true - } - }, - { - "columnMatch": "SourceSubscriptionId", - "formatter": 5 - }, - { - "columnMatch": "SourceRegion", - "formatter": 5 - }, - { - "columnMatch": "SourceCollectionName", - "formatter": 5 - }, - { - "columnMatch": "SourceScanId", - "formatter": 5 - }, - { - "columnMatch": "PurviewSubscriptionId", - "formatter": 5 - }, - { - "columnMatch": "SourceOwner", - "formatter": 5 - }, - { - "columnMatch": "AssetOwner", - "formatter": 5 - }, - { - "columnMatch": "ClassificationActivityTrigger", - "formatter": 5 - }, - { - "columnMatch": "SensitivityLabelActivityTrigger", - "formatter": 5 - }, - { - "columnMatch": "SensitivityLabelGuid", - "formatter": 5 - }, - { - "columnMatch": "UserId", - "formatter": 5 - }, - { - "columnMatch": "ActivityTrigger", - "formatter": 5 - }, - { - "columnMatch": "SensitivityLabelName", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "25ch" - } - } - ], - "rowLimit": 1000, - "filter": true, - "labelSettings": [ - { - "columnId": "AssetPath", - "label": "Asset Path" - }, - { - "columnId": "ClassificationCount", - "label": "Classifications" - }, - { - "columnId": "SensitivityLabel", - "label": "Sensitivity Label" - }, - { - "columnId": "SourcePath", - "label": "Data Source" - } - ] - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results202", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 9", - "styleSettings": { - "showBorder": true - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let MostRecentScanLogs = PurviewDataSensitivityLogs\r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ 
(split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where ActivityType == \"Classification\" \r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType;\r\nlet Classifications = MostRecentScanLogs\r\n| summarize arg_max(TimeGenerated, Classification, FileSize, AssetType) by AssetPath \r\n| extend classifications = split(Classification, ',')\r\n| mv-expand classifications\r\n| extend Classification = trim(@\"[^\\w]+\", tostring(classifications))\r\n| where Classification != \"\"\r\n| summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by Classification\r\n| project Classification, AssetCount, FileSize;\r\nClassifications\r\n", - "size": 0, - "showAnalytics": true, - "title": "Select 'Classification' below to view Classification Drilldown", - "timeContextFromParameter": "TimeRange", - "showRefreshButton": true, - "exportFieldName": "Classification", - "exportParameterName": "UserSelectedClassification", - "exportDefaultValue": "All", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Classification", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "50ch" + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "10", + "name": "text - 56", + "id": "c5e09a1b-95c1-4d7d-914a-17597d2874c4" }, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - }, - "emptyValCustomText": "No Classifications" - } - }, - { - "columnMatch": "AssetCount", - "formatter": 4, - "formatOptions": { - 
"palette": "blue", - "customColumnWidthSetting": "25ch" - } - }, - { - "columnMatch": "FileSize", - "formatter": 8, - "formatOptions": { - "palette": "blue", - "customColumnWidthSetting": "25ch" - } - } - ], - "filter": true, - "sortBy": [ - { - "itemKey": "$gen_bar_AssetCount_1", - "sortOrder": 2 - } - ], - "labelSettings": [ - { - "columnId": "AssetCount", - "label": "Classified Asset Count" - }, - { - "columnId": "FileSize", - "label": "Total Size of Files (MB)" - } - ] - }, - "sortBy": [ - { - "itemKey": "$gen_bar_AssetCount_1", - "sortOrder": 2 - } - ], - "tileSettings": { - "showBorder": false, - "titleContent": { - "columnMatch": "Classification", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Size", - "formatter": 12, - "formatOptions": { - "palette": "auto" - }, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } - } - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results203", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 4 - Copy", - "styleSettings": { - "showBorder": true - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let MostRecentScanLogs = PurviewDataSensitivityLogs\r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where ActivityType == \"Classification\" \r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType;\r\nlet ClassificationsDrilldown = MostRecentScanLogs\r\n| extend classifications = split(Classification, 
',')\r\n| mv-expand classifications\r\n| extend SelectedClassification = trim(@\"[^\\w]+\", tostring(classifications))\r\n| where SelectedClassification != \"\"\r\n| where \"{UserSelectedClassification:label}\" == \"All\" or (split(\"{UserSelectedClassification:label}\", \", \") contains SelectedClassification)\r\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationTrigger, Classification, ClassificationDetails, SourceScanId) by AssetPath \r\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationTrigger, Classification, ClassificationDetails, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceScanId;\r\nClassificationsDrilldown\r\n| take 100", - "size": 0, - "showAnalytics": true, - "title": "Classifications Drilldown- Asset Level", - "timeContextFromParameter": "TimeRange", - "showRefreshButton": true, - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 5 - }, - { - "columnMatch": "PurviewTenantId", - "formatter": 5 - }, - { - "columnMatch": "PurviewAccountName", - "formatter": 5 - }, - { - "columnMatch": "PurviewRegion", - "formatter": 5 - }, - { - "columnMatch": "AssetName", - "formatter": 5 - }, - { - "columnMatch": "AssetPath", - "formatter": 7, - "formatOptions": { - "linkTarget": "GenericDetails", - "linkIsContextBlade": true, - "customColumnWidthSetting": "70ch" - } - }, - { - "columnMatch": "AssetType", - "formatter": 5 - }, - { - 
"columnMatch": "AssetCreationTime", - "formatter": 5 - }, - { - "columnMatch": "AssetModifiedTime", - "formatter": 5 - }, - { - "columnMatch": "AssetLastScanTime", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "30ch" - } - }, - { - "columnMatch": "FileExtension", - "formatter": 5 - }, - { - "columnMatch": "FileSize", - "formatter": 5 - }, - { - "columnMatch": "ActivityType", - "formatter": 5 - }, - { - "columnMatch": "Classification", - "formatter": 5 - }, - { - "columnMatch": "SourceName", - "formatter": 5 - }, - { - "columnMatch": "SourceType", - "formatter": 5 - }, - { - "columnMatch": "SourcePath", - "formatter": 13, - "formatOptions": { - "linkTarget": "Resource", - "showIcon": true + { + "type": 1, + "content": { + "json": "| Microsoft 365 Activity | - | - | \r\n|:--| :--| :--|\r\n| File Activity Actions | File Activity Actions over Time | Most Frequently Accessed Files |\r\n| File Transfer Activity by User Over Time | File activity by external users | Previously Unseen Exchange Admin Operations (Last 1 Day) |\r\n| SharePoint File Operations by Users from Previously Unseen IPs | SharePointFileOperation via Devices with Previously Unseen User Agents |Non-Owner Mailbox Login Activity |\r\n| PowerShell or Non-Browser Mailbox Sign-In Activity | Multiple Teams Deleted by a Single User | User Added to Team and Immediately Uploads File |\r\n|Executable with Double File Extension and Acces Summary |Mail Redirect via Exchange Transport Rules | Email Forwarding|\r\n| User Added as Owner of Multiple Teams | Exchange Audit Log Disabled | Malicious Inbox Rule: Removing Helpdesk/Security Warning Emails|\r\n|Office Policy Tampering |Windows Reserved Filenames Staged on Office File Services|\r\n\r\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range and User. 
Only panels with data are shown.\r\n" + }, + "customWidth": "50", + "name": "SI OV", + "id": "e4f95345-1aa3-4e41-ab91-c7a0b40b0261" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "51f438d6-e64f-4e00-9cb4-a3be91405e38", + "version": "KqlParameterItem/1.0", + "name": "Classifications", + "type": 2, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "PurviewDataSensitivityLogs\r\n| where Classification != \"[]\"\r\n| mv-expand Classification // expand array if multiple classifications exist\r\n| extend Classification = tostring(Classification)\r\n| summarize by Classification\r\n| order by Classification asc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "All", + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + } + ], + "style": "pills" + }, + "customWidth": "10", + "name": "parameters - 41", + "id": "207667fc-4156-48aa-9111-61b4b67446ac" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "c4a56865-2460-45f6-b264-a1040b7b3818", + "version": "KqlParameterItem/1.0", + "name": "SensitivityLabels", + "type": 2, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "PurviewDataSensitivityLogs\r\n| where SensitivityLabel != \"[]\"\r\n| mv-expand SensitivityLabel // expand array if multiple classifications exist\r\n| extend SensitivityLabel = tostring(SensitivityLabel)\r\n| summarize by SensitivityLabel\r\n| order by SensitivityLabel asc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "All", + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + 
"resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills" + }, + "customWidth": "10", + "name": "parameters - 41 - Copy", + "id": "f1651e12-4a6e-4b02-97d7-3bf750d10cc6" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "80", + "name": "text - 43", + "id": "5c7c0385-6a5c-4af0-9508-e52ee6156221" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| where Operation contains \"file\"\r\n| extend Path = OfficeObjectId\r\n| summarize count() by UserId, Operation\r\n| sort by count_ desc\r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "File Activity Actions", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "UserPrincipalName", + 
"formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results80", + "styleSettings": { + "maxWidth": "50" + }, + "id": "73ba9144-a5aa-46f7-8aee-f9e03e2d9a45" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let PurviewClassifiedFiles = 
\r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| where Operation contains \"file\"\r\n| extend Path = OfficeObjectId\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Operation\r\n| render timechart\r\n", + "size": 0, + "showAnalytics": true, + "title": "File Activity Actions over Time", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + 
"formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results80b", + "styleSettings": { + "maxWidth": "50" + }, + "id": "714bf669-7d44-4290-af84-7903d9b29ae1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| where Operation contains \"file\"\r\n| summarize count() by UserId, SourceFileName, SourceFileExtension, OfficeObjectId \r\n| sort by count_ desc\r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "Most Frequently Accessed Files", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + 
"formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "SourceFileName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "info", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeObjectId", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + 
"mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results80d", + "styleSettings": { + "maxWidth": "50" + }, + "id": "9556ed93-445e-4db5-966a-daa3565b8172" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\n//let startTime = {TimeRange:grain}; // Adjust as needed\r\nOfficeActivity\r\n//| where TimeGenerated >= startTime\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| where EventSource == \"SharePoint\" and OfficeWorkload has_any(\"SharePoint\", \"OneDrive\") and Operation has_any (\"FileDownloaded\", \"FileSyncDownloadedFull\", \"FileSyncUploadedFull\", \"FileUploaded\")\r\n| summarize UploadedFiles = count() by bin(TimeGenerated, 1h), UserId\r\n| order by TimeGenerated asc\r\n| render timechart\r\n", + "size": 0, + "title": "File Transfer Activity by User Over Time", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "query - 47", + "styleSettings": { + "maxWidth": "50" + }, + "id": "b9fd7530-56ba-4f6c-9b45-8f5a4d6176ff" + }, + { + "type": 3, + "content": { + 
"version": "KqlItem/1.0", + "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| where ExternalAccess == \"True\"\r\n| summarize count() by UserId\r\n| sort by count_ desc\r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "File activity by external users", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": 
"blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results83", + "styleSettings": { + "maxWidth": "50" + }, + "id": "853239f9-e304-48c6-bc26-5678f6bc886e" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let starttime = {TimeRange:grain};\r\nlet endtime = 1d;\r\nlet historicalActivity=\r\n OfficeActivity\r\n | where TimeGenerated between(ago(starttime)..ago(endtime))\r\n | where RecordType == \"ExchangeAdmin\" \r\n | summarize historicalCount=count() by UserId;\r\nlet recentActivity = OfficeActivity\r\n | where UserId in ({UserPrincipalName})\r\n | where TimeGenerated > ago(endtime)\r\n | summarize recentCount=count() by UserId;\r\nrecentActivity\r\n| join kind = leftanti (\r\n historicalActivity\r\n )\r\n on UserId\r\n| project UserId, recentCount\r\n| order by recentCount asc, UserId\r\n| join kind = rightsemi \r\n (OfficeActivity \r\n | where TimeGenerated >= ago(endtime) \r\n | where RecordType == \"ExchangeAdmin\")\r\n on UserId\r\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by RecordType, Operation, UserType, UserId, OriginatingServer, ResultStatus\r\n| sort by count_ desc\r\n| take 100", + "size": 0, + 
"showAnalytics": true, + "title": "Previously Unseen Exchange Admin Operations (Last 1 Day)", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + 
"itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results85", + "styleSettings": { + "maxWidth": "50" + }, + "id": "334fe5d0-1ab3-41ff-ab61-1988bbe3642b" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nlet starttime = {TimeRange:grain};\r\nlet endtime = 1d;\r\nlet historicalActivity=\r\n OfficeActivity\r\n | where RecordType == \"SharePointFileOperation\"\r\n | where Operation in (\"FileDownloaded\", \"FileUploaded\")\r\n | where TimeGenerated between(ago(starttime)..ago(endtime))\r\n | summarize historicalCount=count() by ClientIP;\r\nlet recentActivity = OfficeActivity\r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n | where RecordType == \"SharePointFileOperation\"\r\n | where Operation in (\"FileDownloaded\", \"FileUploaded\")\r\n | where TimeGenerated > ago(endtime);\r\nrecentActivity\r\n| join kind= leftanti (\r\n historicalActivity \r\n )\r\n on ClientIP\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| summarize count() by UserId, ClientIP\r\n| sort by count_ desc\r\n| take 100", + "size": 0, + "showAnalytics": true, + "title": "SharePoint File Operations by Users from Previously Unseen IPs", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + 
"formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results86", + "styleSettings": { + "maxWidth": "50" + }, + "id": "ef04cd6e-0de4-4f88-9962-df51f521e546" + 
}, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nlet starttime = {TimeRange:grain};\r\nlet endtime = 1d;\r\nlet historicalActivity=\r\n OfficeActivity\r\n | where RecordType == \"SharePointFileOperation\"\r\n | where Operation in (\"FileDownloaded\", \"FileUploaded\")\r\n | where TimeGenerated between(ago(starttime)..ago(endtime))\r\n | summarize historicalCount=count() by UserAgent, RecordType;\r\nlet recentActivity = OfficeActivity\r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n | where RecordType == \"SharePointFileOperation\"\r\n | where Operation in (\"FileDownloaded\", \"FileUploaded\")\r\n | where TimeGenerated > ago(endtime);\r\nrecentActivity\r\n| join kind = leftanti (\r\n historicalActivity \r\n )\r\n on UserAgent, RecordType\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| summarize count() by UserId, UserAgent, RecordType\r\n| sort by count_ desc\r\n| take 100", + "size": 0, + "showAnalytics": true, + "title": "SharePointFileOperation via Devices with Previously Unseen User Agents", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + 
"columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results87", + "styleSettings": { + "maxWidth": "50" + }, + "id": "9a133043-09b4-4c6c-a1c8-253e3ac598d5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "OfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where Operation == \"MailboxLogin\" and Logon_Type != \"Owner\" \r\n| summarize count() by UserId\r\n| sort by count_ desc\r\n| take 100", + 
"size": 0, + "showAnalytics": true, + "title": "Non-Owner Mailbox Login Activity", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + 
"nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results88", + "styleSettings": { + "maxWidth": "50" + }, + "id": "c9d097ab-e5b3-4357-b67e-88627e47c6a8" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "OfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where Operation == \"MailboxLogin\"\r\n| where ClientInfoString == \"Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client\"\r\n| summarize count() by UserId\r\n| sort by count_ desc\r\n| take 100", + "size": 0, + "showAnalytics": true, + "title": "PowerShell or Non-Browser Mailbox Sign-In Activity", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ] + }, + "tileSettings": { + "titleContent": { + 
"columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results89", + "styleSettings": { + "maxWidth": "50" + }, + "id": "18ee18c0-5a9f-4dd0-bcb6-2b626155c665" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "// Adjust this value to change how many Teams should be deleted before including\r\nlet max_delete = 3;\r\nlet deleting_users = (\r\n OfficeActivity\r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n | where OfficeWorkload =~ \"MicrosoftTeams\"\r\n | where Operation =~ \"TeamDeleted\"\r\n | summarize count() by UserId\r\n | where count_ > max_delete\r\n | project UserId);\r\nOfficeActivity\r\n| where OfficeWorkload =~ \"MicrosoftTeams\"\r\n| where Operation =~ \"TeamDeleted\"\r\n| where UserId in (deleting_users)\r\n| summarize count() by UserId\r\n| sort by count_ desc\r\n| take 100", + "size": 0, + "showAnalytics": true, + "title": "Multiple Teams Deleted by a Single User", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + 
"resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": 
"blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results90", + "styleSettings": { + "maxWidth": "50" + }, + "id": "d85926d5-0a70-4c85-9db7-538765c6bf05" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nlet threshold = 1m;\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where OfficeWorkload =~ \"MicrosoftTeams\"\r\n| where Operation == \"MemberAdded\"\r\n| extend TeamName = iff(isempty(TeamName), Members[0].UPN, TeamName)\r\n| project TimeGenerated, UserId, UploaderID=UserId, TeamName\r\n| join (\r\n OfficeActivity\r\n | where RecordType == \"SharePointFileOperation\"\r\n | where SourceRelativeUrl has \"Microsoft Teams Chat Files\"\r\n | where Operation == \"FileUploaded\"\r\n | where SourceFileName has_any (PurviewClassifiedFiles)\r\n | project UserId, UploadTime=TimeGenerated, UploaderID=UserId, FileLocation=OfficeObjectId, FileName=SourceFileName\r\n )\r\n on UploaderID\r\n| where UploadTime > TimeGenerated and UploadTime < TimeGenerated + threshold\r\n| summarize count() by UserId\r\n| sort by count_ desc\r\n| take 100", + "size": 0, + "showAnalytics": true, + "title": "User Added to Team and Immediately Uploads File", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + 
"text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results91", + "styleSettings": { + "maxWidth": "50" + }, + "id": "05b8dbcb-ab11-40ef-99b2-0777fdb077e9" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let known_ext = dynamic([\"lnk\", \"log\", \"option\", \"config\", \"manifest\", \"partial\"]);\r\nlet excluded_users = 
dynamic([\"app@sharepoint\"]);\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where RecordType =~ \"SharePointFileOperation\" and isnotempty(SourceFileName)\r\n| where OfficeObjectId has \".exe.\" and SourceFileExtension !in~ (known_ext)\r\n| extend Extension = extract(\"[^.]*.[^.]*$\", 0, OfficeObjectId)\r\n| join kind= leftouter ( \r\n OfficeActivity\r\n | where RecordType =~ \"SharePointFileOperation\" and (Operation =~ \"FileDownloaded\" or Operation =~ \"FileAccessed\") \r\n | where SourceFileExtension !in~ (known_ext)\r\n )\r\n on OfficeObjectId \r\n| where UserId1 !in~ (excluded_users)\r\n| extend userBag = pack(UserId1, ClientIP1) \r\n| summarize makeset(UserId1), make_bag(userBag), Start=max(TimeGenerated), End=min(TimeGenerated) by UserId, OfficeObjectId, SourceFileName, Extension \r\n| extend NumberOfUsers = array_length(bag_keys(bag_userBag))\r\n| project UploadTime=Start, Uploader=UserId, FileLocation=OfficeObjectId, FileName=SourceFileName, AccessedBy=bag_userBag, Extension, NumberOfUsers\r\n| extend timestamp = UploadTime, Uploader", + "size": 0, + "showAnalytics": true, + "title": "Executable with Double File Extension and Acces Summary", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + 
"thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results92", + "styleSettings": { + "maxWidth": "50" + }, + "id": "ffacab43-2c15-40c6-a0fd-5785ad7eb3f3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "OfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where OfficeWorkload == \"Exchange\"\r\n| where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\r\n| extend p = parse_json(Parameters)\r\n| extend RuleName = case(\r\n Operation =~ \"Set-TransportRule\", tostring(OfficeObjectId),\r\n Operation =~ \"New-TransportRule\", tostring(p[1].Value),\r\n 
\"Unknown\"\r\n ) \r\n| mvexpand p\r\n| where (p.Name =~ \"BlindCopyTo\" or p.Name =~ \"RedirectMessageTo\") and isnotempty(p.Value)\r\n| extend RedirectTo = p.Value\r\n| extend ClientIPOnly = case( \r\n ClientIP has \".\" and ClientIP has \":\", tostring(split(ClientIP, \":\")[0]), \r\n ClientIP has \".\" and ClientIP has \"-\", tostring(split(ClientIP, \"-\")[0]), \r\n ClientIP has \"[\", tostring(trim_start(@'[[]', tostring(split(ClientIP, \"]\")[0]))),\r\n ClientIP\r\n ) \r\n| extend Port = case(\r\n ClientIP has \".\" and ClientIP has \":\", (split(ClientIP, \":\")[1]),\r\n ClientIP has \".\" and ClientIP has \"-\", (split(ClientIP, \"-\")[1]),\r\n ClientIP has \"[\" and ClientIP has \":\", tostring(split(ClientIP, \"]:\")[1]),\r\n ClientIP has \"[\" and ClientIP has \"-\", tostring(split(ClientIP, \"]-\")[1]),\r\n ClientIP\r\n )\r\n| summarize count() by UserId\r\n| sort by count_ desc\r\n", + "size": 0, + "showAnalytics": true, + "title": "Mail Redirect via Exchange Transport Rules", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": 
"Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results93", + "styleSettings": { + "maxWidth": "50" + }, + "id": "c968c8ef-e778-409a-aa9d-22a2bbf81623" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "// a threshold can be enabled, see commented line below for PrevSeenCount\r\nlet threshold = 1;\r\n// Reserved FileNames/Extension for Windows\r\nlet Reserved = dynamic(['CON', 'PRN', 'AUX', 'NUL', 'COM1', 'COM2', 'COM3', 'COM4', 'COM5', 'COM6', 'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9']);\r\nlet starttime = {TimeRange:grain};\r\nlet endtime = 1d;\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where TimeGenerated >= ago(endtime)\r\n| where isnotempty(SourceFileExtension)\r\n| where SourceFileName !~ 
SourceFileExtension\r\n| where SourceFileExtension in~ (Reserved) or SourceFileName in~ (Reserved)\r\n| where UserAgent !has \"Mac OS\" \r\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName, SourceFileExtension \r\n| join kind= leftanti (\r\n OfficeActivity\r\n | where TimeGenerated between (ago(starttime)..ago(endtime))\r\n | where isnotempty(SourceFileExtension)\r\n | where SourceFileName !~ SourceFileExtension\r\n | where SourceFileExtension in~ (Reserved) or SourceFileName in~ (Reserved)\r\n | where UserAgent !has \"Mac OS\" \r\n | summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId), SourceFileName = make_set(SourceFileName), PrevSeenCount = count() by SourceFileExtension\r\n // To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\r\n //| where PrevSeenCount > threshold\r\n | mvexpand SourceRelativeUrl, UserId, SourceFileName\r\n | extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId), SourceFileName = tostring(SourceFileName)\r\n )\r\n on SourceFileExtension\r\n| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])\r\n| extend UserIdUserFolderFormat = tolower(replace('@|\\\\.', '_', UserId))\r\n// identify when UserId is not a match to the specific site url personal folder reference\r\n| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true, false) \r\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Operations = make_list(Operation), UserAgents = make_list(UserAgent), \r\n OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\r\n by OfficeWorkload, RecordType, UserType, UserKey, UserId, ClientIP, Site_Url, 
SourceFileExtension, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder", + "size": 0, + "showAnalytics": true, + "title": "Windows Reserved Filenames Staged on Office File Services", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + 
"sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results94", + "styleSettings": { + "maxWidth": "50" + }, + "id": "b9a42483-69a2-42fd-adbf-fffb48b0efb4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "OfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where (Operation contains 'Forward') \r\n or (Parameters contains 'ForwardTo')\r\n| extend parsed=parse_json(Parameters)\r\n| extend fwdingDestination_initial = (iif(Operation =~ \"Set-Mailbox\", tostring(parsed[1].Value), tostring(parsed[2].Value)))\r\n| where isnotempty(fwdingDestination_initial)\r\n| extend fwdingDestination = iff(fwdingDestination_initial has \"smtp\", (split(fwdingDestination_initial, \":\")[1]), fwdingDestination_initial)\r\n| parse fwdingDestination with * '@' ForwardedtoDomain \r\n| parse UserId with *'@' UserDomain\r\n| extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]), '.', tostring(split(UserDomain, '.')[-1])), '.')[0]))\r\n| where ForwardedtoDomain !contains subDomain\r\n| extend Result = iff(ForwardedtoDomain != UserDomain, \"Mailbox rule created to forward to External Domain\", \"Forward rule for Internal domain\")\r\n| extend ClientIPAddress = case(ClientIP has \".\", tostring(split(ClientIP, \":\")[0]), ClientIP has \"[\", tostring(trim_start(@'[[]', tostring(split(ClientIP, \"]\")[0]))), ClientIP)\r\n| extend Port = case(\r\n ClientIP has \".\", (split(ClientIP, \":\")[1]),\r\n ClientIP has \"[\", tostring(split(ClientIP, \"]:\")[1]),\r\n ClientIP\r\n )\r\n| summarize count() by UserId, fwdingDestination, TimeGenerated\r\n| sort by TimeGenerated desc\r\n| limit 100", + 
"size": 0, + "showAnalytics": true, + "title": "Email Forwarding", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "fwdingDestination", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "warning", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + 
"locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results95", + "styleSettings": { + "maxWidth": "50" + }, + "id": "ac7afd7e-bf7b-4189-91f7-d5694bb25219" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "// Adjust this value to change how many teams a user is made owner of before detecting\r\nlet max_owner_count = 3;\r\n// Change this value to adjust how larger timeframe the query is run over.\r\nlet high_owner_count = (OfficeActivity\r\n | where OfficeWorkload =~ \"MicrosoftTeams\"\r\n | where Operation =~ \"MemberRoleChanged\"\r\n | extend Member = tostring(parse_json(Members)[0].UPN) \r\n | extend NewRole = toint(parse_json(Members)[0].Role) \r\n | where NewRole == 2\r\n | summarize dcount(TeamName) by Member\r\n | where dcount_TeamName > max_owner_count\r\n | project Member);\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where OfficeWorkload =~ \"MicrosoftTeams\"\r\n| where Operation =~ \"MemberRoleChanged\"\r\n| extend Member = tostring(parse_json(Members)[0].UPN) \r\n| extend NewRole = toint(parse_json(Members)[0].Role) \r\n| where NewRole == 2\r\n| where Member in (high_owner_count)\r\n| summarize count() by UserId\r\n| sort by count_ desc", + "size": 0, + "showAnalytics": true, + "title": "User Added as Owner of Multiple Teams", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + 
"gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results98", + "styleSettings": { + "maxWidth": "50" + }, 
+ "id": "4e3c2214-7f92-46d7-bd8b-eb218f190ca5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "OfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where UserType in~ (\"Admin\",\"DcAdmin\") \r\n// Only admin or global-admin can disable audit logging\r\n| where Operation =~ \"Set-AdminAuditLogConfig\" \r\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\r\n| where AdminAuditLogEnabledValue =~ \"False\" \r\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\r\n| summarize count() by UserId\r\n| sort by count_ desc", + "size": 0, + "showAnalytics": true, + "title": "Exchange Audit Log Disabled", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": 
"{0}{1}" + } + ] + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results99", + "styleSettings": { + "maxWidth": "50" + }, + "id": "b0e97b8d-a03a-42d8-944e-311268fd6d2f" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Add Keywords for Emails as needed\r\nlet Keywords = dynamic([\"helpdesk\", \" alert\", \" suspicious\", \"fake\", \"malicious\", \"phishing\", \"spam\", \"do not click\", \"do not open\", \"hijacked\", \"Fatal\"]);\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where Operation =~ \"New-InboxRule\"\r\n| where Parameters has \"Deleted Items\" or Parameters has \"Junk Email\" \r\n| extend Events=todynamic(Parameters)\r\n| parse Events with * \"SubjectContainsWords\" SubjectContainsWords '}'*\r\n| parse Events with * \"BodyContainsWords\" BodyContainsWords '}'*\r\n| parse Events with * \"SubjectOrBodyContainsWords\" SubjectOrBodyContainsWords '}'*\r\n| where 
SubjectContainsWords has_any (Keywords)\r\n or BodyContainsWords has_any (Keywords)\r\n or SubjectOrBodyContainsWords has_any (Keywords)\r\n| extend ClientIPAddress = case( ClientIP has \".\", tostring(split(ClientIP,\":\")[0]), ClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))), ClientIP )\r\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\r\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\')[-1]))\r\n| summarize count() by UserId\r\n| sort by count_ desc", + "size": 0, + "showAnalytics": true, + "title": "Malicious Inbox Rule: Removing Helpdesk/Security Warning Emails", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + 
"formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results100", + "styleSettings": { + "maxWidth": "50" + }, + "id": "15e6a852-9141-46b4-8ee5-fa662b527662" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let opList = OfficeActivity \r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| summarize by Operation\r\n//| where Operation startswith \"Remove-\" or Operation startswith \"Disable-\"\r\n| where Operation has_any (\"Remove\", \"Disable\")\r\n| where Operation contains \"AntiPhish\" or Operation contains \"SafeAttachment\" or Operation contains \"SafeLinks\" or Operation contains \"Dlp\" or Operation contains \"Audit\"\r\n| summarize make_set(Operation);\r\nOfficeActivity\r\n// Only admin or global-admin can disable/remove policy\r\n| where RecordType =~ \"ExchangeAdmin\"\r\n| where UserType in~ (\"Admin\",\"DcAdmin\")\r\n// Pass in interesting Operation list\r\n| where Operation in~ (opList)\r\n| extend ClientIPOnly = case( \r\nClientIP has \".\", tostring(split(ClientIP,\":\")[0]), \r\nClientIP 
has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\r\nClientIP\r\n) \r\n| extend Port = case(\r\nClientIP has \".\", (split(ClientIP,\":\")[1]),\r\nClientIP has \"[\", tostring(split(ClientIP,\"]:\")[1]),\r\nClientIP\r\n)\r\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\r\n| summarize count() by UserId\r\n| sort by count_ desc", + "size": 0, + "showAnalytics": true, + "title": "Office Policy Tampering", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + 
"maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results101", + "styleSettings": { + "maxWidth": "50" + }, + "id": "e02a57ea-f4a1-4656-b049-e6213497f737" } - }, - { - "columnMatch": "SourceSubscriptionId", - "formatter": 5 - }, - { - "columnMatch": "SourceRegion", - "formatter": 5 - }, - { - "columnMatch": "SourceCollectionName", - "formatter": 5 - }, - { - "columnMatch": "SourceScanId", - "formatter": 5 - }, - { - "columnMatch": "PurviewSubscriptionId", - "formatter": 5 - }, - { - "columnMatch": "SourceOwner", - "formatter": 5 - }, - { - "columnMatch": "AssetOwner", - "formatter": 5 - }, - { - "columnMatch": "ActivityTrigger", - "formatter": 5 - }, - { - "columnMatch": "SensitivityLabelGuid", - "formatter": 5 - }, - { - "columnMatch": "SensitivityLabelName", - "formatter": 5 - }, - { - "columnMatch": "UserId", - "formatter": 5 - } - ], - "filter": true, - "labelSettings": [ - { - "columnId": "AssetPath", - "label": "Asset Path" - }, - { - "columnId": "AssetLastScanTime", - "label": "Asset Last Scan Time" - }, - { - "columnId": "SourcePath", - "label": "Data Source" - } ] - } }, - "customWidth": "50", "conditionalVisibility": { - "parameterName": "Results203", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 10", - "styleSettings": { - "showBorder": true - } - }, - { - 
"type": 3, + "parameterName": "isM365ActivityVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Office Activity Group", + "id": "a5c2b0bf-a5ff-4084-84f6-605c660427bf" + }, + { + "type": 12, "content": { - "version": "KqlItem/1.0", - "query": "let SensitivityLabels = PurviewDataSensitivityLogs\r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where ActivityType == \"Labeling\" \r\n | extend SensitivityLabel = iff(SensitivityLabel[0] == \"\", \"No Label\", SensitivityLabel[0])\r\n | extend Label = replace(@\"\\\\\", \"/\", SensitivityLabel)\r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType\r\n | summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by SensitivityLabel, Label\r\n | project SensitivityLabel, FileSize, AssetCount, Label\r\n | sort by AssetCount;\r\nSensitivityLabels", - "size": 0, - "showAnalytics": true, - "title": "Select 'Sensitivity Label' below to view Sensitivity Labels Drilldown", - "showRefreshButton": true, - "exportFieldName": "Label", - "exportParameterName": "UserSelectedLabel", - "exportDefaultValue": "All", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "SensitivityLabel", - "formatter": 1 - }, - { - "columnMatch": "FileSize", - "formatter": 8, - "formatOptions": { - "palette": "blue", - "customColumnWidthSetting": "20ch" - } - }, - { - "columnMatch": "Count", - "formatter": 4, - 
"formatOptions": { - "palette": "blue", - "customColumnWidthSetting": "20ch" - } - }, - { - "columnMatch": "Label", - "formatter": 5 - }, - { - "columnMatch": "SensitivityLabelName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "60ch" + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [Sign-Ins (Entra ID)](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins)\n---\n\nThis section provides visibility into **user authentication events and access patterns**, supporting GDPR requirements for **integrity and confidentiality of personal data (Art. 5(1)(f))** and **security of processing (Art. 32)**. Monitoring sign-ins helps ensure that only authorized individuals access systems processing personal data, and that suspicious authentication activity is detected quickly. 
\n\nKey objectives of this section: \n- Track **sign-ins by geolocation and over time** to spot unusual or high-risk access locations \n- Monitor **failed sign-in attempts and brute-force activity** to identify potential account compromise \n- Detect **anomalous patterns** such as cross-application anomalies, sign-in bursts, or VPN-based logins \n- Review **application and client usage trends** to confirm that personal data is accessed only through approved channels \n- Provide auditors with evidence of **access control enforcement and monitoring** \n\nBy analyzing these metrics, analysts can verify that **access to personal data is properly secured**, and that the enterprise maintains the ability to **detect, investigate, and remediate suspicious sign-in activity** in line with GDPR obligations.\n\n\n\n" + }, + "name": "text - 2", + "id": "a4d7e8d9-e963-4417-959f-cb9c783ad9a5" + } + ] + }, + "customWidth": "40", + "name": "group - 32", + "id": "7cd82204-fee8-4b5e-a0ab-8819d2543e11" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "10", + "name": "text - 29", + "id": "e69f5d24-5239-4c56-b968-db348535dbe8" + }, + { + "type": 1, + "content": { + "json": "| Sign-Ins (Entra ID) | - | - |\r\n|:--| :--| :--| \r\n| Sign-Ins by Geolocation | Authentication Details | Sign-In Locations Over Time |\r\n| Sign-Ins Count By Application Name | Applications Access Count By Users | Client Application Count by Users |\r\n| Anomalous Sign-in & App Access | Entra ID Failed Sign-in Attempts | Entra ID Brute Force Sign-in Attempts |\r\n|Cross-App Sign-in Anomaly (Success then Failure) | Sign-In Burst From Multiple Locations | Sign-in From VPN |\r\n\r\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range and User. Only panels with data are shown." 
+ }, + "customWidth": "40", + "name": "SI OV", + "id": "ddcc72b0-f7a3-4eff-a580-ba3773b72685" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where Location <> \"\"\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\r\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\r\n| extend city_ = tostring(LocationDetails.city)\r\n| project latitude_,longitude_,city_", + "size": 3, + "showAnalytics": true, + "title": "Sign-Ins by Geolocation", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "map", + "mapSettings": { + "locInfo": "LatLong", + "locInfoColumn": "Location", + "latitude": "latitude_", + "longitude": "longitude_", + "sizeSettings": "city_", + "sizeAggregation": "Count", + "labelSettings": "city_", + "legendMetric": "city_", + "numberOfMetrics": 100, + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "state_", + "colorAggregation": "Count", + "type": "heatmap", + "heatmapPalette": "coldHot" + } + } + }, + "customWidth": "50", + "name": "Results46", + "id": "3e27f8e8-6059-4621-9fd9-6840cfa6352d" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let nonInteractive = AADNonInteractiveUserSignInLogs\r\n| extend LocationDetails = parse_json(LocationDetails)\r\n| extend Status = parse_json(Status);\r\nlet data = \r\nunion SigninLogs,nonInteractive\r\n|extend errorCode = toint(Status.errorCode)\r\n| extend SigninStatus = case(\r\n errorCode == 0, \"Success\",\r\n errorCode in (50055,50058,50072,50074,50125,50127,50129,50140,50143,50144,51006,52004,65001,16000,16001,16003,81010,81012,81014), \"Pending user action\",\r\n 
\"Failure\"\r\n);\r\ndata\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| where IsInteractive == true\r\n| summarize Count = count() by SigninStatus\r\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\r\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\r\n on SigninStatus\r\n| project-away SigninStatus1, TimeGenerated\r\n| extend Status = SigninStatus\r\n| union (\r\n data \r\n | summarize Count = count()\r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend SigninStatus = 'All Sign-ins', Status = '*' \r\n)\r\n| where SigninStatus <> \"All Sign-ins\"\r\n", + "size": 0, + "showAnalytics": true, + "title": "Authentication Details", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "gridSettings": { + "formatters": [ + { + "columnMatch": "User", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "info", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Activities", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": 
"blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "LatLong", + "locInfoColumn": "Location", + "latitude": "latitude_", + "longitude": "longitude_", + "sizeSettings": "city_", + "sizeAggregation": "Count", + "labelSettings": "city_", + "legendMetric": "city_", + "numberOfMetrics": 100, + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "state_", + "colorAggregation": "Count", + "type": "heatmap", + "heatmapPalette": "coldHot" + } + } + }, + "customWidth": "50", + "name": "Results47", + "id": "a04b9f50-45b0-4550-92ef-572347a486e0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| where IsInteractive == true\r\n| extend city_ = tostring(LocationDetails.city)\r\n| extend state_ = tostring(LocationDetails.state)\r\n| where state_ <> \"\"\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by state_\r\n| render timechart", + "size": 0, + "showAnalytics": true, + "title": "Sign-In Locations Over Time", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + 
"thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "name": "Results49", + "id": "430cad35-c398-45c0-95bc-7e70e51f8283" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| where ResultType == 0 and AppDisplayName != \"\"\r\n| summarize count() by AppDisplayName\r\n| join (\r\nSigninLogs\r\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, 
{TimeRange:end}, 4h) by AppDisplayName \r\n) on AppDisplayName\r\n| top 10 by count_ desc", + "size": 4, + "showAnalytics": true, + "title": "Sign-Ins Count By Application Name", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "gridSettings": { + "formatters": [ + { + "columnMatch": "User", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "info", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Activities", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "AppDisplayName", + "formatter": 1, + "formatOptions": { + "showIcon": true + } + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto", + "showIcon": true + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "secondaryContent": { + "columnMatch": "TrendList", + "formatter": 9, + "formatOptions": { + "showIcon": true + } + }, + "showBorder": false + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AppDisplayName", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "count_", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "mapSettings": { + "locInfo": "LatLong", + "locInfoColumn": "Location", + "latitude": "latitude_", + "longitude": "longitude_", + "sizeSettings": "city_", + "sizeAggregation": "Count", + "labelSettings": "city_", + "legendMetric": "city_", + "numberOfMetrics": 100, + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": 
"state_", + "colorAggregation": "Count", + "type": "heatmap", + "heatmapPalette": "coldHot" + } + } + }, + "name": "Results48", + "id": "8f026c95-ba0a-4053-98a7-68be6f18f9c6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| summarize Count=count() by UserPrincipalName, AppDisplayName\r\n| sort by Count desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Applications Access Count By Users", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AppDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "trendup", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "IPAddress", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + 
"nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results51", + "styleSettings": { + "maxWidth": "50" + }, + "id": "9388f83d-5fc3-4611-b1c1-11e9f6f26747" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| extend Browser = tostring(DeviceDetail.browser)\r\n| extend OperatingSystem = tostring(DeviceDetail.operatingSystem)\r\n| summarize Count=count() by UserPrincipalName, Browser, OperatingSystem\r\n| sort by Count desc\r\n| limit 250\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Client Application Count by Users", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "UserAgent", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "1", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ClientAppUsed", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "trenddown", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": 
"AppDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "trendup", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IPAddress", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results52", + "styleSettings": { + "maxWidth": "50" + }, + "id": "41a8d174-2cf8-4573-a4e4-7e043f418048" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n// Forces Log Analytics to recognize that the query should be run over full time range\r\n| extend locationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", \r\n tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]), \";\") \r\n| project TimeGenerated, AppDisplayName, UserPrincipalName, locationString \r\n// Create time series \r\n| make-series dLocationCount = dcount(locationString)\r\n on TimeGenerated\r\n step 1d\r\n by UserPrincipalName, AppDisplayName \r\n// Compute best fit line for each entry \r\n| extend (RSquare, Slope, Variance, RVariance, Interception, LineFit) = 
series_fit_line(dLocationCount) \r\n// Filter for truly anomalous patterns:\r\n// - abs(Slope) > 0.5 → exclude stable users; keeps those with growing/shrinking location diversity\r\n// - Variance > 2 → exclude trivial fluctuations; ensures location counts are inconsistent\r\n// - RSquare > 0.5 → exclude poor fits; ensures the slope represents a real trend, not random noise\r\n| where abs(Slope) > 0.5 and Variance > 2 and RSquare > 0.5\r\n| project UserPrincipalName, AppDisplayName, Slope, Variance, RSquare\r\n| order by abs(Slope) desc\r\n| limit 50", + "size": 0, + "showAnalytics": true, + "title": "Anomalous Sign-in Location by User Account and Authenticating Application", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", 
+ "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results53", + "styleSettings": { + "maxWidth": "50" + }, + "id": "867a83fa-8a74-4554-b8e9-f89ce802209d" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n// 50126 - Invalid username or password, or invalid on-premises username or password.\r\n// 50020 - The user doesn't exist in the tenant.\r\n// 50076 → MFA required but not satisfied\r\n// 50053 → Account locked due to repeated sign-in attempts\r\n| where ResultType in (\"50126\", \"50020\", \"50076\", \"50053\")\r\n| summarize Count=count() by UserPrincipalName, AppDisplayName\r\n| sort by Count desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Entra ID Failed Sign-in Attempts", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "orange" 
+ } + }, + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results54", + "styleSettings": { + "maxWidth": "50" + }, + "id": "f42567b1-0fad-4cf3-b6ac-0f19cba137b1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let failureCountThreshold = 5;\r\nlet successCountThreshold = 1;\r\nlet authenticationWindow = 20m;\r\nlet aadFunc = (tableName: string) {\r\n table(tableName)\r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n | extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\r\n | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\r\n | extend 
StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\r\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\r\n // Split out failure versus non-failure types\r\n | extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\"), \"Success\", \"Failure\")\r\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\r\n make_set(State), make_set(Region), make_set(ResultType), FailureCount = countif(FailureOrSuccess == \"Failure\"), SuccessCount = countif(FailureOrSuccess == \"Success\") \r\n by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\r\n | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\r\n | mvexpand IPAddress\r\n | extend IPAddress = tostring(IPAddress)\r\n };\r\nlet aadSignin = aadFunc(\"SigninLogs\");\r\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\r\nunion isfuzzy=true aadSignin, aadNonInt\r\n| summarize AttemptWindows = count(), TotalFailures = sum(FailureCount), TotalSuccesses = sum(SuccessCount) by UserPrincipalName, AppDisplayName\r\n| order by AttemptWindows desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Entra ID Brute Force Sign-in Attempts", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 
8, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results55", + "styleSettings": { + "maxWidth": "50" + }, + "id": "c80addb4-a836-47fd-a319-0fa64d9bc735" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let timeFrame = {TimeRange:grain};\r\nlet logonDiff = 1m;\r\nlet Success = SigninLogs \r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n | where TimeGenerated >= timeFrame \r\n | where ResultType == \"0\" \r\n | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\", \"Office 365 SharePoint Online\")\r\n | project SuccessLogonTime = TimeGenerated, 
UserPrincipalName, IPAddress, SuccessAppDisplayName = AppDisplayName;\r\nlet Fail = SigninLogs \r\n | where TimeGenerated >= timeFrame \r\n | where ResultType !in (\"0\", \"50140\") \r\n | where ResultDescription !~ \"Other\" \r\n | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\", \"Office 365 SharePoint Online\")\r\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, IPAddress, FailedAppDisplayName = AppDisplayName, ResultType, ResultDescription;\r\nlet InitialDataSet = \r\n Success\r\n | join kind= inner (\r\n Fail\r\n )\r\n on UserPrincipalName, IPAddress \r\n | where isnotempty(FailedAppDisplayName)\r\n | where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and SuccessAppDisplayName != FailedAppDisplayName;\r\nlet InitialHits = \r\n InitialDataSet\r\n | summarize FailedLogonTime = min(FailedLogonTime), SuccessLogonTime = min(SuccessLogonTime) \r\n by UserPrincipalName, SuccessAppDisplayName, FailedAppDisplayName, IPAddress, ResultType, ResultDescription;\r\n// Only take hits where there is 5 or less distinct AppDisplayNames on the success side as this limits highly active applications where failures occur more regularly\r\nlet Distribution =\r\n InitialDataSet\r\n | summarize count(SuccessAppDisplayName) by SuccessAppDisplayName, ResultType\r\n | where count_SuccessAppDisplayName <= 5;\r\nInitialHits\r\n| join (\r\n Distribution \r\n )\r\n on SuccessAppDisplayName, ResultType\r\n| project UserPrincipalName, SuccessLogonTime, IPAddress, SuccessAppDisplayName, FailedLogonTime, FailedAppDisplayName, ResultType, ResultDescription \r\n| where UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName, SuccessAppDisplayName, FailedAppDisplayName\r\n| sort by count_ desc\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "Cross-App Sign-in Anomaly (Success then Failure)", + "timeContextFromParameter": "TimeRange", + 
"showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "SuccessAppDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "FailedAppDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "failed", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": 
"SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results56", + "styleSettings": { + "maxWidth": "50" + }, + "id": "f9f17c4e-782a-4c10-85af-bbb032c06162" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let signIns = SigninLogs\r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n | extend locationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\",\r\n tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]))\r\n | where locationString != \"//\" \r\n // filter out signins associated with top 100 signin locations \r\n | join kind=anti (\r\n SigninLogs\r\n | extend locationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", \r\n tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]))\r\n | where locationString != \"//\"\r\n | summarize count() by locationString\r\n | order by count_ desc\r\n | take 100)\r\n on locationString; // TODO - make this threshold percentage-based\r\n// We will perform a time window join to identify signins from multiple locations within a 10-minute period\r\nlet lookupWindow = 10m;\r\nlet lookupBin = lookupWindow / 2.0; // lookup bin = equal to 1/2 of the lookup window\r\nsignIns \r\n| project-rename Start=TimeGenerated \r\n| extend TimeKey = bin(Start, lookupBin)\r\n| join kind = inner (\r\n signIns \r\n | project-rename End=TimeGenerated, EndLocationString=locationString \r\n // TimeKey on the right side of the join - emulates this authentication appearing several times\r\n | extend TimeKey = range(bin(End - 
lookupWindow, lookupBin),\r\n bin(End, lookupBin), lookupBin)\r\n | mvexpand TimeKey to typeof(datetime) // translate TimeKey arrange range to a column\r\n )\r\n on Identity, TimeKey\r\n| where End > Start\r\n| project timeSpan = End - Start, Identity, locationString, EndLocationString, tostring(Start), tostring(End), UserPrincipalName\r\n| where locationString != EndLocationString\r\n| summarize by timeSpan, Identity, locationString, EndLocationString, Start, End, UserPrincipalName\r\n| where UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName, locationString, EndLocationString\r\n| sort by count_ desc\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "Sign-In Burst From Multiple Locations", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + 
"operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results57", + "styleSettings": { + "maxWidth": "50" + }, + "id": "dfbddb09-52ab-4313-8975-87760a66417a" }, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let IP_Data = (externaldata(network: string)\r\n [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/VPS_Networks.csv\"] with (format=\"csv\"));\r\nSigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| where ResultType == 0\r\n| extend additionalDetails = tostring(Status.additionalDetails)\r\n| evaluate ipv4_lookup(IP_Data, IPAddress, network, return_unmatched = false)\r\n| summarize count() by UserPrincipalName, AppDisplayName, network\r\n| sort by count_ desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Sign-Ins From VPNs", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + 
"thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "Results58", + "styleSettings": { + "maxWidth": "50" + }, + "id": "d8a944ed-22f3-4cc0-bb6b-962e306a47c9" } - } - ], - "filter": true, - "labelSettings": [ - { - "columnId": "SensitivityLabel", - "label": "Sensitivity Label" - }, - { - "columnId": "FileSize", - "label": "File Size" - }, - { - "columnId": "AssetCount", - "label": "Asset Count" - } ] - }, - "tileSettings": { - "showBorder": false, - "titleContent": { - "columnMatch": "SensitivityLabelName", - "formatter": 1 - }, - 
"leftContent": { - "columnMatch": "LabelCount", - "formatter": 12, - "formatOptions": { - "palette": "auto" - }, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } - } - } - } }, - "customWidth": "50", "conditionalVisibility": { - "parameterName": "Results204", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 14 - Copy", - "styleSettings": { - "showBorder": true - } - }, - { - "type": 3, + "parameterName": "isSignInsVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Sign-Ins", + "id": "02595a8f-51f5-4a12-905d-4dec6b629000" + }, + { + "type": 12, "content": { - "version": "KqlItem/1.0", - "query": "let MostRecentScanLogs = PurviewDataSensitivityLogs\r\n | where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n | where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n | extend CollectionName = iff(SourceCollectionName == \"\", \"No Collection\", SourceCollectionName)\r\n | where ActivityType == \"Labeling\" \r\n | summarize arg_max( AssetLastScanTime, *) by AssetPath, ActivityType;\r\nlet LabelDrilldown = MostRecentScanLogs \r\n| extend SensitivityLabel = iff(SensitivityLabel[0] == \"\", \"No Label\", SensitivityLabel[0])\r\n| extend Label = replace(@\"\\\\\", \"/\", SensitivityLabel)\r\n| where \"{UserSelectedLabel:label}\" == \"All\" or \"{UserSelectedLabel:label}\" == Label\r\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, 
SensitivityLabelTrigger, SensitivityLabel, SensitivityLabelDetails, SourceScanId) by AssetPath \r\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, SensitivityLabelTrigger, SensitivityLabel, SensitivityLabelDetails, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceScanId;\r\nLabelDrilldown\r\n| take 100", - "size": 0, - "showAnalytics": true, - "title": "Sensitivity Labels Drilldown- Asset Level", - "showRefreshButton": true, - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 5 - }, - { - "columnMatch": "PurviewTenantId", - "formatter": 5 - }, - { - "columnMatch": "PurviewAccountName", - "formatter": 5 - }, - { - "columnMatch": "PurviewRegion", - "formatter": 5 - }, - { - "columnMatch": "AssetName", - "formatter": 5 - }, - { - "columnMatch": "AssetPath", - "formatter": 7, - "formatOptions": { - "linkTarget": "GenericDetails", - "linkIsContextBlade": true, - "customColumnWidthSetting": "70ch" - } - }, - { - "columnMatch": "AssetType", - "formatter": 5 - }, - { - "columnMatch": "AssetCreationTime", - "formatter": 5 - }, - { - "columnMatch": "AssetModifiedTime", - "formatter": 5 - }, - { - "columnMatch": "FileExtension", - "formatter": 5 - }, - { - "columnMatch": "FileSize", - "formatter": 5 - }, - { - "columnMatch": "ActivityType", - "formatter": 5 - }, - { - "columnMatch": "SensitivityLabelTrigger", - "formatter": 5, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - }, - "emptyValCustomText": "No Label" - } - }, - { - "columnMatch": "SensitivityLabel", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - }, - "emptyValCustomText": "No Label" - } - }, - { - 
"columnMatch": "SensitivityLabelDetails", - "formatter": 5, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - }, - "emptyValCustomText": "No Label" - } - }, - { - "columnMatch": "SourceName", - "formatter": 5 - }, - { - "columnMatch": "SourceType", - "formatter": 5 - }, - { - "columnMatch": "SourcePath", - "formatter": 13, - "formatOptions": { - "linkTarget": "Resource", - "showIcon": true - } - }, - { - "columnMatch": "SourceSubscriptionId", - "formatter": 5 - }, - { - "columnMatch": "SourceRegion", - "formatter": 5 - }, - { - "columnMatch": "SourceCollectionName", - "formatter": 5 - }, - { - "columnMatch": "SourceScanId", - "formatter": 5 - }, - { - "columnMatch": "SensitivityLabelName", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - }, - "emptyValCustomText": "No Label" + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 📝 [Audit Logs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs)\n---\n\nThis section provides accountability and traceability for **administrative and user activities** across cloud services. It directly supports GDPR requirements for **records of processing activities (Art. 30)**, **security of processing (Art. 32)**, and **accountability (Art. 5(2))** by ensuring that all actions related to personal data can be tracked, reviewed, and evidenced. 
\n\nKey objectives of this section: \n- Detect **risky administrative actions** such as password resets, consent grants, or policy changes \n- Identify **suspicious logins** from inactive accounts or unusual sources that may indicate misuse of personal data \n- Monitor for **rare or unexpected audit events** that could signal attempts to bypass controls \n- Provide a reliable record of **who accessed what, when, and with what privileges** \n- Supply auditors with verifiable evidence of **control enforcement, activity logging, and retention** \n\nBy reviewing these metrics, analysts can confirm that **all processing activities are logged and monitored**, supporting GDPR requirements for transparency, oversight, and demonstrable compliance.\n" + }, + "name": "text - 2", + "id": "f4407721-5db2-4293-aada-4de45c5bd280" + } + ] + }, + "customWidth": "40", + "name": "group - 27", + "id": "e95a2f10-9cde-4760-85b0-f3801c61e9a1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "10", + "name": "text - 26", + "id": "50c953d9-3525-493b-a41a-dd062d0fbf67" + }, + { + "type": 1, + "content": { + "json": "| Audit Log (Entra ID)) | - | - |\r\n|:--| :--| :--|\r\n| Changing Passwords Across Multiple Cloud Accounts | Credential & Secret Search Activity by Users | Unexpected Logins From Inactive Accounts |\r\n| Rare Audit Activity Initiated |Suspicious Consent to Application Discovery |\r\n\r\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range and User. Only panels with data are shown." 
+ }, + "customWidth": "40", + "name": "SI OV", + "id": "f072461b-6c31-46f6-a78b-ae158c6dbb46" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let action = dynamic([\"change \", \"changed \", \"reset \"]);\r\nlet pWord = dynamic([\"password \", \"credentials \"]);\r\n(union isfuzzy=true\r\n (SecurityEvent\r\n | where EventID in (4723, 4724)\r\n | summarize\r\n StartTimeUtc = min(TimeGenerated),\r\n EndTimeUtc = max(TimeGenerated),\r\n ResultDescriptions = makeset(Activity),\r\n ActionCount = count()\r\n by\r\n Resource = Computer,\r\n OperationName = strcat(\"TargetAccount: \", TargetUserName),\r\n UserId = Account,\r\n Type\r\n ),\r\n (AuditLogs\r\n | where OperationName has_any (pWord) and OperationName has_any (action)\r\n | extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) \r\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName) \r\n | where ResultDescription != \"None\" \r\n | summarize\r\n StartTimeUtc = min(TimeGenerated),\r\n EndTimeUtc = max(TimeGenerated),\r\n ResultDescriptions = makeset(ResultDescription),\r\n CorrelationIds = makeset(CorrelationId),\r\n ActionCount = count()\r\n by\r\n OperationName = strcat(Category, \" - \", OperationName, \" - \", Result),\r\n Resource,\r\n UserId = TargetUserPrincipalName,\r\n Type\r\n | extend ResultDescriptions = tostring(ResultDescriptions)\r\n ),\r\n (OfficeActivity\r\n | where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\r\n | extend ResultDescriptions = case(\r\n OfficeWorkload =~ \"AzureActiveDirectory\",\r\n tostring(ExtendedProperties),\r\n OfficeWorkload has_any (\"Exchange\", \"OneDrive\"),\r\n OfficeObjectId,\r\n RecordType\r\n ) \r\n | summarize\r\n StartTimeUtc = min(TimeGenerated),\r\n EndTimeUtc = max(TimeGenerated),\r\n ResultDescriptions = makeset(ResultDescriptions),\r\n ActionCount = 
count()\r\n by\r\n Resource = OfficeWorkload,\r\n OperationName = strcat(Operation, \" - \", ResultStatus),\r\n IPAddress = ClientIP,\r\n UserId,\r\n Type\r\n ),\r\n (Syslog\r\n | where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\r\n | summarize\r\n StartTimeUtc = min(TimeGenerated),\r\n EndTimeUtc = max(TimeGenerated),\r\n ResultDescriptions = makeset(SyslogMessage),\r\n ActionCount = count()\r\n by\r\n Resource = HostName,\r\n OperationName = Facility,\r\n IPAddress = HostIP,\r\n ProcessName,\r\n Type\r\n ),\r\n (SigninLogs\r\n | where OperationName =~ \"Sign-in activity\" and ResultType has_any (\"50125\", \"50133\")\r\n | summarize\r\n StartTimeUtc = min(TimeGenerated),\r\n EndTimeUtc = max(TimeGenerated),\r\n ResultDescriptions = makeset(ResultDescription),\r\n CorrelationIds = makeset(CorrelationId),\r\n ActionCount = count()\r\n by\r\n Resource,\r\n OperationName = strcat(OperationName, \" - \", ResultType),\r\n IPAddress,\r\n UserId = UserPrincipalName,\r\n Type\r\n )\r\n)\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| summarize LogSource=make_set(Type), ActionCount=sum(ActionCount) by UserId\r\n| sort by ActionCount desc\r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "Changing Passwords Across Multiple Cloud Accounts", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + 
"thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "Results103", + "styleSettings": { + "maxWidth": "50" + }, + "id": "fdcd7a0a-0b3d-4e34-af8f-0927c3435c31" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "// Extend this list with items to search for\r\nlet keywords = dynamic([\"password\", \"pwd\", \"creds\", \"credentials\", \"secret\"]);\r\n// To exclude key phrases or tables to exclude add to these lists\r\nlet table_exclusions = dynamic([\"AuditLogs\", \"SigninLogs\", \"LAQueryLogs\", \"SecurityEvent\"]);\r\nlet keyword_exclusion = dynamic([\"reset user password\", \"change user password\"]);\r\nLAQueryLogs\r\n| where RequestClientApp != 'Sentinel-General'\r\n| extend querytext_lower = tolower(QueryText)\r\n| where querytext_lower has_any(keywords)\r\n| project TimeGenerated, AADEmail, QueryText, RequestClientApp, RequestTarget, ResponseCode, ResponseRowCount, ResponseDurationMs, CorrelationId\r\n| extend timestamp = TimeGenerated, Username = AADEmail\r\n| join kind=leftanti (LAQueryLogs\r\n | where RequestClientApp != 'Sentinel-General'\r\n | extend querytext_lower = tolower(QueryText)\r\n | where QueryText has_any(table_exclusions) or querytext_lower has_any(keyword_exclusion))\r\n on CorrelationId\r\n| where isnotempty(Username) and ResponseRowCount > 
0\r\n| where \"{UserPrincipalName:label}\" == \"All\" or Username in ({UserPrincipalName})\r\n| summarize count() by Username\r\n| sort by count_ desc\r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "Credential & Secret Search Activity by Users", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Username", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "Results104", + "styleSettings": { + "maxWidth": "50" + }, + "id": "fb49d794-87c9-4893-b14b-6e5c31939cf6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let recentWindow = 1d; // Accounts that logged in recently\r\nlet historyWindow = 30d; // Look back period for prior logins\r\nlet 
newAccountWindow = 7d; // Exclude accounts created in last 7 days\r\n// Step 1: Recent successful logins\r\nlet recentLogins = SigninLogs\r\n| where TimeGenerated >= ago(recentWindow)\r\n| where ResultType == 0\r\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), loginCountRecent = count() \r\n by UserPrincipalName, Identity;\r\n// Step 2: Exclude accounts that had successful logins in the historical period\r\nlet historicalLogins = SigninLogs\r\n| where TimeGenerated between (ago(historyWindow) .. ago(recentWindow))\r\n| where ResultType == 0\r\n| summarize by UserPrincipalName, Identity;\r\nlet dormantLogins = recentLogins\r\n| join kind=leftanti (historicalLogins) on UserPrincipalName;\r\n// Step 3: Exclude newly created accounts\r\nlet newAccounts = AuditLogs\r\n| where TimeGenerated >= ago(newAccountWindow)\r\n| where OperationName == \"Add user\"\r\n| extend NewUserPrincipalName = tolower(extractjson(\"$.userPrincipalName\", tostring(TargetResources[0]), typeof(string)));\r\ndormantLogins\r\n| join kind=leftanti (newAccounts) on $left.UserPrincipalName == $right.NewUserPrincipalName\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName\r\n| sort by count_ desc\r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "Unexpected Logins From Inactive Accounts", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "orange" + 
} + }, + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "Results105", + "styleSettings": { + "maxWidth": "50" + }, + "id": "70d3d081-9185-4b44-b7a3-304b41e26f8c" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let current = 1d;\r\nlet auditLookback = {TimeRange:grain};\r\nlet propertyIgnoreList = dynamic([\"TargetId.UserType\", \"StsRefreshTokensValidFrom\", \"LastDirSyncTime\", \"DeviceOSVersion\", \"CloudDeviceOSVersion\", \"DeviceObjectVersion\"]);\r\nlet AuditTrail = AuditLogs\r\n | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\r\n | where isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\r\n | extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n | extend InitiatedByIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\r\n | extend ModProps = TargetResources.[0].modifiedProperties\r\n | extend TargetUserPrincipalName = tolower(tostring(TargetResources.[0].userPrincipalName))\r\n | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\r\n | mv-expand ModProps\r\n | extend PropertyName = tostring(ModProps.displayName), newValue = 
tostring(parse_json(tostring(ModProps.newValue))[0])\r\n | where PropertyName !in~ (propertyIgnoreList) and (PropertyName !~ \"Action Client Name\" and newValue !~ \"DirectorySync\") and (PropertyName !~ \"Included Updated Properties\" and newValue !~ \"LastDirSyncTime\")\r\n | summarize count() by OperationName, InitiatedByUser, InitiatedByIPAddress, TargetUserPrincipalName, PropertyName, TargetResourceName;\r\nlet AccountMods = AuditLogs \r\n | where TimeGenerated >= ago(current)\r\n | where isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\r\n | extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n | extend InitiatedByIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\r\n | extend ModProps = TargetResources.[0].modifiedProperties\r\n | extend TargetUserPrincipalName = tolower(tostring(TargetResources.[0].userPrincipalName))\r\n | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\r\n | mv-expand ModProps\r\n | extend PropertyName = tostring(ModProps.displayName), newValue = tostring(parse_json(tostring(ModProps.newValue))[0])\r\n | where PropertyName !in~ (propertyIgnoreList) and (PropertyName !~ \"Action Client Name\" and newValue !~ \"DirectorySync\") and (PropertyName !~ \"Included Updated Properties\" and newValue !~ \"LastDirSyncTime\")\r\n | extend ModifiedProps = pack(\"PropertyName\", PropertyName, \"newValue\", newValue, \"Id\", Id, \"CorrelationId\", CorrelationId) \r\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Activity = make_bag(ModifiedProps) by Type, InitiatedByUser, InitiatedByIPAddress, TargetUserPrincipalName, Category, OperationName, PropertyName, TargetResourceName;\r\nlet RareAudits = AccountMods\r\n | join kind= leftanti (\r\n AuditTrail \r\n )\r\n on OperationName, InitiatedByUser, InitiatedByIPAddress;//, TargetUserPrincipalName, PropertyName; //uncomment if you want to see Rare 
Property changes to a given TargetUserPrincipalName.\r\nRareAudits \r\n| summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), make_set(Activity), make_set(PropertyName) by Type, InitiatedByUser, InitiatedByIPAddress, OperationName, TargetUserPrincipalName, TargetResourceName\r\n| extend StartTime, InitiatedByUser, Hostname = iff(set_PropertyName has_any ('DeviceOSType', 'CloudDeviceOSType'), TargetResourceName, ''), InitiatedByIPAddress\r\n| where \"{UserPrincipalName:label}\" == \"All\" or InitiatedByUser in ({UserPrincipalName})\r\n| distinct InitiatedByUser, OperationName, StartTime\r\n| sort by StartTime desc\r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "Rare Audit Activity Initiated", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "InitiatedByUser", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "pending", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + 
"columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "Results107", + "styleSettings": { + "maxWidth": "50" + }, + "id": "9859bf72-8015-406e-bc8e-140f395e477d" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let auditLookback = {TimeRange:grain};\r\n// Setting threshold to 3 as a default, change as needed. Any operation that has been initiated by a user or app more than 3 times in the past 30 days will be exluded\r\nlet threshold = 3;\r\n// Helper function to extract relevant fields from AuditLog events\r\nlet auditLogEvents = view (startTimeSpan: timespan) {\r\n AuditLogs\r\n | where TimeGenerated >= ago(auditLookback)\r\n | extend ModProps = TargetResources.[0].modifiedProperties\r\n | extend IpAddress = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)), \r\n tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))\r\n | extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \r\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\r\n | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\r\n | mvexpand ModProps\r\n | extend PropertyName = tostring(ModProps.displayName), newValue = replace('\\\"', \"\", tostring(ModProps.newValue));\r\n};\r\n// Get just the InitiatedBy and CorrleationId so we can look at associated audit activity\r\n// 2 other operations that can be part of malicious activity in this situation are \r\n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", replace the below if you are interested in those as starting points for OperationName\r\nlet HistoricalConsent = auditLogEvents(auditLookback) \r\n | where OperationName == \"Consent to application\"\r\n | summarize 
StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() \r\n by Type, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, PropertyName, newValue, CorrelationId, Id\r\n// Remove comment below to only include operations initiated by a user or app that is above the threshold for the last 30 days\r\n//| where OperationCount > threshold\r\n;\r\nlet Correlate = HistoricalConsent \r\n | summarize by InitiatedBy, CorrelationId;\r\n// 2 other operations that can be part of malicious activity in this situation are \r\n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", replace the below if you changed the starting OperationName above\r\nlet allOtherEvents = auditLogEvents(auditLookback) \r\n | where OperationName != \"Consent to application\";\r\n// Gather associated activity based on audit activity for \"Consent to application\" and InitiatedBy and CorrleationId\r\nlet CorrelatedEvents = Correlate \r\n | join allOtherEvents on InitiatedBy, CorrelationId\r\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \r\n by Type, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, PropertyName, newValue, CorrelationId, Id\r\n;\r\n// Union the results\r\nlet Results = union isfuzzy=true HistoricalConsent, CorrelatedEvents;\r\n// newValues that are simple semi-colon separated, make those dynamic for easy viewing and Aggregate into the PropertyUpdate set based on CorrelationId and Id(DirectoryId)\r\nResults\r\n| extend newValue = split(newValue, \";\")\r\n| extend PropertyUpdate = pack(PropertyName, newValue, \"Id\", Id)\r\n// Extract scope requested\r\n| extend perms = tostring(parse_json(tostring(PropertyUpdate.[\"ConsentAction.Permissions\"]))[0])\r\n| extend scope = extract('Scope:\\\\s*([^,\\\\]]*)', 1, perms)\r\n// Filter out some common openid, and low privilege request scopes - uncomment line below to filter out where no scope is requested\r\n//| where 
isnotempty(scope)\r\n| where scope !contains 'openid' and scope !in ('user_impersonation', 'User.Read')\r\n| summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), PropertyUpdateSet = make_bag(PropertyUpdate), make_set(scope)\r\n by InitiatedBy, IpAddress, TargetResourceName, OperationName, CorrelationId\r\n| extend StartTime, InitiatedBy, IpAddress\r\n| where \"{UserPrincipalName:label}\" == \"All\" or InitiatedBy in ({UserPrincipalName})\r\n| summarize count() by InitiatedBy\r\n| sort by count_ desc", + "size": 0, + "showAnalytics": true, + "title": "Suspicious Consent to Application Discovery", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Operation", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ] + } + }, + "customWidth": "50", + "name": "Results108", + "styleSettings": { + "maxWidth": "50" + }, + "id": "276f4e0a-d0e7-4ce2-99d8-b37c3e86dfc7" } - }, - { - "columnMatch": "PurviewSubscriptionId", - "formatter": 5 - }, - { - "columnMatch": "SourceOwner", - "formatter": 5 - }, - { 
- "columnMatch": "AssetOwner", - "formatter": 5 - }, - { - "columnMatch": "ActivityTrigger", - "formatter": 5 - }, - { - "columnMatch": "Classification", - "formatter": 5 - }, - { - "columnMatch": "ClassificationCount", - "formatter": 5 - }, - { - "columnMatch": "SensitivityLabelGuid", - "formatter": 5 - }, - { - "columnMatch": "UserId", - "formatter": 5 - } - ], - "filter": true, - "labelSettings": [ - { - "columnId": "AssetPath", - "label": "Asset Path" - }, - { - "columnId": "AssetLastScanTime", - "label": "Asset Last Scan Time" - }, - { - "columnId": "SensitivityLabel", - "label": "Sensitivity Label" - }, - { - "columnId": "SourcePath", - "label": "Source Path" - } ] - } }, - "customWidth": "50", "conditionalVisibility": { - "parameterName": "Results204", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 13", - "styleSettings": { - "showBorder": true - } - } - ] - }, - "conditionalVisibility": { - "parameterName": "isPurviewLogsVisible", - "comparison": "isEqualTo", - "value": "true" - }, - "name": "Purview Logs" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## 🗄 Azure SQL Databases\r\n\r\nThis section helps you monitor **access to classified and sensitive data stored in Azure SQL databases**. It supports GDPR requirements for **security of processing (Art. 32)** and **data protection by design and by default (Art. 25)** by detecting anomalies, tracking access patterns, and providing evidence of safeguards around personal data. 
\r\n\r\nKey objectives of this section: \r\n- Identify **daily anomaly scores** to highlight unusual database activity that may indicate misuse or data exfiltration \r\n- Monitor **queries by sensitivity labels and information types** to ensure personal data is accessed only for legitimate purposes \r\n- Track **application and IP access** to classified data for accountability and traceability \r\n- Detect potential **privilege misuse or unauthorized access attempts** by reviewing query and principal activity over time \r\n- Provide auditors with proof of **continuous monitoring of database activity** against sensitive data assets \r\n\r\nBy analyzing these metrics, analysts can confirm that **personal data stored in databases is accessed appropriately**, and that monitoring controls are in place to detect and respond to suspicious or non-compliant activity.\r\n" - }, - "customWidth": "40", - "name": "text - 4" - }, - { - "type": 1, - "content": { - "json": "" - }, - "customWidth": "10", - "name": "text - 5" - }, - { - "type": 1, - "content": { - "json": "| Azure SQL Databases | | |\r\n|:--| - | - |\r\n| Daily anomaly scores, by database | Anomaly score over time for the selected database (from the list above) | Daily activity over time for the selected database (from the list above) |\r\n| Number of queries, by sensitivity label | Number of queries, by information type | Number of queries, by principal |\r\n|Number of queries, Details|Application access to classified data (by information type)|IP access to classified data (by information type)|\r\n\r\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range, Servers and Databases. Only panels with data are shown. 
\r\n" - }, - "customWidth": "40", - "name": "text - 6" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "value::selected" - ], - "parameters": [ - { - "id": "332be9fd-33ad-407e-843e-5f2c49a50b6a", - "version": "KqlParameterItem/1.0", - "name": "Servers", - "type": 5, - "isRequired": true, - "multiSelect": true, - "quote": "\"", - "delimiter": ",", - "query": "where type == \"microsoft.sql/servers\"\r\n| project id=tolower(id)", - "crossComponentResources": [ - "{Subscription}" - ], - "typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], - "selectAllValue": "", - "showDefault": false - }, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "value": [ - "value::all" - ] - }, - { - "id": "b4cc825f-166b-4929-916a-21b8073748c2", - "version": "KqlParameterItem/1.0", - "name": "Databases", - "type": 5, - "isRequired": true, - "multiSelect": true, - "quote": "'", - "delimiter": ",", - "query": "where type == \"microsoft.sql/servers/databases\"\r\n| project id=tolower(id)\r\n| extend serverName = split(id,'/databases/')[0]\r\n| where serverName in ({Servers})\r\n| project id", - "crossComponentResources": [ - "value::selected" - ], - "typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], - "selectAllValue": "", - "showDefault": false - }, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "value": [ - "value::all" - ] - } - ], - "style": "pills", - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - "name": "parameters - 1" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "7afa304d-b448-4d6c-8c54-69e51a7249a9", - "version": 
"KqlParameterItem/1.0", - "name": "Results205", - "type": 1, - "query": "AzureDiagnostics\r\n| where TimeGenerated > {TimeRange:start}\r\n| where ResourceType == \"SERVERS/DATABASES\"\r\n| where Category == \"SQLSecurityAuditEvents\"\r\n| where tolower(ResourceId) in ({Databases})\r\n| extend Database = strcat(LogicalServerName_s, '/', database_name_s)\r\n| summarize DailyCount = count() by ResourceId, Database, bin_at(TimeGenerated, 1d, now())\r\n| make-series metric = sum(DailyCount) on TimeGenerated in range({TimeRange:start}, now()-1d, 1d) by ResourceId, Database\r\n| extend series_decompose_anomalies(metric) // Anomaly detection\r\n| project ResourceId, Database, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\r\n| extend MaxAnomalyScore = AnomalyScore, MinAnomalyScore = AnomalyScore, AnomlyScoreTrend = AnomalyScore\r\n| mv-apply MaxAnomalyScore to typeof(real) on (top 1 by MaxAnomalyScore desc)\r\n| mv-apply MinAnomalyScore to typeof(real) on (top 1 by MinAnomalyScore asc)\r\n| mv-expand with_itemindex=Index AnomalyScore\r\n| where Index == array_length(DailyCounts)-1\r\n| project-away day, Index\r\n| extend AnomalyScoreAbs = abs(toreal(AnomalyScore))\r\n| extend WasAnomalous = iif(MaxAnomalyScore > 3 or MinAnomalyScore < -3, true, false)\r\n| extend Anomalous = iif(AnomalyScoreAbs > 3, true, false)\r\n| order by AnomalyScoreAbs desc\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 2592000000 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results205" - }, - { - "type": 9, - 
"content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "c303d4f8-4af1-4516-945e-66798123d9d9", - "version": "KqlParameterItem/1.0", - "name": "Results206", - "type": 1, - "query": "AzureDiagnostics \r\n| where tolower(ResourceId) in ({Databases})\r\n| where data_sensitivity_information_s != \"\" \r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n| mvexpand parsed \r\n| extend label = tostring(parsed[\"@label\"]) \r\n| where label != \"\" \r\n| summarize dcount = dcount(sequence_group_id_g) by label\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results206" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "3ce1ba31-e991-4012-a9f9-b1196c54f4e5", - "version": "KqlParameterItem/1.0", - "name": "Results207", - "type": 1, - "query": "AzureDiagnostics \r\n| where tolower(ResourceId) in ({Databases})\r\n| where data_sensitivity_information_s != \"\" \r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n| mvexpand parsed \r\n| extend info_type = tostring(parsed[\"@information_type\"]) \r\n| where info_type != \"\" \r\n| summarize dcount = dcount(sequence_group_id_g) by info_type\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - 
"crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results207" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "a13bcd2c-8f8b-4087-94fe-862c41b78c56", - "version": "KqlParameterItem/1.0", - "name": "Results208", - "type": 1, - "query": "AzureDiagnostics \r\n| where tolower(ResourceId) in ({Databases})\r\n| where data_sensitivity_information_s != \"\" \r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n| mvexpand parsed \r\n| extend Principal = server_principal_name_s\r\n| summarize dcount = dcount(sequence_group_id_g) by Principal\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results208" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "3cc27864-9c39-42e8-9cd6-25e1dfb9bcca", - "version": "KqlParameterItem/1.0", - "name": "Results210", - "type": 1, - "query": "AzureDiagnostics \r\n| where tolower(ResourceId) in ({Databases})\r\n| where 
data_sensitivity_information_s != \"\" \r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n| mvexpand parsed \r\n| extend label = tostring(parsed[\"@label\"]) \r\n| where label != \"\" \r\n| summarize dcount = dcount(sequence_group_id_g) by label_and_app = strcat(label, \" | \", application_name_s)\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results210" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "59b17e09-3c6d-4a11-a18d-2bc61a3ceba3", - "version": "KqlParameterItem/1.0", - "name": "Results211", - "type": 1, - "query": "AzureDiagnostics \r\n| where tolower(ResourceId) in ({Databases})\r\n| where data_sensitivity_information_s != \"\" \r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n| mvexpand parsed \r\n| extend label = tostring(parsed[\"@label\"]) \r\n| where label != \"\" \r\n| summarize dcount = dcount(sequence_group_id_g) by label_and_ip = strcat(label, \" | \", client_ip_s) \r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": 
"pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "parameterName": "isAuditLogsVisible", + "comparison": "isEqualTo", + "value": "true" }, - "customWidth": "20", - "name": "Results211" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AzureDiagnostics\r\n| where TimeGenerated > {TimeRange:start}\r\n| where ResourceType == \"SERVERS/DATABASES\"\r\n| where Category == \"SQLSecurityAuditEvents\"\r\n| where tolower(ResourceId) in ({Databases})\r\n| extend Database = strcat(LogicalServerName_s, '/', database_name_s)\r\n| summarize DailyCount = count() by ResourceId, Database, bin_at(TimeGenerated, 1d, now())\r\n| make-series metric = sum(DailyCount) on TimeGenerated in range({TimeRange:start}, now()-1d, 1d) by ResourceId, Database\r\n| extend series_decompose_anomalies(metric) // Anomaly detection\r\n| project ResourceId, Database, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\r\n| extend MaxAnomalyScore = AnomalyScore, MinAnomalyScore = AnomalyScore, AnomlyScoreTrend = AnomalyScore\r\n| mv-apply MaxAnomalyScore to typeof(real) on (top 1 by MaxAnomalyScore desc)\r\n| mv-apply MinAnomalyScore to typeof(real) on (top 1 by MinAnomalyScore asc)\r\n| mv-expand with_itemindex=Index AnomalyScore\r\n| where Index == array_length(DailyCounts)-1\r\n| project-away day, Index\r\n| extend AnomalyScoreAbs = abs(toreal(AnomalyScore))\r\n| extend WasAnomalous = iif(MaxAnomalyScore > 3 or MinAnomalyScore < -3, true, false)\r\n| extend Anomalous = iif(AnomalyScoreAbs > 3, true, false)\r\n| order by AnomalyScoreAbs desc\r\n", - "size": 0, - "title": "Daily anomaly scores, by database", - "timeContextFromParameter": "TimeRange", - "exportFieldName": "ResourceId", - "exportParameterName": "SelectedResource", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - 
"gridSettings": { - "formatters": [ - { - "columnMatch": "DailyCounts", - "formatter": 9, - "formatOptions": { - "palette": "blue" - } - }, - { - "columnMatch": "AnomalyScore", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "startsWith", - "thresholdValue": "-", - "representation": "trenddown", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "right", - "text": "{0}{1}" - }, - { - "operator": "Default", - "representation": "trendup", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "MaxAnomalyScore", - "formatter": 1 - }, - { - "columnMatch": "MinAnomalyScore", - "formatter": 5 - }, - { - "columnMatch": "AnomlyScoreTrend", - "formatter": 9, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "AnomalyScoreAbs", - "formatter": 5 - }, - { - "columnMatch": "WasAnomalous", - "formatter": 1 - }, - { - "columnMatch": "Anomalous", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "Results205", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 1" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AzureDiagnostics\r\n| where TimeGenerated > {TimeRange:start}\r\n| where ResourceType == \"SERVERS/DATABASES\"\r\n| where Category == \"SQLSecurityAuditEvents\"\r\n| where tolower(ResourceId) == tolower('{SelectedResource}')\r\n| summarize DailyCount = count() by ResourceId, bin_at(TimeGenerated, 1d, now())\r\n| make-series metric = sum(DailyCount) on TimeGenerated in range({TimeRange:start}, now()-1d, 1d) by ResourceId\r\n| extend series_decompose_anomalies(metric) // Anomaly detection\r\n| project ResourceId, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\r\n", - "size": 0, - "title": "Anomaly score over time for the selected database (from the list above)", - 
"color": "orange", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "timechart", - "chartSettings": { - "yAxis": [ - "AnomalyScore" - ], - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true - } - } - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results205", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 2 - Copy" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AzureDiagnostics\r\n| where TimeGenerated > {TimeRange:start}\r\n| where ResourceType == \"SERVERS/DATABASES\"\r\n| where Category == \"SQLSecurityAuditEvents\"\r\n| where tolower(ResourceId) == tolower('{SelectedResource}')\r\n| summarize DailyCount = count() by ResourceId, bin_at(TimeGenerated, 1d, now())\r\n| make-series metric = sum(DailyCount) on TimeGenerated in range({TimeRange:start}, now()-1d, 1d) by ResourceId\r\n| extend series_decompose_anomalies(metric) // Anomaly detection\r\n| project ResourceId, day = (TimeGenerated), DailyCounts = metric, AnomalyScore = series_decompose_anomalies_metric_ad_score\r\n", - "size": 0, - "title": "Daily activity over time for the selected database (from the list above)", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "timechart", - "chartSettings": { - "yAxis": [ - "DailyCounts" - ], - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true - } - } - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results205", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 2" - }, - { - "type": 3, - "content": { - "version": 
"KqlItem/1.0", - "query": "AzureDiagnostics \r\n| where tolower(ResourceId) in ({Databases})\r\n| where data_sensitivity_information_s != \"\" \r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n| mvexpand parsed \r\n| extend label = tostring(parsed[\"@label\"]) \r\n| where label != \"\" \r\n| summarize dcount = dcount(sequence_group_id_g) by label", - "size": 0, - "title": "Number of queries, by sensitivity label", - "timeContextFromParameter": "TimeRange", - "exportMultipleValues": true, - "exportedParameters": [ - { - "fieldName": "label", - "parameterName": "SelectedLabel", - "parameterType": 1 - } - ], - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "label", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "dcount", - "formatter": 12, - "formatOptions": { - "palette": "auto" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "showBorder": false - } - }, - "customWidth": "33", - "conditionalVisibility": { - "parameterName": "Results206", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 3 - Copy", - "styleSettings": { - "margin": "0", - "padding": "0" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AzureDiagnostics \r\n| where tolower(ResourceId) in ({Databases})\r\n| where data_sensitivity_information_s != \"\" \r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n| mvexpand parsed \r\n| extend info_type = tostring(parsed[\"@information_type\"]) \r\n| where info_type != \"\" \r\n| summarize dcount = dcount(sequence_group_id_g) by info_type", - "size": 0, - "title": "Number of queries, by information type", - 
"timeContextFromParameter": "TimeRange", - "exportMultipleValues": true, - "exportedParameters": [ - { - "fieldName": "info_type", - "parameterName": "SelectedInformationType", - "parameterType": 1 - } - ], - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "tiles", - "tileSettings": { - "showBorder": false, - "titleContent": { - "columnMatch": "info_type", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "dcount", - "formatter": 12, - "formatOptions": { - "palette": "auto" - }, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } - } - } - }, - "chartSettings": { - "createOtherGroup": 10 - } - }, - "customWidth": "33", - "conditionalVisibility": { - "parameterName": "Results207", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 3 - Copy - Copy", - "styleSettings": { - "margin": "0", - "padding": "0" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AzureDiagnostics \r\n| where tolower(ResourceId) in ({Databases})\r\n| where data_sensitivity_information_s != \"\" \r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n| mvexpand parsed \r\n| extend Principal = server_principal_name_s\r\n| summarize dcount = dcount(sequence_group_id_g) by Principal", - "size": 0, - "title": "Number of queries, by principal", - "timeContextFromParameter": "TimeRange", - "exportMultipleValues": true, - "exportedParameters": [ - { - "fieldName": "Principal", - "parameterName": "SelectedPrincipal", - "parameterType": 1 - } - ], - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "Principal", - "formatter": 1 - }, - "leftContent": { - "columnMatch": 
"dcount", - "formatter": 12, - "formatOptions": { - "palette": "auto" - }, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } - } - }, - "showBorder": false - }, - "chartSettings": { - "createOtherGroup": 10 - } - }, - "customWidth": "33", - "conditionalVisibility": { - "parameterName": "Results208", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 3 - Copy - Copy - Copy", - "styleSettings": { - "margin": "0", - "padding": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "387f6bac-5c95-41e3-9556-641188130759", - "version": "KqlParameterItem/1.0", - "name": "Results209", - "type": 1, - "query": "AzureDiagnostics\r\n| where tolower(ResourceId) in ({Databases})\r\n| where isempty(data_sensitivity_information_s) == false\r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n//| evaluate bag_unpack(parsed, columnsConflict='keep_source')\r\n| mvexpand parsed \r\n| project TimeGenerated, ResourceId, Label = tostring(parsed.['@label']), InformationType = tostring(parsed.['@information_type'])\r\n , Succeeded = succeeded_s, Principal = server_principal_name_s, ClientIP = client_ip_s, Application = application_name_s, Statement = statement_s, Rows = response_rows_d, Action = action_name_s\r\n| where Label != \"\" or InformationType != \"\"\r\n| where isempty('{SelectedLabel}') or (strcat('\"',Label,'\"') in (split('{SelectedLabel}',',')))\r\n| where isempty('{SelectedInformationType}') or (strcat('\"',InformationType,'\"') in (split('{SelectedInformationType}',',')))\r\n| where isempty('{SelectedPrincipal}') or (strcat('\"',Principal,'\"') in (split('{SelectedPrincipal}',',')))\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - 
"{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results208" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AzureDiagnostics\r\n| where tolower(ResourceId) in ({Databases})\r\n| where isempty(data_sensitivity_information_s) == false\r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n//| evaluate bag_unpack(parsed, columnsConflict='keep_source')\r\n| mvexpand parsed \r\n| project TimeGenerated, ResourceId, Label = tostring(parsed.['@label']), InformationType = tostring(parsed.['@information_type'])\r\n , Succeeded = succeeded_s, Principal = server_principal_name_s, ClientIP = client_ip_s, Application = application_name_s, Statement = statement_s, Rows = response_rows_d, Action = action_name_s\r\n| where Label != \"\" or InformationType != \"\"\r\n| where isempty('{SelectedLabel}') or (strcat('\"',Label,'\"') in (split('{SelectedLabel}',',')))\r\n| where isempty('{SelectedInformationType}') or (strcat('\"',InformationType,'\"') in (split('{SelectedInformationType}',',')))\r\n| where isempty('{SelectedPrincipal}') or (strcat('\"',Principal,'\"') in (split('{SelectedPrincipal}',',')))", - "size": 0, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ] - }, - "conditionalVisibility": { - "parameterName": "Results209", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 15" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AzureDiagnostics \r\n| where tolower(ResourceId) in 
({Databases})\r\n| where data_sensitivity_information_s != \"\" \r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n| mvexpand parsed \r\n| extend label = tostring(parsed[\"@label\"]) \r\n| where label != \"\" \r\n| summarize dcount = dcount(sequence_group_id_g) by label_and_app = strcat(label, \" | \", application_name_s)\r\n| order by label_and_app asc, dcount desc", - "size": 0, - "title": "Application access to classified data (by sensitivity label)", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "piechart" - }, - "customWidth": "40", - "conditionalVisibility": { - "parameterName": "Results210", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 3 - Copy - Copy", - "styleSettings": { - "margin": "0", - "padding": "0" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AzureDiagnostics \r\n| where tolower(ResourceId) in ({Databases})\r\n| where data_sensitivity_information_s != \"\" \r\n| extend parsed=parse_xml(data_sensitivity_information_s).sensitivity_attributes.sensitivity_attribute \r\n| mvexpand parsed \r\n| extend label = tostring(parsed[\"@label\"]) \r\n| where label != \"\" \r\n| summarize dcount = dcount(sequence_group_id_g) by label_and_ip = strcat(label, \" | \", client_ip_s) \r\n| order by label_and_ip asc, dcount desc", - "size": 0, - "title": "IP access to classified data (by sensitivity label)", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "piechart", - "tileSettings": { - "showBorder": false, - "titleContent": { - "columnMatch": "action_name_s", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "count_", - "formatter": 12, - 
"formatOptions": { - "palette": "auto" - }, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } - } - } - }, - "graphSettings": { - "type": 0, - "topContent": { - "columnMatch": "action_name_s", - "formatter": 1 - }, - "centerContent": { - "columnMatch": "count_", - "formatter": 1, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } - } - } - } - }, - "customWidth": "40", - "conditionalVisibility": { - "parameterName": "Results211", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 3", - "styleSettings": { - "margin": "0", - "padding": "0" - } - } - ] - }, - "conditionalVisibility": { - "parameterName": "isAzureSQLDatabasesVisible", - "comparison": "isEqualTo", - "value": "true" - }, - "name": "Azure SQL Databases" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "7afa304d-b448-4d6c-8c54-69e51a7249a9", - "version": "KqlParameterItem/1.0", - "name": "Results46", - "type": 1, - "query": "let AnomalySignIns = BehaviorAnalytics\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\r\n| extend FirstTimeUserAction = tostring(ActivityInsights.FirstTimeUserPerformedAction)\r\n| extend UncommonAction = tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\r\n| extend UncommonVolumeOfActions = tostring(ActivityInsights.UncommonHighVolumeOfActions)\r\n| where FirstTimeDeviceLogon == \"True\" or FirstTimeUserAction == \"True\" or UncommonAction == \"True\" or UncommonVolumeOfActions == \"True\";\r\nAnomalySignIns | join (SigninLogs) on UserPrincipalName\r\n| limit 1\r\n| summarize 
count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": null - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results205" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "1ba464d7-3754-40c5-9518-7fa597d2e910", - "version": "KqlParameterItem/1.0", - "name": "Results47", - "type": 1, - "query": "let AnomalySignIns = BehaviorAnalytics\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\r\n| extend FirstTimeUserAction = tostring(ActivityInsights.FirstTimeUserPerformedAction)\r\n| extend UncommonAction = tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\r\n| extend UncommonVolumeOfActions = tostring(ActivityInsights.UncommonHighVolumeOfActions)\r\n| where FirstTimeDeviceLogon == \"True\" or FirstTimeUserAction == \"True\" or UncommonAction == \"True\" or UncommonVolumeOfActions == \"True\";\r\nAnomalySignIns | join (SigninLogs) on UserPrincipalName\r\n| where SourceIPLocation <> \"\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": null - } - ], - "style": "pills", - "doNotRunWhenHidden": true, 
- "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results47" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "65c2cb9f-754e-4a6e-9f49-f8d6b656a4f0", - "version": "KqlParameterItem/1.0", - "name": "Results48", - "type": 1, - "query": "let UncommonActionVolume = BehaviorAnalytics\r\n| extend UncommonActionVolume = tostring(ActivityInsights.UncommonHighVolumeOfActions)\r\n| where UncommonActionVolume == \"True\"\r\n| summarize count() by UserPrincipalName\r\n| project-rename UncommonActionVolume = count_;\r\nlet UncommonAction = BehaviorAnalytics\r\n| extend UncommonAction = tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\r\n| where UncommonAction == \"True\"\r\n| summarize count() by UserPrincipalName\r\n| project-rename UncommonAction = count_;\r\nlet Uncommon = UncommonActionVolume | join(UncommonAction) on UserPrincipalName;\r\nlet FirstTimeDeviceLogon = BehaviorAnalytics\r\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\r\n| where FirstTimeDeviceLogon == \"True\"\r\n| summarize count() by UserPrincipalName\r\n| project-rename FirstTimeDeviceLogon = count_;\r\nlet FirstTimeUserAction = BehaviorAnalytics\r\n| extend FirstTimeUserAction = tostring(ActivityInsights.FirstTimeUserPerformedAction)\r\n| where FirstTimeUserAction == \"True\"\r\n| summarize count() by UserPrincipalName\r\n| project-rename FirstTimeUserAction = count_;\r\nlet FirstTime = FirstTimeUserAction | join(FirstTimeDeviceLogon) on UserPrincipalName;\r\nUncommon | join kind=fullouter(FirstTime) on UserPrincipalName\r\n| where UserPrincipalName <> \"\"\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| project UserPrincipalName, UncommonActionVolume, UncommonAction, FirstTimeUserAction, FirstTimeDeviceLogon\r\n| limit 1\r\n| 
summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": null - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results48" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "802544a8-295d-49ac-ac30-7669812ffc07", - "version": "KqlParameterItem/1.0", - "name": "Results49", - "type": 1, - "query": "AADUserRiskEvents\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results49" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "292eaf4d-ee6f-4b78-acf1-2f625846dfdb", - "version": "KqlParameterItem/1.0", - "name": "Results50", - "type": 1, - "query": "BehaviorAnalytics\r\n| where ActionType == \"Reset user password\"\r\n| where ActivityInsights has \"True\"\r\n| join (\r\n AuditLogs\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n| mv-expand TargetResources\r\n| 
extend Target = iff(tostring(TargetResources.userPrincipalName) has \"#EXT#\", replace(\"_\", \"@\", tostring(split(TargetResources.userPrincipalName, \"#\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\r\n| extend UserPrincipalName = iff(UserPrincipalName has \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName has \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n| sort by TimeGenerated desc\r\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": null - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results50" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "402cb027-2e34-4a17-8ede-e0778b245e49", - "version": "KqlParameterItem/1.0", - "name": "Results51", - "type": 1, - "query": "BehaviorAnalytics\r\n| where ActivityType == \"LogOn\"\r\n| where UsersInsights.BlastRadius == \"High\"\r\n| join (\r\nSigninLogs | where Status.errorCode == 50126\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains 
\"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": null - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results51" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "d6c529ca-65d1-49fc-87a0-5013578dcecf", - "version": "KqlParameterItem/1.0", - "name": "Results52", - "type": 1, - "query": "BehaviorAnalytics\r\n| where ActionType == \"Sign-in\"\r\n| where ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True and ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True\r\n | join (\r\nSigninLogs\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| project TimeGenerated, UserName, 
UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": null - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results52" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "776977c6-0e80-44ca-ac00-b875a0dbb650", - "version": "KqlParameterItem/1.0", - "name": "Results53", - "type": 1, - "query": "//Critical Roles: can impersonate any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)\r\n//High Roles: Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app\r\nlet critical = 
dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\r\nAuditLogs\r\n| where OperationName == \"Update user\"\r\n| mv-expand AdditionalDetails\r\n| mv-expand TargetResources\r\n| where AdditionalDetails.key == \"UserPrincipalName\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where RoleId in (critical,high)\r\n| where isnotempty(RoleId) or isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) has \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( BehaviorAnalytics\r\n) on $left._ItemId == $right.SourceRecordId\r\n| where UsersInsights.BlastRadius == \"High\" or ActivityInsights has \"True\"\r\n| extend UserPrincipalName = iff(UserPrincipalName has \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName has \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, 
\"#\")[0])),UserName) \r\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName\r\n| sort by count_ desc\r\n| limit 100\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": null - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results53" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "48c0ca65-2da9-4c48-a95b-ea7b5aebc36b", - "version": "KqlParameterItem/1.0", - "name": "Results54", - "type": 1, - "query": "//Critical Roles: can impersonate any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)\r\n//High Roles: Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app\r\nlet critical = 
dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\r\nAuditLogs\r\n| where OperationName == \"Add user\"\r\n| mv-expand AdditionalDetails\r\n| mv-expand TargetResources\r\n| where AdditionalDetails.key == \"UserPrincipalName\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where RoleId in (critical,high)\r\n| where isnotempty(RoleId) or isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) has \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( BehaviorAnalytics\r\n) on $left._ItemId == $right.SourceRecordId\r\n| where UsersInsights.BlastRadius == \"High\" or ActivityInsights has \"True\"\r\n| extend UserPrincipalName = iff(UserPrincipalName has \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName has \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, 
\"#\")[0])),UserName) \r\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": null - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results54" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "ef5b3c8e-c859-4e9a-8b73-c60f23732867", - "version": "KqlParameterItem/1.0", - "name": "Results55", - "type": 1, - "query": "let critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = 
dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\r\nAuditLogs\r\n| where OperationName == \"Add member to role\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where RoleId in (critical,high)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = tostring(TargetResources.userPrincipalName)\r\n| where isnotempty(RoleId) or isnotempty(RoleName)\r\n| join kind=inner ( BehaviorAnalytics\r\n) on $left._ItemId == $right.SourceRecordId\r\n| where UsersInsights.BlasrRadius == \"High\" or ActivityInsights has \"True\"\r\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": null - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results55" - }, - { - "type": 1, - "content": { - "json": "# 
📊 [User & Entity Behavior Analytics (UEBA)](https://docs.microsoft.com/azure/sentinel/identify-threats-with-entity-behavior-analytics)\n---\n\nThis section focuses on detecting **anomalous behaviors by users and entities** that may indicate insider threats, compromised accounts, or attempts to exfiltrate personal data. It supports GDPR obligations around **security of processing (Art. 32)** and **accountability (Art. 5(2))** by helping organizations proactively identify suspicious activity that could put personal data at risk. \n\nKey objectives of this section: \n- Highlight **user anomalies** such as unusual access times, geolocations, or activity volumes \n- Detect **high-risk behaviors** flagged by Microsoft’s identity protection and analytics models \n- Monitor **entity risk scores** to prioritize investigations of potentially compromised accounts or devices \n- Correlate **web session anomalies** to identify potential data exfiltration attempts \n- Provide auditors with evidence of **continuous monitoring of user activity and proactive risk detection** \n\nBy reviewing these metrics, analysts can ensure that **unusual or risky behaviors are identified early**, reducing the likelihood of personal data misuse or unauthorized disclosure, and demonstrating effective monitoring controls under GDPR.\n" - }, - "customWidth": "40", - "name": "text - 2" - }, - { - "type": 1, - "content": { - "json": "" - }, - "customWidth": "10", - "name": "text - 14" - }, - { - "type": 1, - "content": { - "json": "| User & Entity Behavior Analytics (UEBA) | - | - |\r\n|:--| :--| :--| \r\n| Anomalous Activity by Geolocation | Anomalous Activity by User & GeoLocation | Entity Behavior Analytics Alerts |\r\n| User Anomalies | User Sign-in Risk Details |ASim WebSession: Detect potential data exfilteration using timeseries anomaly|\r\n| Anomalous Password Reset | Anomalous Failed Logon |Anomalous Geolocation Logon|\r\n| Anomalous AAD Account Manipulation | Anomalous Account Creation 
|Anomalous Role Assignment|\r\n\r\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range and User." - }, - "customWidth": "40", - "name": "text - 14" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let AnomalySignIns = BehaviorAnalytics\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\r\n| extend FirstTimeUserAction = tostring(ActivityInsights.FirstTimeUserPerformedAction)\r\n| extend UncommonAction = tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\r\n| extend UncommonVolumeOfActions = tostring(ActivityInsights.UncommonHighVolumeOfActions)\r\n| where FirstTimeDeviceLogon == \"True\" or FirstTimeUserAction == \"True\" or UncommonAction == \"True\" or UncommonVolumeOfActions == \"True\";\r\nAnomalySignIns | join (SigninLogs) on UserPrincipalName", - "size": 3, - "showAnalytics": true, - "title": "Anomalous Activity by Geolocation", - "noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). 
See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "map", - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "warning", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "UncommonActionVolume", - "formatter": 4, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "UncommonAction", - "formatter": 4, - "formatOptions": { - "palette": "green" - } - }, - { - "columnMatch": "FirstTimeUserAction", - "formatter": 4, - "formatOptions": { - "palette": "blue" - } - }, - { - "columnMatch": "FirstTimeDeviceLogon", - "formatter": 4, - "formatOptions": { - "palette": "yellow" - } - }, - { - "columnMatch": "IncidentCount", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "AlertCount", - "formatter": 8, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "AnomalyCount", - "formatter": 8, - "formatOptions": { - "palette": "yellow" - } - } - ] - }, - "sortBy": [], - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - 
"showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "latitude_", - "longitude": "longitude_", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "labelSettings": "city_", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "redBright" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results46", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results46" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let AnomalySignIns = BehaviorAnalytics\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\r\n| extend FirstTimeUserAction = tostring(ActivityInsights.FirstTimeUserPerformedAction)\r\n| extend UncommonAction = tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\r\n| extend UncommonVolumeOfActions = tostring(ActivityInsights.UncommonHighVolumeOfActions)\r\n| where FirstTimeDeviceLogon == \"True\" or FirstTimeUserAction == \"True\" or UncommonAction == \"True\" or UncommonVolumeOfActions == \"True\";\r\nAnomalySignIns | join (SigninLogs) on UserPrincipalName\r\n| where SourceIPLocation <> \"\"\r\n| summarize count() by UserPrincipalName, SourceIPLocation\r\n| sort by count_ desc\r\n| limit 100", - "size": 0, - "showAnalytics": true, - "title": "Anomalous Activity by User & GeoLocation", - "noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). 
See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Location", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Globe", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "SourceIPLocation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Globe", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 4, - "formatOptions": { - "palette": "redBright" - } - } - ], - "filter": true - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results47", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 14" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let AnomalousSigninActivity = BehaviorAnalytics\r\n | where ActionType == \"Sign-in\"\r\n | where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\r\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\r\n or ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\r\n | join (\r\n 
SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \"none\"\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indication from AAD\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', '158c047a-c907-4556-b7ef-446551a6b5f7', '62e90394-69f5-4237-9190-012177145e10', 'd29b2b05-8046-44ba-8758-1e26182fcf32', '729827e3-9c14-49f7-bb1b-9608f156bbb8', '966707d0-3269-4727-9be2-8c3a10f19b9d', '194ae4cb-b126-40b2-bd5b-6091b380977d', 'fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c', '7495fdc4-34c4-4d15-a289-98788ce399fd', 'aaf43236-0c0d-4d5f-883a-6955382ac081', '3edaf663-341e-4475-9f94-5c398ef6c070', '7698a772-787b-4ac8-901f-60d6b08affd2', 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', '9f06204d-73c1-4d4c-880a-6edb90606fd8', '29232cdf-9323-42fd-ade2-1d097af3e4de', 
'be2f45a1-457d-42af-a067-6ec1fa63bc45', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13', 'e8611ab8-c189-46e8-94e1-60213ab1f814']);//insider\r\nlet AnomalousRoleAssignment = AuditLogs\r\n | where TimeGenerated > ago(28d)\r\n | where OperationName == \"Add member to role\"\r\n | mv-expand TargetResources\r\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n | where isnotempty(RoleId) and RoleId in (critical, high)\r\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n | where isnotempty(RoleName)\r\n | extend TargetId = tostring(TargetResources.id)\r\n | extend Target = tostring(TargetResources.userPrincipalName)\r\n | join kind=inner (\r\n BehaviorAnalytics\r\n | where ActionType == \"Add member to role\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n )\r\n on $left._ItemId == $right.SourceRecordId\r\n | extend AnomalyName = \"Anomalous Role Assignment\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. 
The query below generates an output of all high Blast Radius users performing Add member to privileged role, or ones that add users for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, RoleName, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; let LogOns=materialize(\r\n BehaviorAnalytics\r\n | where ActivityType == \"LogOn\");\r\nlet AnomalousResourceAccess = LogOns\r\n | where ActionType == \"ResourceAccess\"\r\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n | extend AnomalyName = \"Anomalous Resource Access\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousRDPActivity = LogOns\r\n | where ActionType == \"RemoteInteractiveLogon\"\r\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n | extend AnomalyName = \"Anomalous RDP Activity\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. 
FIN10, for example, has used RDP to move laterally to systems in the victim environment. The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousLogintoDevices = LogOns\r\n | where ActionType == \"InteractiveLogon\"\r\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n | where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\r\n | extend AnomalyName = \"Anomalous Login To Devices\",\r\n Tactic = \"Privilege Escalation\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. 
The query below generates an output of all administrator users performing an interactive logon (4624:2) to a device for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousPasswordReset = BehaviorAnalytics\r\n | where ActionType == \"Reset user password\"\r\n | where ActivityInsights.FirstTimeUserPerformedAction == \"True\"\r\n | join (\r\n AuditLogs\r\n | where OperationName == \"Reset user password\"\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | mv-expand TargetResources\r\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(TargetResources.userPrincipalName, \"#\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Password Reset\",\r\n Tactic = \"Impact\",\r\n Technique = \"Account Access Removal\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority\r\n | sort by TimeGenerated desc;\r\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\r\n | where ActionType == \"Sign-in\"\r\n | where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\r\n | join (\r\n SigninLogs\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Initial Access\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousFailedLogon = BehaviorAnalytics\r\n | where ActivityType == \"LogOn\"\r\n | where UsersInsights.BlastRadius == \"High\"\r\n | join (\r\n SigninLogs \r\n | where Status.errorCode == 50126\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Failed Logon\",\r\n Tactic = \"Credential Access\",\r\n Technique = \"Brute Force\",\r\n SubTechnique = \"Password Guessing\",\r\n Description = \"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousAADAccountManipulation = AuditLogs\r\n | where OperationName == \"Update user\"\r\n | mv-expand AdditionalDetails\r\n | where AdditionalDetails.key == \"UserPrincipalName\"\r\n | mv-expand TargetResources\r\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n | where isnotempty(RoleId) and RoleId in (critical, high)\r\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n | where isnotempty(RoleName)\r\n | extend TargetId = tostring(TargetResources.id)\r\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(TargetResources.userPrincipalName, \"#\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\r\n | join kind=inner ( \r\n BehaviorAnalytics\r\n | where ActionType == \"Update user\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n )\r\n on $left._ItemId == $right.SourceRecordId\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName) \r\n | extend AnomalyName = \"Anomalous Account Manipulation\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may 
manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to privileged role, or ones that changed users for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, RoleName, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\r\n | where ActionType == \"Add user\"\r\n | where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\r\n | join(\r\n AuditLogs\r\n | where OperationName == \"Add user\"\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | mv-expand TargetResources\r\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(TargetResources.userPrincipalName, \"#\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\r\n | extend DisplayName = tostring(UsersInsights.AccountDisplayName),\r\n UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Account Creation\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Create Account\",\r\n SubTechnique = \"Cloud Account\",\r\n Description = \"Adversaries may create 
a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\"\t\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority\r\n | sort by TimeGenerated desc;\r\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\r\nlet TopUsersByAnomalies = AnomalyTable\r\n | summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\r\n | project Name=tolower(UserName), UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\r\n | sort by AnomalyCount desc;\r\nlet TopUsersByIncidents = SecurityIncident\r\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n | where Status == \"New\" or Status == \"Active\"\r\n | mv-expand AlertIds\r\n | extend AlertId = tostring(AlertIds)\r\n | join kind= innerunique ( \r\n SecurityAlert \r\n )\r\n on $left.AlertId == $right.SystemAlertId\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = 
tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"])\r\n | extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n | union TopUsersByAnomalies\r\n | extend \r\n AadPivot = iff(isempty(AadUserId), iff(isempty(Sid), Name, Sid), AadUserId),\r\n SidPivot = iff(isempty(Sid), iff(isempty(AadUserId), Name, AadUserId), Sid),\r\n UPNExists = iff(isempty(UPN), false, true),\r\n NameExists = iff(isempty(Name), false, true),\r\n SidExists = iff(isempty(Sid), false, true),\r\n AADExists = iff(isempty(AadUserId), false, true)\r\n | summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber, 4), AlertCount=dcountif(AlertId, isnotempty(AlertId), 4), AnomalyCount=sum(AnomalyCount), any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true), NameAnchor=anyif(Name, NameExists == true), AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true), any(SidPivot) by AadPivot\r\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title, any_Severity, any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\r\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), AadAnchor=anyif(AadAnchor, 
isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity, any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\r\n | project [\"UserName\"]=NameAnchor, IncidentCount, AlertCount, AnomalyCount, [\"AadUserId\"]=AadAnchor, [\"OnPremSid\"]=SidAnchor, [\"UserPrincipalName\"]=UPNAnchor;\r\nTopUsersByIncidents\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| project UserPrincipalName, IncidentCount, AlertCount, AnomalyCount\r\n| sort by AlertCount desc\r\n| limit 100", - "size": 0, - "showAnalytics": true, - "title": "Entity Behavior Analytics Alerts", - "noDataMessage": "No results, Confirm Sentinel Entity Behavior is Enabled", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "IncidentCount", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "AlertCount", - "formatter": 8, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "AnomalyCount", - "formatter": 8, - "formatOptions": { - "palette": "yellow" - } - } - ], - "rowLimit": 2500, - "filter": true, - "sortBy": [ - { - "itemKey": "$gen_heatmap_AlertCount_2", - "sortOrder": 2 - } - ] - }, - "sortBy": [ - { - "itemKey": "$gen_heatmap_AlertCount_2", - "sortOrder": 2 - } - ], - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - 
"palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "name": "query - 1", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let UncommonActionVolume = BehaviorAnalytics\r\n| extend UncommonActionVolume = tostring(ActivityInsights.UncommonHighVolumeOfActions)\r\n| where UncommonActionVolume == \"True\"\r\n| summarize count() by UserPrincipalName\r\n| project-rename UncommonActionVolume = count_;\r\nlet UncommonAction = BehaviorAnalytics\r\n| extend UncommonAction = tostring(ActivityInsights.ActionUncommonlyPerformedByUser)\r\n| where UncommonAction == \"True\"\r\n| summarize count() by UserPrincipalName\r\n| project-rename UncommonAction = count_;\r\nlet Uncommon = UncommonActionVolume | join(UncommonAction) on UserPrincipalName;\r\nlet FirstTimeDeviceLogon = BehaviorAnalytics\r\n| extend FirstTimeDeviceLogon = tostring(ActivityInsights.FirstTimeUserLoggedOnToDevice)\r\n| where FirstTimeDeviceLogon == \"True\"\r\n| summarize count() by UserPrincipalName\r\n| project-rename FirstTimeDeviceLogon = count_;\r\nlet FirstTimeUserAction = BehaviorAnalytics\r\n| extend FirstTimeUserAction = 
tostring(ActivityInsights.FirstTimeUserPerformedAction)\r\n| where FirstTimeUserAction == \"True\"\r\n| summarize count() by UserPrincipalName\r\n| project-rename FirstTimeUserAction = count_;\r\nlet FirstTime = FirstTimeUserAction | join(FirstTimeDeviceLogon) on UserPrincipalName;\r\nUncommon | join kind=fullouter(FirstTime) on UserPrincipalName\r\n| where UserPrincipalName <> \"\"\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| project UserPrincipalName, UncommonActionVolume, UncommonAction, FirstTimeUserAction, FirstTimeDeviceLogon\r\n| sort by UncommonActionVolume desc \r\n| limit 100", - "size": 0, - "showAnalytics": true, - "title": "User Anomalies", - "noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "UncommonActionVolume", - "formatter": 4, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "UncommonAction", - "formatter": 4, - "formatOptions": { - "palette": "green" - } - }, - { - "columnMatch": "FirstTimeUserAction", - "formatter": 4, - "formatOptions": { - "palette": "blue" - } - }, - { - "columnMatch": "FirstTimeDeviceLogon", - "formatter": 4, - "formatOptions": { - "palette": "yellow" - } - }, - { - "columnMatch": 
"IncidentCount", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "AlertCount", - "formatter": 8, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "AnomalyCount", - "formatter": 8, - "formatOptions": { - "palette": "yellow" - } - } - ], - "filter": true, - "sortBy": [ - { - "itemKey": "$gen_bar_FirstTimeDeviceLogon_4", - "sortOrder": 2 - } - ] - }, - "sortBy": [ - { - "itemKey": "$gen_bar_FirstTimeDeviceLogon_4", - "sortOrder": 2 - } - ], - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results48", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 4", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "AADUserRiskEvents\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| extend UserProfile = 
strcat(\"#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\",UserId)\r\n| extend countryOrRegion_ = tostring(Location.countryOrRegion)\r\n| extend city_ = tostring(Location.city)\r\n| extend state_ = tostring(Location.state)\r\n| extend latitude_ = tostring(parse_json(tostring(Location.geoCoordinates)).latitude)\r\n| extend longitude_ = tostring(parse_json(tostring(Location.geoCoordinates)).longitude)\r\n| distinct UserPrincipalName, UserProfile, RiskLevel, RiskEventType, city_, state_, countryOrRegion_, UserId\r\n| limit 100", - "size": 0, - "showAnalytics": true, - "title": "User Sign-in Risk Details", - "noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See How To: Configure and enable Microsoft Entra ID: Identity Protection risk policies (https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies)", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "UserProfile", - "formatter": 7, - "formatOptions": { - "linkTarget": "OpenBlade", - "linkLabel": "EntraID User Profile >>", - "bladeOpenContext": { - "bladeName": "UserDetailsMenuBlade", - "extensionName": "Microsoft_AAD_IAM", - "bladeParameters": [ - { - "name": "userId", - "source": "column", - "value": "UserId" - } - ] - } - } - }, - { - "columnMatch": "RiskLevel", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "high", - "representation": 
"Sev0", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "medium", - "representation": "Sev1", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "low", - "representation": "Sev2", - "text": "{0}{1}" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "Sev3", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "UserId", - "formatter": 5 - } - ], - "filter": true - } - }, - "conditionalVisibility": { - "parameterName": "Results49", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 14" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let start = {TimeRange:grain};\r\nlet end = 1d;\r\nlet timeframe = 1h;\r\nlet scorethreshold = 5;\r\nlet bytessentperhourthreshold = 10;\r\nlet TimeSeriesData = _Im_WebSession(starttime=start, endtime=now())\r\n | where isnotempty(DstIpAddr)\r\n and not(ipv4_is_private(DstIpAddr))\r\n | summarize SrcBytesSum=tolong(sum(SrcBytes)) by EventProduct, bin(TimeGenerated, 1h)\r\n | extend EventTime = TimeGenerated\r\n | make-series TotalBytesSent = sum(SrcBytesSum) on EventTime from startofday(ago(start)) to startofday(now()) step timeframe by EventProduct;\r\n// TimeSeriesData block ends here\r\n//Take only anomalies in TimeSeriesData\r\nlet TimeSeriesAnomalies = materialize(TimeSeriesData\r\n | extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, 'linefit')\r\n | mv-expand\r\n TotalBytesSent to typeof(long),\r\n EventTime to typeof(datetime),\r\n anomalies to typeof(double),\r\n score to typeof(double),\r\n baseline to typeof(long)\r\n | where anomalies > 0 and baseline > 0\r\n | extend AnomalyHour = EventTime\r\n | extend\r\n TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024) / 1024), 2),\r\n BaselineBytesSentinMBperHour = round(((baseline / 1024) / 1024), 2),\r\n score = round(score, 2)\r\n | project\r\n EventProduct,\r\n AnomalyHour,\r\n TotalBytesSentinMBperHour,\r\n 
BaselineBytesSentinMBperHour,\r\n anomalies,\r\n score\r\n //| where AnomalyHour between (startofday(ago(end)) .. startofday(now())) // Get TimeSeriesAnomalies in previous day\r\n );\r\n let AnomalyHours = materialize (TimeSeriesAnomalies\r\n | project AnomalyHour);\r\n //Previous day aggregated per hour\r\n let Last14DayLogs = \r\n _Im_WebSession(starttime=start, endtime=now())\r\n | extend DateHour = bin(TimeGenerated, timeframe) // create a new column and round to hour\r\n | where DateHour in (AnomalyHours) // Filter dataset to include only anomaly AnomalyHours\r\n | where isnotempty(DstIpAddr) and isnotempty(SrcIpAddr) and isnotempty(SrcBytes)\r\n | where not(ipv4_is_private(DstIpAddr))\r\n | project\r\n TimeGenerated,\r\n DateHour,\r\n DstIpAddr,\r\n SrcIpAddr,\r\n SrcBytes,\r\n DstBytes,\r\n DstPortNumber,\r\n EventProduct\r\n | summarize\r\n HourlyCount = count(),\r\n TimeGeneratedMax = arg_max(TimeGenerated, *),\r\n DestinationIPList = make_set(DstIpAddr, 100),\r\n DestinationPortList = make_set(DstPortNumber, 100),\r\n TotalSentBytes = tolong(sum(SrcBytes)),\r\n TotalReceivedBytes = tolong(sum(DstBytes))\r\n by SrcIpAddr, EventProduct, TimeGeneratedHour = bin(TimeGenerated, timeframe)\r\n | extend\r\n SentBytesinMB = ((TotalSentBytes / 1024) / 1024),\r\n ReceivedBytesinMB = ((TotalReceivedBytes / 1024) / 1024)\r\n | where SentBytesinMB > bytessentperhourthreshold\r\n | sort by TimeGeneratedHour asc, SentBytesinMB desc\r\n | extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\r\n | where Rank <= 10 // Selecting Top 10 records with Highest BytesSent in each Hour\r\n | project\r\n EventProduct,\r\n TimeGeneratedHour,\r\n TimeGeneratedMax,\r\n SrcIpAddr,\r\n DestinationIPList,\r\n DestinationPortList,\r\n SentBytesinMB,\r\n ReceivedBytesinMB,\r\n Rank,\r\n HourlyCount;\r\n Last14DayLogs", - "size": 0, - "showAnalytics": true, - "title": "ASim WebSession: Detect potential data exfilteration using 
timeseries anomaly", - "noDataMessage": "There are no results within the selected thresholds.", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "UserProfile", - "formatter": 7, - "formatOptions": { - "linkTarget": "OpenBlade", - "linkLabel": "EntraID User Profile >>", - "bladeOpenContext": { - "bladeName": "UserDetailsMenuBlade", - "extensionName": "Microsoft_AAD_IAM", - "bladeParameters": [ - { - "name": "userId", - "source": "column", - "value": "UserId" - } - ] - } - } - }, - { - "columnMatch": "RiskLevel", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "high", - "representation": "Sev0", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "medium", - "representation": "Sev1", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "low", - "representation": "Sev2", - "text": "{0}{1}" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "Sev3", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "UserId", - "formatter": 5 - } - ], - "filter": true - } - }, - "name": "query - 14" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "BehaviorAnalytics\r\n| where ActionType == \"Reset user password\"\r\n| where ActivityInsights has \"True\"\r\n| join (\r\n AuditLogs\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n| mv-expand TargetResources\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) has \"#EXT#\", replace(\"_\", \"@\", 
tostring(split(TargetResources.userPrincipalName, \"#\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\r\n| extend UserPrincipalName = iff(UserPrincipalName has \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName has \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n| sort by TimeGenerated desc\r\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName\r\n| sort by count_ desc\r\n| limit 100", - "size": 0, - "showAnalytics": true, - "title": "Anomalous Password Reset", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - }, - { - "columnMatch": "IPAddress", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "uninitialized", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - 
"sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results50", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results50", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "BehaviorAnalytics\r\n| where ActivityType == \"LogOn\"\r\n| where UsersInsights.BlastRadius == \"High\"\r\n| join (\r\nSigninLogs | where Status.errorCode == 50126\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName\r\n| sort by count_ desc\r\n| limit 100", - "size": 0, - "showAnalytics": true, - "title": "Anomalous Failed Logon", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", 
- "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "IPAddress", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "uninitialized", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - } - ] - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results51", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results51", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "BehaviorAnalytics\r\n| where ActionType == \"Sign-in\"\r\n| where ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True and ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True\r\n | join (\r\nSigninLogs\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, 
SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName\r\n| sort by count_ desc\r\n| limit 100", - "size": 0, - "showAnalytics": true, - "title": "Anomalous Geolocation Logon", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "IPAddress", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "uninitialized", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - } - ] - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results52", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results52", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "//Critical Roles: can 
impersonate any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)\r\n//High Roles: Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app\r\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\r\nAuditLogs\r\n| where OperationName == \"Update user\"\r\n| mv-expand AdditionalDetails\r\n| mv-expand TargetResources\r\n| where AdditionalDetails.key == \"UserPrincipalName\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where RoleId in (critical,high)\r\n| where isnotempty(RoleId) or isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) has \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, 
\"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( BehaviorAnalytics\r\n) on $left._ItemId == $right.SourceRecordId\r\n| where UsersInsights.BlastRadius == \"High\" or ActivityInsights has \"True\"\r\n| extend UserPrincipalName = iff(UserPrincipalName has \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName has \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName) \r\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName\r\n| sort by count_ desc\r\n| limit 100", - "size": 0, - "showAnalytics": true, - "title": "Anomalous AAD Account Manipulation", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "IPAddress", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "uninitialized", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - } - ] - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - 
"longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results53", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results53", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "//Critical Roles: can impersonate any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)\r\n//High Roles: Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app\r\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = 
dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\r\nAuditLogs\r\n| where OperationName == \"Add user\"\r\n| mv-expand AdditionalDetails\r\n| mv-expand TargetResources\r\n| where AdditionalDetails.key == \"UserPrincipalName\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where RoleId in (critical,high)\r\n| where isnotempty(RoleId) or isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) has \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( BehaviorAnalytics\r\n) on $left._ItemId == $right.SourceRecordId\r\n| where UsersInsights.BlastRadius == \"High\" or ActivityInsights has \"True\"\r\n| extend UserPrincipalName = iff(UserPrincipalName has \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName has \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName) \r\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName\r\n| 
sort by count_ desc\r\n| limit 100", - "size": 0, - "showAnalytics": true, - "title": "Anomalous Account Creation", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "IPAddress", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "uninitialized", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - } - ] - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results54", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results54", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let critical = 
dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\r\nAuditLogs\r\n| where OperationName == \"Add member to role\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where RoleId in (critical,high)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = tostring(TargetResources.userPrincipalName)\r\n| where isnotempty(RoleId) or isnotempty(RoleName)\r\n| join kind=inner ( BehaviorAnalytics\r\n) on $left._ItemId == $right.SourceRecordId\r\n| where UsersInsights.BlasrRadius == \"High\" or ActivityInsights has \"True\"\r\n| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName\r\n| sort by count_ desc\r\n| limit 100",
- "size": 0,
- "showAnalytics": true,
- "title": "Anomalous Role Assignment",
- "timeContextFromParameter": "TimeRange",
- "showRefreshButton": true,
- "showExportToExcel": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "UserPrincipalName",
- "formatter": 18,
- "formatOptions": {
- "thresholdsOptions": "icons",
- "thresholdsGrid": [
- {
- "operator": "Default",
- "thresholdValue": null,
- "representation": "resource",
- "text": "{0}{1}"
- }
- ]
- }
- },
- {
- "columnMatch": "IPAddress",
- "formatter": 18,
- "formatOptions": {
- "thresholdsOptions": "icons",
- "thresholdsGrid": [
- {
- "operator": "Default",
- "thresholdValue": null,
- "representation": "uninitialized",
- "text": "{0}{1}"
- }
- ]
- }
- },
- {
- "columnMatch": "count_",
- "formatter": 8,
- "formatOptions": {
- "palette": "blue"
- }
- }
- ]
- },
- "mapSettings": {
- "locInfo": "CountryRegion",
- "locInfoColumn": "Location",
- "latitude": "SourceIPLocation",
- "longitude": "SourceIPLocation",
- "sizeSettings": "Location",
- "sizeAggregation": "Count",
- "legendMetric": "Location",
- "legendAggregation": "Count",
- "itemColorSettings": {
- "nodeColorField": "Location",
- "colorAggregation": "Count",
- "type": "thresholds",
- "thresholdsGrid": [
- {
- "operator": "Default",
- "thresholdValue": null,
- "representation": "blueDark"
- }
- ]
- }
- }
- },
- "customWidth": "50",
- "conditionalVisibility": {
- "parameterName": "Results55",
- "comparison": "isEqualTo",
- "value": "Yes"
- },
- "name": "Results55",
- "styleSettings": {
- "maxWidth": "50"
- }
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "isUEBAVisible",
- "comparison": "isEqualTo",
- "value": "true"
- },
- "name": "Entity Insights"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "# 📂 [Microsoft 365 Activity](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender)\n---\n\nThis section monitors **user and administrator activities across Microsoft 365 services** such as Exchange, SharePoint, OneDrive, and Teams. It supports GDPR obligations for **integrity and confidentiality of personal data (Art. 5(1)(f))**, **records of processing activities (Art. 30)**, and **security of processing (Art. 32)** by ensuring that access and modifications to personal data are visible, traceable, and appropriately controlled. \n\nKey objectives of this section: \n- Track **file activity actions** to identify how sensitive data is being accessed, shared, or modified \n- Detect **risky behaviors** such as external sharing, non-owner mailbox access, or unusual PowerShell sign-ins \n- Monitor for **policy tampering, malicious inbox rules, and Exchange audit log changes** that could undermine data protection \n- Identify **unusual user behaviors in Teams and SharePoint**, including mass deletions, uploads, or operations from previously unseen devices or IPs \n- Provide auditors with detailed evidence of **user actions, administrative changes, and protections applied to personal data** \n\nBy analyzing these metrics, analysts can validate that **personal data within Microsoft 365 is accessed and processed lawfully**, and that the organization maintains robust monitoring to detect misuse or unauthorized disclosures.\n"
- },
- "customWidth": "40",
- "name": "text - 2"
- },
- {
- "type": 1,
- "content": {
- "json": ""
- },
- "customWidth": "10",
- "name": "text - 56"
- },
- {
- "type": 1,
- "content": {
- "json": "| Microsoft 365 Activity | - | - | \r\n|:--| :--| :--|\r\n| File Activity Actions | File Activity Actions over Time | Most Frequently Accessed Files |\r\n| File Transfer Activity by User Over Time | File activity by external users | Previously Unseen Exchange Admin Operations (Last 1 Day) |\r\n| SharePoint File Operations by Users from Previously Unseen IPs | SharePointFileOperation via Devices with Previously Unseen User Agents |Non-Owner Mailbox Login Activity |\r\n| PowerShell or Non-Browser Mailbox Sign-In Activity | Multiple Teams Deleted by a Single User | User Added to Team and Immediately Uploads File |\r\n|Executable with Double File Extension and Acces Summary |Mail Redirect via Exchange Transport Rules | Email Forwarding|\r\n| User Added as Owner of Multiple Teams | Exchange Audit Log Disabled | Malicious Inbox Rule: Removing Helpdesk/Security Warning Emails|\r\n|Office Policy Tampering |Windows Reserved Filenames Staged on Office File Services|\r\n\r\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range and User. Only panels with data are shown.\r\n"
- },
- "customWidth": "50",
- "name": "SI OV"
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "parameters": [
- {
- "id": "51f438d6-e64f-4e00-9cb4-a3be91405e38",
- "version": "KqlParameterItem/1.0",
- "name": "Classifications",
- "type": 2,
- "multiSelect": true,
- "quote": "'",
- "delimiter": ",",
- "query": "PurviewDataSensitivityLogs\r\n| where Classification != \"[]\"\r\n| mv-expand Classification // expand array if multiple classifications exist\r\n| extend Classification = tostring(Classification)\r\n| summarize by Classification\r\n| order by Classification asc",
- "typeSettings": {
- "additionalResourceOptions": [
- "value::all"
- ],
- "selectAllValue": "All",
- "showDefault": false
- },
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": [
- "value::all"
- ]
- }
- ],
- "style": "pills",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "10",
- "name": "parameters - 41"
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "parameters": [
- {
- "id": "c4a56865-2460-45f6-b264-a1040b7b3818",
- "version": "KqlParameterItem/1.0",
- "name": "SensitivityLabels",
- "type": 2,
- "multiSelect": true,
- "quote": "'",
- "delimiter": ",",
- "query": "PurviewDataSensitivityLogs\r\n| where SensitivityLabel != \"[]\"\r\n| mv-expand SensitivityLabel // expand array if multiple classifications exist\r\n| extend SensitivityLabel = tostring(SensitivityLabel)\r\n| summarize by SensitivityLabel\r\n| order by SensitivityLabel asc",
- "typeSettings": {
- "additionalResourceOptions": [
- "value::all"
- ],
- "selectAllValue": "All",
- "showDefault": false
- },
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "defaultValue": "value::all",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- }
- ],
- "style": "pills",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "10",
- "name": "parameters - 41 - Copy"
- },
- {
- "type": 1,
- "content": {
- "json": ""
- },
- "customWidth": "80",
- "name": "text - 43"
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "2a891328-fdea-48e1-9363-99fc0ac0468c",
- "version": "KqlParameterItem/1.0",
- "name": "Results80",
- "type": 1,
- "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| where Operation contains \"file\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": null
- }
- ],
- "style": "pills",
- "doNotRunWhenHidden": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "10",
- "name": "Results80",
- "styleSettings": {
- "maxWidth": "0"
- }
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "3a9f9b6b-8bd2-462a-840f-58d00dc9a937",
- "version": "KqlParameterItem/1.0",
- "name": "Results81",
- "type": 1,
- "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\n//let startTime = {TimeRange:grain}; // Adjust as needed\r\nOfficeActivity\r\n//| where TimeGenerated >= startTime\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| where EventSource == \"SharePoint\" and OfficeWorkload has_any(\"SharePoint\", \"OneDrive\") and Operation has_any (\"FileDownloaded\", \"FileSyncDownloadedFull\", \"FileSyncUploadedFull\", \"FileUploaded\")\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": null
- }
- ],
- "style": "pills",
- "doNotRunWhenHidden": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "10",
- "name": "Results81",
- "styleSettings": {
- "maxWidth": "0"
- }
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "ebc6e154-835c-4dc9-9142-e84e21a723e3",
- "version": "KqlParameterItem/1.0",
- "name": "Results83",
- "type": 1,
- "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| where ExternalAccess == \"True\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": null
- }
- ],
- "style": "pills",
- "doNotRunWhenHidden": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "10",
- "name": "Results83",
- "styleSettings": {
- "maxWidth": "0"
- }
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "0d5b45d1-3217-43e6-affd-56b73e7d3560",
- "version": "KqlParameterItem/1.0",
- "name": "Results85",
- "type": 1,
- "query": "let starttime = {TimeRange:grain};\r\nlet endtime = 1d;\r\nlet historicalActivity=\r\n OfficeActivity\r\n | where TimeGenerated between(ago(starttime)..ago(endtime))\r\n | where RecordType == \"ExchangeAdmin\" and UserType in (\"Admin\", \"DcAdmin\")\r\n | summarize historicalCount=count() by UserId;\r\nlet recentActivity = OfficeActivity\r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n | where TimeGenerated > ago(endtime)\r\n | where UserType in (\"Admin\", \"DcAdmin\")\r\n | summarize recentCount=count() by UserId;\r\nrecentActivity\r\n| join kind = leftanti (\r\n historicalActivity\r\n )\r\n on UserId\r\n| project UserId, recentCount\r\n| order by recentCount asc, UserId\r\n| join kind = rightsemi \r\n (OfficeActivity \r\n | where TimeGenerated >= ago(endtime) \r\n | where RecordType == \"ExchangeAdmin\"\r\n | where UserType in (\"Admin\", \"DcAdmin\")) \r\n on UserId\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": null
- }
- ],
- "style": "pills",
- "doNotRunWhenHidden": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "10",
- "name": "Results85",
- "styleSettings": {
- "maxWidth": "0"
- }
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "fd74a8c1-4044-49f4-82de-b2653dc51d7c",
- "version": "KqlParameterItem/1.0",
- "name": "Results86",
- "type": 1,
- "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nlet starttime = {TimeRange:grain};\r\nlet endtime = 1d;\r\nlet historicalActivity=\r\n OfficeActivity\r\n | where RecordType == \"SharePointFileOperation\"\r\n | where Operation in (\"FileDownloaded\", \"FileUploaded\")\r\n | where TimeGenerated between(ago(starttime)..ago(endtime))\r\n | summarize historicalCount=count() by ClientIP;\r\nlet recentActivity = OfficeActivity\r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n | where RecordType == \"SharePointFileOperation\"\r\n | where Operation in (\"FileDownloaded\", \"FileUploaded\")\r\n | where TimeGenerated > ago(endtime);\r\nrecentActivity\r\n| join kind= leftanti (\r\n historicalActivity \r\n )\r\n on ClientIP\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": null
- }
- ],
- "style": "pills",
- "doNotRunWhenHidden": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "10",
- "name": "Results86",
- "styleSettings": {
- "maxWidth": "0"
- }
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "b5149369-531f-4db9-b16d-ae6af2af2ce6",
- "version": "KqlParameterItem/1.0",
- "name": "Results87",
- "type": 1,
- "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nlet starttime = {TimeRange:grain};\r\nlet endtime = 1d;\r\nlet historicalActivity=\r\n OfficeActivity\r\n | where RecordType == \"SharePointFileOperation\"\r\n | where Operation in (\"FileDownloaded\", \"FileUploaded\")\r\n | where TimeGenerated between(ago(starttime)..ago(endtime))\r\n | summarize historicalCount=count() by UserAgent, RecordType;\r\nlet recentActivity = OfficeActivity\r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n | where RecordType == \"SharePointFileOperation\"\r\n | where Operation in (\"FileDownloaded\", \"FileUploaded\")\r\n | where TimeGenerated > ago(endtime);\r\nrecentActivity\r\n| join kind = leftanti (\r\n historicalActivity \r\n )\r\n on UserAgent, RecordType\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": null
- }
- ],
- "style": "pills",
- "doNotRunWhenHidden": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "10",
- "name": "Results87",
- "styleSettings": {
- "maxWidth": "0"
- }
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "64a696b7-19fc-4cd6-a0fb-6b8d943868dc",
- "version": "KqlParameterItem/1.0",
- "name": "Results88",
- "type": 1,
- "query": "OfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where Operation == \"MailboxLogin\" and Logon_Type != \"Owner\" \r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": null
- }
- ],
- "style": "pills",
- "doNotRunWhenHidden": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "10",
- "name": "Results88",
- "styleSettings": {
- "maxWidth": "0"
- }
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "57c00f66-6a47-4179-be44-c07b1f0f7ff1",
- "version": "KqlParameterItem/1.0",
- "name": "Results89",
- "type": 1,
- "query": "OfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where Operation == \"MailboxLogin\"\r\n| where ClientInfoString == \"Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": null
- }
- ],
- "style": "pills",
- "doNotRunWhenHidden": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "10",
- "name": "Results89",
- "styleSettings": {
- "maxWidth": "0"
- }
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "a6eb5e71-9e0f-46f7-891c-11ac8b8f03cd",
- "version": "KqlParameterItem/1.0",
- "name": "Results90",
- "type": 1,
- "query": "// Adjust this value to change how many Teams should be deleted before including\r\nlet max_delete = 3;\r\nlet deleting_users = (\r\n OfficeActivity\r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n | where OfficeWorkload =~ \"MicrosoftTeams\"\r\n | where Operation =~ \"TeamDeleted\"\r\n | summarize count() by UserId\r\n | where count_ > max_delete\r\n | project UserId);\r\nOfficeActivity\r\n| where OfficeWorkload =~ \"MicrosoftTeams\"\r\n| where Operation =~ \"TeamDeleted\"\r\n| where UserId in (deleting_users)\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": null
- }
- ],
- "style": "pills",
- "doNotRunWhenHidden": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "10",
- "name": "Results90",
- "styleSettings": {
- "maxWidth": "0"
- }
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "c9283cec-012f-4e89-917b-4ebfea0d4c9c",
- "version": "KqlParameterItem/1.0",
- "name": "Results91",
- "type": 1,
- "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nlet threshold = 1m;\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where OfficeWorkload =~ \"MicrosoftTeams\"\r\n| where Operation == \"MemberAdded\"\r\n| extend TeamName = iff(isempty(TeamName), Members[0].UPN, TeamName)\r\n| project TimeGenerated, UserId, UploaderID=UserId, TeamName\r\n| join (\r\n OfficeActivity\r\n | where RecordType == \"SharePointFileOperation\"\r\n | where SourceRelativeUrl has \"Microsoft Teams Chat Files\"\r\n | where Operation == \"FileUploaded\"\r\n | where SourceFileName has_any (PurviewClassifiedFiles)\r\n | project UserId, UploadTime=TimeGenerated, UploaderID=UserId, FileLocation=OfficeObjectId, FileName=SourceFileName\r\n )\r\n on UploaderID\r\n| where UploadTime > TimeGenerated and UploadTime < TimeGenerated + threshold\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": null
- }
- ],
- "style": "pills",
- "doNotRunWhenHidden": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "10",
- "name": "Results91",
- "styleSettings": {
- "maxWidth": "0"
- }
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "045e5099-2b58-4af1-8525-5620752bed66",
- "version": "KqlParameterItem/1.0",
- "name": "Results92",
- "type": 1,
- "query": "let known_ext = dynamic([\"lnk\", \"log\", \"option\", \"config\", \"manifest\", \"partial\"]);\r\nlet excluded_users = dynamic([\"app@sharepoint\"]);\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where RecordType =~ \"SharePointFileOperation\" and isnotempty(SourceFileName)\r\n| where OfficeObjectId has \".exe.\" and SourceFileExtension !in~ (known_ext)\r\n| extend Extension = extract(\"[^.]*.[^.]*$\", 0, OfficeObjectId)\r\n| join kind= leftouter ( \r\n OfficeActivity\r\n | where RecordType =~ \"SharePointFileOperation\" and (Operation =~ \"FileDownloaded\" or Operation =~ \"FileAccessed\") \r\n | where SourceFileExtension !in~ (known_ext)\r\n )\r\n on OfficeObjectId \r\n| where UserId1 !in~ (excluded_users)\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": null
- }
- ],
- "style": "pills",
- "doNotRunWhenHidden": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "10",
- "name": "Results92",
- "styleSettings": {
- "maxWidth": "0"
- }
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "fb33950d-7f2b-4304-b688-9cb0e103f6dc",
- "version": "KqlParameterItem/1.0",
- "name": "Results93",
- "type": 1,
- "query": "OfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where OfficeWorkload == \"Exchange\"\r\n| where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\r\n| extend p = parse_json(Parameters)\r\n| extend RuleName = case(\r\n Operation =~ \"Set-TransportRule\", tostring(OfficeObjectId),\r\n Operation =~ \"New-TransportRule\", tostring(p[1].Value),\r\n \"Unknown\"\r\n ) \r\n| mvexpand p\r\n| where (p.Name =~ \"BlindCopyTo\" or p.Name =~ \"RedirectMessageTo\") and isnotempty(p.Value)\r\n| extend RedirectTo = p.Value\r\n| extend ClientIPOnly = case( \r\n ClientIP has \".\" and ClientIP has \":\", tostring(split(ClientIP, \":\")[0]), \r\n ClientIP has \".\" and ClientIP has \"-\", tostring(split(ClientIP, \"-\")[0]), \r\n ClientIP has \"[\", tostring(trim_start(@'[[]', tostring(split(ClientIP, \"]\")[0]))),\r\n ClientIP\r\n ) \r\n| extend Port = case(\r\n ClientIP has \".\" and ClientIP has \":\", (split(ClientIP, \":\")[1]),\r\n ClientIP has \".\" and ClientIP has \"-\", (split(ClientIP, \"-\")[1]),\r\n ClientIP has \"[\" and ClientIP has \":\", tostring(split(ClientIP, \"]:\")[1]),\r\n ClientIP has \"[\" and ClientIP has \"-\", tostring(split(ClientIP, \"]-\")[1]),\r\n ClientIP\r\n )\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": null
- }
- ],
- "style": "pills",
- "doNotRunWhenHidden": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "10",
- "name": "Results93",
- "styleSettings": {
- "maxWidth": "0"
- }
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "dc33037c-0615-4f66-98b8-35e450068f1e",
- "version": "KqlParameterItem/1.0",
- "name": "Results94",
- "type": 1,
- "query": "// a threshold can be enabled, see commented line below for PrevSeenCount\r\nlet threshold = 1;\r\n// Reserved FileNames/Extension for Windows\r\nlet Reserved = dynamic(['CON', 'PRN', 'AUX', 'NUL', 'COM1', 'COM2', 'COM3', 'COM4', 'COM5', 'COM6', 'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9']);\r\nlet starttime = {TimeRange:grain};\r\nlet endtime = 1d;\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where TimeGenerated >= ago(endtime)\r\n| where isnotempty(SourceFileExtension)\r\n| where SourceFileName !~ SourceFileExtension\r\n| where SourceFileExtension in~ (Reserved) or SourceFileName in~ (Reserved)\r\n| where UserAgent !has \"Mac OS\" \r\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName, SourceFileExtension \r\n| join kind= leftanti (\r\n OfficeActivity\r\n | where TimeGenerated between (ago(starttime)..ago(endtime))\r\n | where isnotempty(SourceFileExtension)\r\n | where SourceFileName !~ SourceFileExtension\r\n | where SourceFileExtension in~ (Reserved) or SourceFileName in~ (Reserved)\r\n | where UserAgent !has \"Mac OS\" \r\n | summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId), SourceFileName = make_set(SourceFileName), PrevSeenCount = count() by SourceFileExtension\r\n // To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\r\n //| where PrevSeenCount > threshold\r\n | mvexpand SourceRelativeUrl, UserId, SourceFileName\r\n | extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId), SourceFileName = tostring(SourceFileName)\r\n )\r\n on SourceFileExtension\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": null
- }
- ],
- "style": "pills",
- "doNotRunWhenHidden": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "10",
- "name": "Results94",
- "styleSettings": {
- "maxWidth": "0"
- }
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "3d9de6bf-6bf9-42dd-9ed5-9e03ee5e48af",
- "version": "KqlParameterItem/1.0",
- "name": "Results95",
- "type": 1,
- "query": "OfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where (Operation =~ \"Set-Mailbox\" and Parameters contains 'ForwardingSmtpAddress') \r\n or (Operation =~ 'New-InboxRule' and Parameters contains 'ForwardTo')\r\n| extend parsed=parse_json(Parameters)\r\n| extend fwdingDestination_initial = (iif(Operation =~ \"Set-Mailbox\", tostring(parsed[1].Value), tostring(parsed[2].Value)))\r\n| where isnotempty(fwdingDestination_initial)\r\n| extend fwdingDestination = iff(fwdingDestination_initial has \"smtp\", (split(fwdingDestination_initial, \":\")[1]), fwdingDestination_initial)\r\n| parse fwdingDestination with * '@' ForwardedtoDomain \r\n| parse UserId with *'@' UserDomain\r\n| extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]), '.', tostring(split(UserDomain, '.')[-1])), '.')[0]))\r\n| where ForwardedtoDomain !contains subDomain\r\n| extend Result = iff(ForwardedtoDomain != UserDomain, \"Mailbox rule created to forward to External Domain\", \"Forward rule for Internal domain\")\r\n| extend ClientIPAddress = case(ClientIP has \".\", tostring(split(ClientIP, \":\")[0]), ClientIP has \"[\", tostring(trim_start(@'[[]', tostring(split(ClientIP, \"]\")[0]))), ClientIP)\r\n| extend Port = case(\r\n ClientIP has \".\", (split(ClientIP, \":\")[1]),\r\n ClientIP has \"[\", tostring(split(ClientIP, \"]:\")[1]),\r\n ClientIP\r\n )\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": null
- }
- ],
- "style": "pills",
- "doNotRunWhenHidden": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "0",
- "name": "Results95",
- "styleSettings": {
- "maxWidth": "0"
- }
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "e3a6793b-d24b-4e69-922a-6bce21138d10",
- "version": "KqlParameterItem/1.0",
- "name": "Results98",
- "type": 1,
- "query": "// Adjust this value to change how many teams a user is made owner of before detecting\r\nlet max_owner_count = 3;\r\n// Change this value to adjust how larger timeframe the query is run over.\r\nlet high_owner_count = (OfficeActivity\r\n | where OfficeWorkload =~ \"MicrosoftTeams\"\r\n | where Operation =~ \"MemberRoleChanged\"\r\n | extend Member = tostring(parse_json(Members)[0].UPN) \r\n | extend NewRole = toint(parse_json(Members)[0].Role) \r\n | where NewRole == 2\r\n | summarize dcount(TeamName) by Member\r\n | where dcount_TeamName > max_owner_count\r\n | project Member);\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where OfficeWorkload =~ \"MicrosoftTeams\"\r\n| where Operation =~ \"MemberRoleChanged\"\r\n| extend Member = tostring(parse_json(Members)[0].UPN) \r\n| extend NewRole = toint(parse_json(Members)[0].Role) \r\n| where NewRole == 2\r\n| where Member in (high_owner_count)\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": null
- }
- ],
- "style": "pills",
- "doNotRunWhenHidden": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "10",
- "name": "Results98",
- "styleSettings": {
- "maxWidth": "0"
- }
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "982af542-16a2-429f-9414-2de706b1daf8",
- "version": "KqlParameterItem/1.0",
- "name": "Results99",
- "type": 1,
- "query": "OfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where UserType in~ (\"Admin\",\"DcAdmin\") \r\n// Only admin or global-admin can disable audit logging\r\n| where Operation =~ \"Set-AdminAuditLogConfig\" \r\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\r\n| where AdminAuditLogEnabledValue =~ \"False\" \r\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": null
- }
- ],
- "style": "pills",
- "doNotRunWhenHidden": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "10",
- "name": "Results99",
- "styleSettings": {
- "maxWidth": "0"
- }
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "c385b319-e2bb-48de-ac7b-2456aa884b60",
- "version": "KqlParameterItem/1.0",
- "name": "Results100",
- "type": 1,
- "query": "//Add Keywords for Emails as needed\r\nlet Keywords = dynamic([\"helpdesk\", \" alert\", \" suspicious\", \"fake\", \"malicious\", \"phishing\", \"spam\", \"do not click\", \"do not open\", \"hijacked\", \"Fatal\"]);\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where Operation =~ \"New-InboxRule\"\r\n| where Parameters has \"Deleted Items\" or Parameters has \"Junk Email\" \r\n| extend Events=todynamic(Parameters)\r\n| parse Events with * \"SubjectContainsWords\" SubjectContainsWords '}'*\r\n| parse Events with * \"BodyContainsWords\" BodyContainsWords '}'*\r\n| parse Events with * \"SubjectOrBodyContainsWords\" SubjectOrBodyContainsWords '}'*\r\n| where SubjectContainsWords has_any (Keywords)\r\n or BodyContainsWords has_any (Keywords)\r\n or SubjectOrBodyContainsWords has_any (Keywords)\r\n| extend ClientIPAddress = case( ClientIP has \".\", tostring(split(ClientIP,\":\")[0]), ClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))), ClientIP )\r\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\r\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\')[-1]))\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": null
- }
- ],
- "style": "pills",
- "doNotRunWhenHidden": true,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "customWidth": "50",
- "name": "Results100"
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Workspace}"
- ],
- "parameters": [
- {
- "id": "776847fb-789e-45e6-a314-7cfed84e4f03",
- "version": "KqlParameterItem/1.0",
- "name": "Results101",
- "type": 1,
- "query": "let opList = OfficeActivity \r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| summarize by Operation\r\n//| where Operation startswith \"Remove-\" or Operation startswith \"Disable-\"\r\n| where Operation has_any (\"Remove\", \"Disable\")\r\n| where Operation contains \"AntiPhish\" or Operation 
contains \"SafeAttachment\" or Operation contains \"SafeLinks\" or Operation contains \"Dlp\" or Operation contains \"Audit\"\r\n| summarize make_set(Operation);\r\nOfficeActivity\r\n// Only admin or global-admin can disable/remove policy\r\n| where RecordType =~ \"ExchangeAdmin\"\r\n| where UserType in~ (\"Admin\",\"DcAdmin\")\r\n// Pass in interesting Operation list\r\n| where Operation in~ (opList)\r\n| extend ClientIPOnly = case( \r\nClientIP has \".\", tostring(split(ClientIP,\":\")[0]), \r\nClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\r\nClientIP\r\n) \r\n| extend Port = case(\r\nClientIP has \".\", (split(ClientIP,\":\")[1]),\r\nClientIP has \"[\", tostring(split(ClientIP,\"]:\")[1]),\r\nClientIP\r\n)\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": null - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "40", - "name": "Results101" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| where Operation contains \"file\"\r\n| extend Path = OfficeObjectId\r\n| summarize count() by UserId, Operation\r\n| sort by count_ desc\r\n| 
limit 100", - "size": 0, - "showAnalytics": true, - "title": "File Activity Actions", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "uninitialized", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 4, - "formatOptions": { - "palette": "blue" - } - }, - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "city_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "state_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - 
"maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results80", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results80", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| where Operation contains \"file\"\r\n| extend Path = OfficeObjectId\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Operation\r\n| render timechart\r\n", - "size": 0, - "showAnalytics": true, - "title": "File Activity Actions over Time", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - 
"formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "city_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "state_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - } - ] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results80", - "comparison": "isEqualTo", - 
"value": "Yes" - }, - "name": "Results80b", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| where Operation contains \"file\"\r\n| summarize count() by UserId, SourceFileName, SourceFileExtension, OfficeObjectId \r\n| sort by count_ desc\r\n| limit 100", - "size": 1, - "showAnalytics": true, - "title": "Most Frequently Accessed Files", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "SourceFileName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "info", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeObjectId", - "formatter": 7, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - }, - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": 
null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "city_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "state_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results80", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results80d", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or 
Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\n//let startTime = {TimeRange:grain}; // Adjust as needed\r\nOfficeActivity\r\n//| where TimeGenerated >= startTime\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| where EventSource == \"SharePoint\" and OfficeWorkload has_any(\"SharePoint\", \"OneDrive\") and Operation has_any (\"FileDownloaded\", \"FileSyncDownloadedFull\", \"FileSyncUploadedFull\", \"FileUploaded\")\r\n| summarize UploadedFiles = count() by bin(TimeGenerated, 1h), UserId\r\n| order by TimeGenerated asc\r\n| render timechart\r\n", - "size": 0, - "title": "File Transfer Activity by User Over Time", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results81", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "query - 47", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| where ExternalAccess == \"True\"\r\n| summarize count() by UserId\r\n| sort by count_ desc\r\n| limit 100", - "size": 0, - "showAnalytics": true, - "title": "File activity by external users", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - 
"resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 4, - "formatOptions": { - "palette": "blue" - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - 
"representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results83", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results83", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let starttime = {TimeRange:grain};\r\nlet endtime = 1d;\r\nlet historicalActivity=\r\n OfficeActivity\r\n | where TimeGenerated between(ago(starttime)..ago(endtime))\r\n | where RecordType == \"ExchangeAdmin\" \r\n | summarize historicalCount=count() by UserId;\r\nlet recentActivity = OfficeActivity\r\n | where UserId in ({UserPrincipalName})\r\n | where TimeGenerated > ago(endtime)\r\n | summarize recentCount=count() by UserId;\r\nrecentActivity\r\n| join kind = leftanti (\r\n historicalActivity\r\n )\r\n on UserId\r\n| project UserId, recentCount\r\n| order by recentCount asc, UserId\r\n| join kind = rightsemi \r\n (OfficeActivity \r\n | where TimeGenerated >= ago(endtime) \r\n | where RecordType == \"ExchangeAdmin\")\r\n on UserId\r\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by RecordType, Operation, UserType, UserId, OriginatingServer, ResultStatus\r\n| sort by count_ desc\r\n| take 100", - "size": 0, - "showAnalytics": true, - "title": "Previously Unseen Exchange Admin Operations (Last 1 Day)", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": 
"Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results85", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results85", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == 
\"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nlet starttime = {TimeRange:grain};\r\nlet endtime = 1d;\r\nlet historicalActivity=\r\n OfficeActivity\r\n | where RecordType == \"SharePointFileOperation\"\r\n | where Operation in (\"FileDownloaded\", \"FileUploaded\")\r\n | where TimeGenerated between(ago(starttime)..ago(endtime))\r\n | summarize historicalCount=count() by ClientIP;\r\nlet recentActivity = OfficeActivity\r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n | where RecordType == \"SharePointFileOperation\"\r\n | where Operation in (\"FileDownloaded\", \"FileUploaded\")\r\n | where TimeGenerated > ago(endtime);\r\nrecentActivity\r\n| join kind= leftanti (\r\n historicalActivity \r\n )\r\n on ClientIP\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| summarize count() by UserId, ClientIP\r\n| sort by count_ desc\r\n| take 100", - "size": 0, - "showAnalytics": true, - "title": "SharePoint File Operations by Users from Previously Unseen IPs", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - 
"thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results86", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results86", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where \"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nlet starttime = {TimeRange:grain};\r\nlet endtime = 1d;\r\nlet historicalActivity=\r\n OfficeActivity\r\n | where RecordType == \"SharePointFileOperation\"\r\n | where Operation in (\"FileDownloaded\", 
\"FileUploaded\")\r\n | where TimeGenerated between(ago(starttime)..ago(endtime))\r\n | summarize historicalCount=count() by UserAgent, RecordType;\r\nlet recentActivity = OfficeActivity\r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n | where RecordType == \"SharePointFileOperation\"\r\n | where Operation in (\"FileDownloaded\", \"FileUploaded\")\r\n | where TimeGenerated > ago(endtime);\r\nrecentActivity\r\n| join kind = leftanti (\r\n historicalActivity \r\n )\r\n on UserAgent, RecordType\r\n| where SourceFileName has_any (PurviewClassifiedFiles)\r\n| summarize count() by UserId, UserAgent, RecordType\r\n| sort by count_ desc\r\n| take 100", - "size": 0, - "showAnalytics": true, - "title": "SharePointFileOperation via Devices with Previously Unseen User Agents", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "tileSettings": { - "titleContent": { - "columnMatch": 
"SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results87", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results87", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "OfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where Operation == \"MailboxLogin\" and Logon_Type != \"Owner\" \r\n| summarize count() by UserId\r\n| sort by count_ desc\r\n| take 100", - "size": 0, - "showAnalytics": true, - "title": "Non-Owner Mailbox Login Activity", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - 
"representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results88", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results88", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "OfficeActivity\r\n| where 
\"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where Operation == \"MailboxLogin\"\r\n| where ClientInfoString == \"Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client\"\r\n| summarize count() by UserId\r\n| sort by count_ desc\r\n| take 100", - "size": 0, - "showAnalytics": true, - "title": "PowerShell or Non-Browser Mailbox Sign-In Activity", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - 
"mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results89", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results89", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "// Adjust this value to change how many Teams should be deleted before including\r\nlet max_delete = 3;\r\nlet deleting_users = (\r\n OfficeActivity\r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n | where OfficeWorkload =~ \"MicrosoftTeams\"\r\n | where Operation =~ \"TeamDeleted\"\r\n | summarize count() by UserId\r\n | where count_ > max_delete\r\n | project UserId);\r\nOfficeActivity\r\n| where OfficeWorkload =~ \"MicrosoftTeams\"\r\n| where Operation =~ \"TeamDeleted\"\r\n| where UserId in (deleting_users)\r\n| summarize count() by UserId\r\n| sort by count_ desc\r\n| take 100", - "size": 0, - "showAnalytics": true, - "title": "Multiple Teams Deleted by a Single User", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } 
- }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results90", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results90", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let PurviewClassifiedFiles = \r\nPurviewDataSensitivityLogs\r\n| where 
\"{Classifications:label}\" == \"All\" or Classification has_any ({Classifications})\r\n| where \"{SensitivityLabels:label}\" == \"All\" or SensitivityLabel has_any ({SensitivityLabels})\r\n| summarize by AssetName;\r\nlet threshold = 1m;\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where OfficeWorkload =~ \"MicrosoftTeams\"\r\n| where Operation == \"MemberAdded\"\r\n| extend TeamName = iff(isempty(TeamName), Members[0].UPN, TeamName)\r\n| project TimeGenerated, UserId, UploaderID=UserId, TeamName\r\n| join (\r\n OfficeActivity\r\n | where RecordType == \"SharePointFileOperation\"\r\n | where SourceRelativeUrl has \"Microsoft Teams Chat Files\"\r\n | where Operation == \"FileUploaded\"\r\n | where SourceFileName has_any (PurviewClassifiedFiles)\r\n | project UserId, UploadTime=TimeGenerated, UploaderID=UserId, FileLocation=OfficeObjectId, FileName=SourceFileName\r\n )\r\n on UploaderID\r\n| where UploadTime > TimeGenerated and UploadTime < TimeGenerated + threshold\r\n| summarize count() by UserId\r\n| sort by count_ desc\r\n| take 100", - "size": 0, - "showAnalytics": true, - "title": "User Added to Team and Immediately Uploads File", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - 
"representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results91", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results91", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let known_ext = dynamic([\"lnk\", \"log\", \"option\", \"config\", \"manifest\", \"partial\"]);\r\nlet excluded_users = dynamic([\"app@sharepoint\"]);\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where RecordType =~ \"SharePointFileOperation\" and isnotempty(SourceFileName)\r\n| where OfficeObjectId has \".exe.\" and 
SourceFileExtension !in~ (known_ext)\r\n| extend Extension = extract(\"[^.]*.[^.]*$\", 0, OfficeObjectId)\r\n| join kind= leftouter ( \r\n OfficeActivity\r\n | where RecordType =~ \"SharePointFileOperation\" and (Operation =~ \"FileDownloaded\" or Operation =~ \"FileAccessed\") \r\n | where SourceFileExtension !in~ (known_ext)\r\n )\r\n on OfficeObjectId \r\n| where UserId1 !in~ (excluded_users)\r\n| extend userBag = pack(UserId1, ClientIP1) \r\n| summarize makeset(UserId1), make_bag(userBag), Start=max(TimeGenerated), End=min(TimeGenerated) by UserId, OfficeObjectId, SourceFileName, Extension \r\n| extend NumberOfUsers = array_length(bag_keys(bag_userBag))\r\n| project UploadTime=Start, Uploader=UserId, FileLocation=OfficeObjectId, FileName=SourceFileName, AccessedBy=bag_userBag, Extension, NumberOfUsers\r\n| extend timestamp = UploadTime, Uploader", - "size": 0, - "showAnalytics": true, - "title": "Executable with Double File Extension and Acces Summary", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": 
null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results92", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results92", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "OfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where OfficeWorkload == \"Exchange\"\r\n| where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\r\n| extend p = parse_json(Parameters)\r\n| extend RuleName = case(\r\n Operation =~ \"Set-TransportRule\", tostring(OfficeObjectId),\r\n Operation =~ \"New-TransportRule\", tostring(p[1].Value),\r\n \"Unknown\"\r\n ) \r\n| mvexpand p\r\n| where (p.Name =~ \"BlindCopyTo\" or p.Name =~ \"RedirectMessageTo\") and isnotempty(p.Value)\r\n| extend RedirectTo = p.Value\r\n| extend ClientIPOnly = case( \r\n ClientIP 
has \".\" and ClientIP has \":\", tostring(split(ClientIP, \":\")[0]), \r\n ClientIP has \".\" and ClientIP has \"-\", tostring(split(ClientIP, \"-\")[0]), \r\n ClientIP has \"[\", tostring(trim_start(@'[[]', tostring(split(ClientIP, \"]\")[0]))),\r\n ClientIP\r\n ) \r\n| extend Port = case(\r\n ClientIP has \".\" and ClientIP has \":\", (split(ClientIP, \":\")[1]),\r\n ClientIP has \".\" and ClientIP has \"-\", (split(ClientIP, \"-\")[1]),\r\n ClientIP has \"[\" and ClientIP has \":\", tostring(split(ClientIP, \"]:\")[1]),\r\n ClientIP has \"[\" and ClientIP has \"-\", tostring(split(ClientIP, \"]-\")[1]),\r\n ClientIP\r\n )\r\n| summarize count() by UserId\r\n| sort by count_ desc\r\n", - "size": 0, - "showAnalytics": true, - "title": "Mail Redirect via Exchange Transport Rules", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 4, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - 
"formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results93", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results93", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "// a threshold can be enabled, see commented line below for PrevSeenCount\r\nlet threshold = 1;\r\n// Reserved FileNames/Extension for Windows\r\nlet Reserved = dynamic(['CON', 'PRN', 'AUX', 'NUL', 'COM1', 'COM2', 'COM3', 'COM4', 'COM5', 'COM6', 'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9']);\r\nlet starttime = {TimeRange:grain};\r\nlet endtime = 1d;\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where TimeGenerated >= ago(endtime)\r\n| where isnotempty(SourceFileExtension)\r\n| where SourceFileName !~ SourceFileExtension\r\n| where SourceFileExtension in~ (Reserved) or SourceFileName in~ (Reserved)\r\n| where UserAgent !has \"Mac OS\" \r\n| project TimeGenerated, 
OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName, SourceFileExtension \r\n| join kind= leftanti (\r\n OfficeActivity\r\n | where TimeGenerated between (ago(starttime)..ago(endtime))\r\n | where isnotempty(SourceFileExtension)\r\n | where SourceFileName !~ SourceFileExtension\r\n | where SourceFileExtension in~ (Reserved) or SourceFileName in~ (Reserved)\r\n | where UserAgent !has \"Mac OS\" \r\n | summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId), SourceFileName = make_set(SourceFileName), PrevSeenCount = count() by SourceFileExtension\r\n // To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\r\n //| where PrevSeenCount > threshold\r\n | mvexpand SourceRelativeUrl, UserId, SourceFileName\r\n | extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId), SourceFileName = tostring(SourceFileName)\r\n )\r\n on SourceFileExtension\r\n| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])\r\n| extend UserIdUserFolderFormat = tolower(replace('@|\\\\.', '_', UserId))\r\n// identify when UserId is not a match to the specific site url personal folder reference\r\n| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true, false) \r\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Operations = make_list(Operation), UserAgents = make_list(UserAgent), \r\n OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\r\n by OfficeWorkload, RecordType, UserType, UserKey, UserId, ClientIP, Site_Url, SourceFileExtension, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder", - "size": 0, - "showAnalytics": true, - "title": "Windows Reserved Filenames Staged on 
Office File Services", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": 
"thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results94", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results94", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "OfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where (Operation contains 'Forward') \r\n or (Parameters contains 'ForwardTo')\r\n| extend parsed=parse_json(Parameters)\r\n| extend fwdingDestination_initial = (iif(Operation =~ \"Set-Mailbox\", tostring(parsed[1].Value), tostring(parsed[2].Value)))\r\n| where isnotempty(fwdingDestination_initial)\r\n| extend fwdingDestination = iff(fwdingDestination_initial has \"smtp\", (split(fwdingDestination_initial, \":\")[1]), fwdingDestination_initial)\r\n| parse fwdingDestination with * '@' ForwardedtoDomain \r\n| parse UserId with *'@' UserDomain\r\n| extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]), '.', tostring(split(UserDomain, '.')[-1])), '.')[0]))\r\n| where ForwardedtoDomain !contains subDomain\r\n| extend Result = iff(ForwardedtoDomain != UserDomain, \"Mailbox rule created to forward to External Domain\", \"Forward rule for Internal domain\")\r\n| extend ClientIPAddress = case(ClientIP has \".\", tostring(split(ClientIP, \":\")[0]), ClientIP has \"[\", tostring(trim_start(@'[[]', tostring(split(ClientIP, \"]\")[0]))), ClientIP)\r\n| extend Port = case(\r\n ClientIP has \".\", (split(ClientIP, \":\")[1]),\r\n ClientIP has \"[\", tostring(split(ClientIP, \"]:\")[1]),\r\n ClientIP\r\n )\r\n| summarize count() by UserId, fwdingDestination, TimeGenerated\r\n| sort by TimeGenerated desc\r\n| limit 100", - "size": 0, - "showAnalytics": true, - "title": "Email Forwarding", - "timeContextFromParameter": "TimeRange", - 
"showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "fwdingDestination", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "warning", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": 
"Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results95", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results95", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "// Adjust this value to change how many teams a user is made owner of before detecting\r\nlet max_owner_count = 3;\r\n// Change this value to adjust how larger timeframe the query is run over.\r\nlet high_owner_count = (OfficeActivity\r\n | where OfficeWorkload =~ \"MicrosoftTeams\"\r\n | where Operation =~ \"MemberRoleChanged\"\r\n | extend Member = tostring(parse_json(Members)[0].UPN) \r\n | extend NewRole = toint(parse_json(Members)[0].Role) \r\n | where NewRole == 2\r\n | summarize dcount(TeamName) by Member\r\n | where dcount_TeamName > max_owner_count\r\n | project Member);\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where OfficeWorkload =~ \"MicrosoftTeams\"\r\n| where Operation =~ \"MemberRoleChanged\"\r\n| extend Member = tostring(parse_json(Members)[0].UPN) \r\n| extend NewRole = toint(parse_json(Members)[0].Role) \r\n| where NewRole == 2\r\n| where Member in (high_owner_count)\r\n| summarize count() by UserId\r\n| sort by count_ desc", - "size": 0, - "showAnalytics": true, - "title": "User Added as Owner of Multiple Teams", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - 
"columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results98", - "comparison": "isEqualTo", - "value": "Yes" - 
}, - "name": "Results98", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "OfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where UserType in~ (\"Admin\",\"DcAdmin\") \r\n// Only admin or global-admin can disable audit logging\r\n| where Operation =~ \"Set-AdminAuditLogConfig\" \r\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\r\n| where AdminAuditLogEnabledValue =~ \"False\" \r\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\r\n| summarize count() by UserId\r\n| sort by count_ desc", - "size": 0, - "showAnalytics": true, - "title": "Exchange Audit Log Disabled", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": 
"resource", - "text": "{0}{1}" - } - ] - } - } - ] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results99", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results99", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "//Add Keywords for Emails as needed\r\nlet Keywords = dynamic([\"helpdesk\", \" alert\", \" suspicious\", \"fake\", \"malicious\", \"phishing\", \"spam\", \"do not click\", \"do not open\", \"hijacked\", \"Fatal\"]);\r\nOfficeActivity\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| where Operation =~ \"New-InboxRule\"\r\n| where Parameters has \"Deleted Items\" or Parameters has \"Junk Email\" \r\n| extend Events=todynamic(Parameters)\r\n| parse Events with * \"SubjectContainsWords\" SubjectContainsWords '}'*\r\n| parse Events with * \"BodyContainsWords\" BodyContainsWords '}'*\r\n| parse Events with * 
\"SubjectOrBodyContainsWords\" SubjectOrBodyContainsWords '}'*\r\n| where SubjectContainsWords has_any (Keywords)\r\n or BodyContainsWords has_any (Keywords)\r\n or SubjectOrBodyContainsWords has_any (Keywords)\r\n| extend ClientIPAddress = case( ClientIP has \".\", tostring(split(ClientIP,\":\")[0]), ClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))), ClientIP )\r\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\r\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\')[-1]))\r\n| summarize count() by UserId\r\n| sort by count_ desc", - "size": 0, - "showAnalytics": true, - "title": "Malicious Inbox Rule: Removing Helpdesk/Security Warning Emails", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ] - }, - 
"tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results100", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results100", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let opList = OfficeActivity \r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| summarize by Operation\r\n//| where Operation startswith \"Remove-\" or Operation startswith \"Disable-\"\r\n| where Operation has_any (\"Remove\", \"Disable\")\r\n| where Operation contains \"AntiPhish\" or Operation contains \"SafeAttachment\" or Operation contains \"SafeLinks\" or Operation contains \"Dlp\" or Operation contains \"Audit\"\r\n| summarize make_set(Operation);\r\nOfficeActivity\r\n// Only admin or global-admin can disable/remove policy\r\n| where RecordType =~ \"ExchangeAdmin\"\r\n| where UserType in~ (\"Admin\",\"DcAdmin\")\r\n// Pass in interesting Operation 
list\r\n| where Operation in~ (opList)\r\n| extend ClientIPOnly = case( \r\nClientIP has \".\", tostring(split(ClientIP,\":\")[0]), \r\nClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\r\nClientIP\r\n) \r\n| extend Port = case(\r\nClientIP has \".\", (split(ClientIP,\":\")[1]),\r\nClientIP has \"[\", tostring(split(ClientIP,\"]:\")[1]),\r\nClientIP\r\n)\r\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\r\n| summarize count() by UserId\r\n| sort by count_ desc", - "size": 0, - "showAnalytics": true, - "title": "Office Policy Tampering", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "redBright" - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - 
"formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results101", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results101", - "styleSettings": { - "maxWidth": "50" - } - } - ] - }, - "conditionalVisibility": { - "parameterName": "isM365ActivityVisible", - "comparison": "isEqualTo", - "value": "true" - }, - "name": "Office Activity Group" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "7afa304d-b448-4d6c-8c54-69e51a7249a9", - "version": "KqlParameterItem/1.0", - "name": "Results46", - "type": 1, - "query": "SigninLogs\r\n| where Location <> \"\"\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - 
"timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results46", - "styleSettings": { - "maxWidth": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "e7de4575-c167-4818-8820-ec17513a02b2", - "version": "KqlParameterItem/1.0", - "name": "Results47", - "type": 1, - "query": "let nonInteractive = AADNonInteractiveUserSignInLogs\r\n| extend LocationDetails = parse_json(LocationDetails)\r\n| extend Status = parse_json(Status);\r\nlet data = \r\nunion SigninLogs,nonInteractive\r\n|extend errorCode = Status.errorCode\r\n|extend SigninStatus = case(errorCode == 0, \"Success\", errorCode == 50058, \"Pending user action\",errorCode == 50140, \"Pending user action\", errorCode == 51006, \"Pending user action\", errorCode == 50059, \"Pending user action\",errorCode == 65001, \"Pending user action\", errorCode == 52004, \"Pending user action\", errorCode == 50055, \"Pending user action\", errorCode == 50144, \"Pending user action\", errorCode == 50072, \"Pending user action\", errorCode == 50074, \"Pending user action\", errorCode == 16000, \"Pending user action\", errorCode == 16001, \"Pending user action\", errorCode == 16003, \"Pending user action\", errorCode == 50127, \"Pending user action\", errorCode == 50125, \"Pending user action\", errorCode == 50129, \"Pending user action\", errorCode == 50143, \"Pending user action\", errorCode == 81010, \"Pending user action\", errorCode == 81014, \"Pending user action\", errorCode == 81012 ,\"Pending user action\", \"Failure\");\r\ndata\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| where IsInteractive == true\r\n| 
summarize Count = count() by SigninStatus\r\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\r\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\r\n on SigninStatus\r\n| project-away SigninStatus1, TimeGenerated\r\n| extend Status = SigninStatus\r\n| union (\r\n data \r\n | summarize Count = count()\r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend SigninStatus = 'All Sign-ins', Status = '*' \r\n)\r\n| where SigninStatus <> \"All Sign-ins\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results47", - "styleSettings": { - "maxWidth": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "e62c1567-e61e-4acd-9731-d6a2c59bf3a0", - "version": "KqlParameterItem/1.0", - "name": "Results48", - "type": 1, - "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| where ResultType == 0 and AppDisplayName != \"\"\r\n| summarize count() 
by AppDisplayName\r\n| join (\r\nSigninLogs\r\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, 4h) by AppDisplayName \r\n) on AppDisplayName\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results48", - "styleSettings": { - "maxWidth": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "48559d4f-7025-4580-b316-2134c07b7ad7", - "version": "KqlParameterItem/1.0", - "name": "Results49", - "type": 1, - "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| where IsInteractive == true\r\n| extend city_ = tostring(LocationDetails.city)\r\n| extend state_ = tostring(LocationDetails.state)\r\n| where state_ <> \"\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results49", - "styleSettings": { - "maxWidth": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", 
- "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "88a39c54-0e1f-4f7f-b7f7-a3e798a26b4e", - "version": "KqlParameterItem/1.0", - "name": "Results51", - "type": 1, - "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results51", - "styleSettings": { - "maxWidth": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "08ed6d78-dbc0-4d10-84da-e37fae50ba4e", - "version": "KqlParameterItem/1.0", - "name": "Results52", - "type": 1, - "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| extend browser_ = tostring(DeviceDetail.browser)\r\n| extend operatingSystem_ = tostring(DeviceDetail.operatingSystem)\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results52", - "styleSettings": { - 
"maxWidth": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "66899fa7-9a59-4fee-882c-3d182a726a49", - "version": "KqlParameterItem/1.0", - "name": "Results53", - "type": 1, - "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n// Forces Log Analytics to recognize that the query should be run over full time range\r\n| extend locationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", \r\n tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]), \";\") \r\n| project TimeGenerated, AppDisplayName, UserPrincipalName, locationString \r\n// Create time series \r\n| make-series dLocationCount = dcount(locationString)\r\n on TimeGenerated\r\n step 1d\r\n by UserPrincipalName, AppDisplayName \r\n// Compute best fit line for each entry \r\n| extend (RSquare, Slope, Variance, RVariance, Interception, LineFit) = series_fit_line(dLocationCount) \r\n// Chart the 3 most interesting lines \r\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\r\n| where UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results53", - "styleSettings": { - "maxWidth": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - 
"{Workspace}" - ], - "parameters": [ - { - "id": "82dfffd6-7e78-4412-a69b-5d3d096a4e94", - "version": "KqlParameterItem/1.0", - "name": "Results54", - "type": 1, - "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n// 50126 - Invalid username or password, or invalid on-premises username or password.\r\n// 50020? - The user doesn't exist in the tenant.\r\n| where ResultType in (\"50126\", \"50020\")\r\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\r\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\r\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\r\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddresses = makeset(IPAddress), DistinctIPCount = dcount(IPAddress), \r\n makeset(OS), makeset(Browser), makeset(City), AttemptCount = count() \r\n by UserDisplayName, UserPrincipalName, AppDisplayName, ResultType, ResultDescription, StatusCode, StatusDetails, Location, State\r\n| where UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results54", - "styleSettings": { - "maxWidth": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "3b974333-5ea4-4a64-9067-0d206e3d91fd", - "version": "KqlParameterItem/1.0", - "name": 
"Results55", - "type": 1, - "query": "let failureCountThreshold = 5;\r\nlet successCountThreshold = 1;\r\nlet authenticationWindow = 20m;\r\nlet aadFunc = (tableName: string) {\r\n table(tableName)\r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n | extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\r\n | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\r\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\r\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\r\n // Split out failure versus non-failure types\r\n | extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\r\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\r\n make_set(State), make_set(Region), make_set(ResultType), FailureCount = countif(FailureOrSuccess == \"Failure\"), SuccessCount = countif(FailureOrSuccess == \"Success\") \r\n by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\r\n | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\r\n | mvexpand IPAddress\r\n | extend IPAddress = tostring(IPAddress)\r\n };\r\nlet aadSignin = aadFunc(\"SigninLogs\");\r\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\r\nunion isfuzzy=true aadSignin, aadNonInt\r\n| where UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - 
"timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results55", - "styleSettings": { - "maxWidth": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "6ae59cc4-9e9a-4392-b946-89e77025f3b3", - "version": "KqlParameterItem/1.0", - "name": "Results56", - "type": 1, - "query": "let timeFrame = {TimeRange:grain};\r\nlet logonDiff = 1m;\r\nlet Success = SigninLogs \r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n | where TimeGenerated >= timeFrame \r\n | where ResultType == \"0\" \r\n | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\", \"Office 365 SharePoint Online\")\r\n | project SuccessLogonTime = TimeGenerated, UserPrincipalName, IPAddress, SuccessAppDisplayName = AppDisplayName;\r\nlet Fail = SigninLogs \r\n | where TimeGenerated >= timeFrame \r\n | where ResultType !in (\"0\", \"50140\") \r\n | where ResultDescription !~ \"Other\" \r\n | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\", \"Office 365 SharePoint Online\")\r\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, IPAddress, FailedAppDisplayName = AppDisplayName, ResultType, ResultDescription;\r\nlet InitialDataSet = \r\n Success\r\n | join kind= inner (\r\n Fail\r\n )\r\n on UserPrincipalName, IPAddress \r\n | where isnotempty(FailedAppDisplayName)\r\n | where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and SuccessAppDisplayName != FailedAppDisplayName;\r\nlet InitialHits = \r\n InitialDataSet\r\n | summarize FailedLogonTime = min(FailedLogonTime), SuccessLogonTime = 
min(SuccessLogonTime) \r\n by UserPrincipalName, SuccessAppDisplayName, FailedAppDisplayName, IPAddress, ResultType, ResultDescription;\r\n// Only take hits where there is 5 or less distinct AppDisplayNames on the success side as this limits highly active applications where failures occur more regularly\r\nlet Distribution =\r\n InitialDataSet\r\n | summarize count(SuccessAppDisplayName) by SuccessAppDisplayName, ResultType\r\n | where count_SuccessAppDisplayName <= 5;\r\nInitialHits\r\n| join (\r\n Distribution \r\n )\r\n on SuccessAppDisplayName, ResultType\r\n| project UserPrincipalName, SuccessLogonTime, IPAddress, SuccessAppDisplayName, FailedLogonTime, FailedAppDisplayName, ResultType, ResultDescription \r\n| where UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "0", - "name": "Results56", - "styleSettings": { - "maxWidth": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "b297d67a-c87f-469d-b50a-df226179f729", - "version": "KqlParameterItem/1.0", - "name": "Results57", - "type": 1, - "query": "let signIns = SigninLogs\r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n | extend locationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\",\r\n tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]))\r\n | where locationString != \"//\" \r\n // filter 
out signins associated with top 100 signin locations \r\n | join kind=anti (\r\n SigninLogs\r\n | extend locationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", \r\n tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]))\r\n | where locationString != \"//\"\r\n | summarize count() by locationString\r\n | order by count_ desc\r\n | take 100)\r\n on locationString; // TODO - make this threshold percentage-based\r\n// We will perform a time window join to identify signins from multiple locations within a 10-minute period\r\nlet lookupWindow = 10m;\r\nlet lookupBin = lookupWindow / 2.0; // lookup bin = equal to 1/2 of the lookup window\r\nsignIns \r\n| project-rename Start=TimeGenerated \r\n| extend TimeKey = bin(Start, lookupBin)\r\n| join kind = inner (\r\n signIns \r\n | project-rename End=TimeGenerated, EndLocationString=locationString \r\n // TimeKey on the right side of the join - emulates this authentication appearing several times\r\n | extend TimeKey = range(bin(End - lookupWindow, lookupBin),\r\n bin(End, lookupBin), lookupBin)\r\n | mvexpand TimeKey to typeof(datetime) // translate TimeKey arrange range to a column\r\n )\r\n on Identity, TimeKey\r\n| where End > Start\r\n| project timeSpan = End - Start, Identity, locationString, EndLocationString, tostring(Start), tostring(End), UserPrincipalName\r\n| where locationString != EndLocationString\r\n| summarize by timeSpan, Identity, locationString, EndLocationString, Start, End, UserPrincipalName\r\n| where UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - 
"queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results57", - "styleSettings": { - "maxWidth": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "909d0019-23cb-43ad-8285-9f1dca1cd1be", - "version": "KqlParameterItem/1.0", - "name": "Results58", - "type": 1, - "query": "let IP_Data = (externaldata(network: string)\r\n [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/VPS_Networks.csv\"] with (format=\"csv\"));\r\nSigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| where ResultType == 0\r\n| extend additionalDetails = tostring(Status.additionalDetails)\r\n| evaluate ipv4_lookup(IP_Data, IPAddress, network, return_unmatched = false)\r\n| summarize make_set(additionalDetails), min(TimeGenerated), max(TimeGenerated) by IPAddress, UserPrincipalName\r\n// Uncomment the remaining lines to only see logons from VPS providers with token only logons.\r\n//| where array_length(set_additionalDetails) == 2\r\n//| where (set_additionalDetails[1] == \"MFA requirement satisfied by claim in the token\" and set_additionalDetails[0] == \"MFA requirement satisfied by claim provided by external provider\") or (set_additionalDetails[0] == \"MFA requirement satisfied by claim in the token\" and set_additionalDetails[1] == \"MFA requirement satisfied by claim provided by external provider\")\r\n| where UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - 
"style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "20", - "name": "Results58", - "styleSettings": { - "maxWidth": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "d345cda2-03ae-4e98-a859-60e04b4f3750", - "version": "KqlParameterItem/1.0", - "name": "blankspace", - "type": 1, - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - } - } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "50", - "name": "parameters - 27" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "# [Sign-Ins (Entra ID)](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins)\n---\n\nThis section provides visibility into **user authentication events and access patterns**, supporting GDPR requirements for **integrity and confidentiality of personal data (Art. 5(1)(f))** and **security of processing (Art. 32)**. Monitoring sign-ins helps ensure that only authorized individuals access systems processing personal data, and that suspicious authentication activity is detected quickly. 
\n\nKey objectives of this section: \n- Track **sign-ins by geolocation and over time** to spot unusual or high-risk access locations \n- Monitor **failed sign-in attempts and brute-force activity** to identify potential account compromise \n- Detect **anomalous patterns** such as cross-application anomalies, sign-in bursts, or VPN-based logins \n- Review **application and client usage trends** to confirm that personal data is accessed only through approved channels \n- Provide auditors with evidence of **access control enforcement and monitoring** \n\nBy analyzing these metrics, analysts can verify that **access to personal data is properly secured**, and that the enterprise maintains the ability to **detect, investigate, and remediate suspicious sign-in activity** in line with GDPR obligations.\n\n\n\n" - }, - "name": "text - 2" - } - ] - }, - "customWidth": "40", - "name": "group - 32" - }, - { - "type": 1, - "content": { - "json": "" - }, - "customWidth": "10", - "name": "text - 29" - }, - { - "type": 1, - "content": { - "json": "| Sign-Ins (Entra ID) | - | - |\r\n|:--| :--| :--| \r\n| Sign-Ins by Geolocation | Authentication Details | Sign-In Locations Over Time |\r\n| Sign-Ins Count By Application Name | Applications Access Count By Users | Client Application Count by Users |\r\n| Anomalous Sign-in & App Access | Entra ID Failed Sign-in Attempts | Entra ID Brute Force Sign-in Attempts |\r\n|Cross-App Sign-in Anomaly (Success then Failure) | Sign-In Burst From Multiple Locations | Sign-in From VPN |\r\n\r\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range and User. Only panels with data are shown." 
- }, - "customWidth": "40", - "name": "SI OV" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "SigninLogs\r\n| where Location <> \"\"\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\r\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\r\n| extend city_ = tostring(LocationDetails.city)\r\n| project latitude_,longitude_,city_", - "size": 3, - "showAnalytics": true, - "title": "Sign-Ins by Geolocation", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "map", - "mapSettings": { - "locInfo": "LatLong", - "locInfoColumn": "Location", - "latitude": "latitude_", - "longitude": "longitude_", - "sizeSettings": "city_", - "sizeAggregation": "Count", - "labelSettings": "city_", - "legendMetric": "city_", - "numberOfMetrics": 100, - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "state_", - "colorAggregation": "Count", - "type": "heatmap", - "heatmapPalette": "coldHot" - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results46", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results46" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let nonInteractive = AADNonInteractiveUserSignInLogs\r\n| extend LocationDetails = parse_json(LocationDetails)\r\n| extend Status = parse_json(Status);\r\nlet data = \r\nunion SigninLogs,nonInteractive\r\n|extend errorCode = toint(Status.errorCode)\r\n| extend SigninStatus = case(\r\n errorCode == 0, \"Success\",\r\n errorCode in (50055,50058,50072,50074,50125,50127,50129,50140,50143,50144,51006,52004,65001,16000,16001,16003,81010,81012,81014), \"Pending 
user action\",\r\n \"Failure\"\r\n);\r\ndata\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| where IsInteractive == true\r\n| summarize Count = count() by SigninStatus\r\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\r\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\r\n on SigninStatus\r\n| project-away SigninStatus1, TimeGenerated\r\n| extend Status = SigninStatus\r\n| union (\r\n data \r\n | summarize Count = count()\r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend SigninStatus = 'All Sign-ins', Status = '*' \r\n)\r\n| where SigninStatus <> \"All Sign-ins\"\r\n", - "size": 0, - "showAnalytics": true, - "title": "Authentication Details", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "tiles", - "gridSettings": { - "formatters": [ - { - "columnMatch": "User", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "info", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Activities", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - } - ] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - 
"formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "LatLong", - "locInfoColumn": "Location", - "latitude": "latitude_", - "longitude": "longitude_", - "sizeSettings": "city_", - "sizeAggregation": "Count", - "labelSettings": "city_", - "legendMetric": "city_", - "numberOfMetrics": 100, - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "state_", - "colorAggregation": "Count", - "type": "heatmap", - "heatmapPalette": "coldHot" - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results47", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results47" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| where IsInteractive == true\r\n| extend city_ = tostring(LocationDetails.city)\r\n| extend state_ = tostring(LocationDetails.state)\r\n| where state_ <> \"\"\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by state_\r\n| render timechart", - "size": 0, - "showAnalytics": true, - "title": "Sign-In Locations Over Time", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] 
- } - }, - { - "columnMatch": "city_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "state_", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - } - ] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "SigninStatus", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "blue" - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "green" - } - }, - "showBorder": false - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "conditionalVisibility": { - "parameterName": "Results49", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results49" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| where ResultType == 0 and AppDisplayName != \"\"\r\n| 
summarize count() by AppDisplayName\r\n| join (\r\nSigninLogs\r\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, 4h) by AppDisplayName \r\n) on AppDisplayName\r\n| top 10 by count_ desc", - "size": 4, - "showAnalytics": true, - "title": "Sign-Ins Count By Application Name", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "visualization": "tiles", - "gridSettings": { - "formatters": [ - { - "columnMatch": "User", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "info", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Activities", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - } - ] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "AppDisplayName", - "formatter": 1, - "formatOptions": { - "showIcon": true - } - }, - "leftContent": { - "columnMatch": "count_", - "formatter": 12, - "formatOptions": { - "palette": "auto", - "showIcon": true - }, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } - } - }, - "secondaryContent": { - "columnMatch": "TrendList", - "formatter": 9, - "formatOptions": { - "showIcon": true - } - }, - "showBorder": false - }, - "graphSettings": { - "type": 0, - "topContent": { - "columnMatch": "AppDisplayName", - "formatter": 1 - }, - "centerContent": { - "columnMatch": "count_", - "formatter": 1, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } - } - } - }, - "mapSettings": { - "locInfo": "LatLong", - "locInfoColumn": "Location", - "latitude": "latitude_", - "longitude": "longitude_", - "sizeSettings": "city_", - "sizeAggregation": "Count", - "labelSettings": 
"city_", - "legendMetric": "city_", - "numberOfMetrics": 100, - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "state_", - "colorAggregation": "Count", - "type": "heatmap", - "heatmapPalette": "coldHot" - } - } - }, - "conditionalVisibility": { - "parameterName": "Results48", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results48" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| summarize Count=count() by UserPrincipalName, AppDisplayName\r\n| sort by Count desc\r\n| limit 250", - "size": 0, - "showAnalytics": true, - "title": "Applications Access Count By Users", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "AppDisplayName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "trendup", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - }, - { - "columnMatch": "IPAddress", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "uninitialized", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": 
"SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results51", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results51", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| extend Browser = tostring(DeviceDetail.browser)\r\n| extend OperatingSystem = tostring(DeviceDetail.operatingSystem)\r\n| summarize Count=count() by UserPrincipalName, Browser, OperatingSystem\r\n| sort by Count desc\r\n| limit 250\r\n\r\n", - "size": 0, - "showAnalytics": true, - "title": "Client Application Count by Users", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - }, - { - "columnMatch": "UserAgent", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "1", - "text": "{0}{1}" - } - ] - } - }, - { - 
"columnMatch": "ClientAppUsed", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "trenddown", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "AppDisplayName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "trendup", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "IPAddress", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "uninitialized", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results52", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results52", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n// Forces Log Analytics to recognize that the query should be run over full time range\r\n| extend locationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", \r\n tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]), \";\") \r\n| project TimeGenerated, 
AppDisplayName, UserPrincipalName, locationString \r\n// Create time series \r\n| make-series dLocationCount = dcount(locationString)\r\n on TimeGenerated\r\n step 1d\r\n by UserPrincipalName, AppDisplayName \r\n// Compute best fit line for each entry \r\n| extend (RSquare, Slope, Variance, RVariance, Interception, LineFit) = series_fit_line(dLocationCount) \r\n// Filter for truly anomalous patterns:\r\n// - abs(Slope) > 0.5 → exclude stable users; keeps those with growing/shrinking location diversity\r\n// - Variance > 2 → exclude trivial fluctuations; ensures location counts are inconsistent\r\n// - RSquare > 0.5 → exclude poor fits; ensures the slope represents a real trend, not random noise\r\n| where abs(Slope) > 0.5 and Variance > 2 and RSquare > 0.5\r\n| project UserPrincipalName, AppDisplayName, Slope, Variance, RSquare\r\n| order by abs(Slope) desc\r\n| limit 50", - "size": 0, - "showAnalytics": true, - "title": "Anomalous Sign-in Location by User Account and Authenticating Application", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - 
"operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results53", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results53", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "SigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n// 50126 - Invalid username or password, or invalid on-premises username or password.\r\n// 50020 - The user doesn't exist in the tenant.\r\n// 50076 → MFA required but not satisfied\r\n// 50053 → Account locked due to repeated sign-in attempts\r\n| where ResultType in (\"50126\", \"50020\", \"50076\", \"50053\")\r\n| summarize Count=count() by UserPrincipalName, AppDisplayName\r\n| sort by Count desc\r\n| limit 250", - "size": 0, - "showAnalytics": true, - "title": "Entra ID Failed Sign-in Attempts", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - 
"{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results54", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results54", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let 
failureCountThreshold = 5;\r\nlet successCountThreshold = 1;\r\nlet authenticationWindow = 20m;\r\nlet aadFunc = (tableName: string) {\r\n table(tableName)\r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n | extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\r\n | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\r\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\r\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\r\n // Split out failure versus non-failure types\r\n | extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\"), \"Success\", \"Failure\")\r\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\r\n make_set(State), make_set(Region), make_set(ResultType), FailureCount = countif(FailureOrSuccess == \"Failure\"), SuccessCount = countif(FailureOrSuccess == \"Success\") \r\n by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\r\n | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\r\n | mvexpand IPAddress\r\n | extend IPAddress = tostring(IPAddress)\r\n };\r\nlet aadSignin = aadFunc(\"SigninLogs\");\r\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\r\nunion isfuzzy=true aadSignin, aadNonInt\r\n| summarize AttemptWindows = count(), TotalFailures = sum(FailureCount), TotalSuccesses = sum(SuccessCount) by UserPrincipalName, AppDisplayName\r\n| order by AttemptWindows desc\r\n| limit 250", - "size": 0, - "showAnalytics": true, - "title": "Entra ID Brute Force Sign-in Attempts", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": 
true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results55", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results55", - 
"styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let timeFrame = {TimeRange:grain};\r\nlet logonDiff = 1m;\r\nlet Success = SigninLogs \r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n | where TimeGenerated >= timeFrame \r\n | where ResultType == \"0\" \r\n | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\", \"Office 365 SharePoint Online\")\r\n | project SuccessLogonTime = TimeGenerated, UserPrincipalName, IPAddress, SuccessAppDisplayName = AppDisplayName;\r\nlet Fail = SigninLogs \r\n | where TimeGenerated >= timeFrame \r\n | where ResultType !in (\"0\", \"50140\") \r\n | where ResultDescription !~ \"Other\" \r\n | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\", \"Office 365 SharePoint Online\")\r\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, IPAddress, FailedAppDisplayName = AppDisplayName, ResultType, ResultDescription;\r\nlet InitialDataSet = \r\n Success\r\n | join kind= inner (\r\n Fail\r\n )\r\n on UserPrincipalName, IPAddress \r\n | where isnotempty(FailedAppDisplayName)\r\n | where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and SuccessAppDisplayName != FailedAppDisplayName;\r\nlet InitialHits = \r\n InitialDataSet\r\n | summarize FailedLogonTime = min(FailedLogonTime), SuccessLogonTime = min(SuccessLogonTime) \r\n by UserPrincipalName, SuccessAppDisplayName, FailedAppDisplayName, IPAddress, ResultType, ResultDescription;\r\n// Only take hits where there is 5 or less distinct AppDisplayNames on the success side as this limits highly active applications where failures occur more regularly\r\nlet Distribution =\r\n InitialDataSet\r\n | summarize count(SuccessAppDisplayName) by SuccessAppDisplayName, ResultType\r\n | where count_SuccessAppDisplayName <= 5;\r\nInitialHits\r\n| join (\r\n 
Distribution \r\n )\r\n on SuccessAppDisplayName, ResultType\r\n| project UserPrincipalName, SuccessLogonTime, IPAddress, SuccessAppDisplayName, FailedLogonTime, FailedAppDisplayName, ResultType, ResultDescription \r\n| where UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName, SuccessAppDisplayName, FailedAppDisplayName\r\n| sort by count_ desc\r\n| limit 250\r\n", - "size": 0, - "showAnalytics": true, - "title": "Cross-App Sign-in Anomaly (Success then Failure)", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "SuccessAppDisplayName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "success", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "FailedAppDisplayName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "failed", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - 
"thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results56", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results56", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let signIns = SigninLogs\r\n | where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n | extend locationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\",\r\n tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]))\r\n | where locationString != \"//\" \r\n // filter out signins associated with top 100 signin locations \r\n | join kind=anti (\r\n SigninLogs\r\n | extend locationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", \r\n tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]))\r\n | where locationString != \"//\"\r\n | summarize count() by locationString\r\n | order by count_ desc\r\n | take 100)\r\n on locationString; // TODO - make this 
threshold percentage-based\r\n// We will perform a time window join to identify signins from multiple locations within a 10-minute period\r\nlet lookupWindow = 10m;\r\nlet lookupBin = lookupWindow / 2.0; // lookup bin = equal to 1/2 of the lookup window\r\nsignIns \r\n| project-rename Start=TimeGenerated \r\n| extend TimeKey = bin(Start, lookupBin)\r\n| join kind = inner (\r\n signIns \r\n | project-rename End=TimeGenerated, EndLocationString=locationString \r\n // TimeKey on the right side of the join - emulates this authentication appearing several times\r\n | extend TimeKey = range(bin(End - lookupWindow, lookupBin),\r\n bin(End, lookupBin), lookupBin)\r\n | mvexpand TimeKey to typeof(datetime) // translate TimeKey arrange range to a column\r\n )\r\n on Identity, TimeKey\r\n| where End > Start\r\n| project timeSpan = End - Start, Identity, locationString, EndLocationString, tostring(Start), tostring(End), UserPrincipalName\r\n| where locationString != EndLocationString\r\n| summarize by timeSpan, Identity, locationString, EndLocationString, Start, End, UserPrincipalName\r\n| where UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName, locationString, EndLocationString\r\n| sort by count_ desc\r\n| limit 250\r\n", - "size": 0, - "showAnalytics": true, - "title": "Sign-In Burst From Multiple Locations", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "UserId", - 
"formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results57", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results57", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let IP_Data = (externaldata(network: string)\r\n [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/VPS_Networks.csv\"] with (format=\"csv\"));\r\nSigninLogs\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| where ResultType == 0\r\n| extend additionalDetails = tostring(Status.additionalDetails)\r\n| evaluate ipv4_lookup(IP_Data, IPAddress, network, return_unmatched = 
false)\r\n| summarize count() by UserPrincipalName, AppDisplayName, network\r\n| sort by count_ desc\r\n| limit 250", - "size": 0, - "showAnalytics": true, - "title": "Sign-Ins From VPNs", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - }, - "mapSettings": { - "locInfo": "CountryRegion", - "locInfoColumn": "Location", - "latitude": "SourceIPLocation", - "longitude": "SourceIPLocation", - "sizeSettings": "Location", - "sizeAggregation": "Count", - "legendMetric": "Location", - "legendAggregation": "Count", - "itemColorSettings": { - "nodeColorField": "Location", - "colorAggregation": "Count", - "type": "thresholds", - "thresholdsGrid": [ - { - "operator": 
"Default", - "thresholdValue": null, - "representation": "blueDark" - } - ] - } - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results58", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results58", - "styleSettings": { - "maxWidth": "50" - } - } - ] - }, - "conditionalVisibility": { - "parameterName": "isSignInsVisible", - "comparison": "isEqualTo", - "value": "true" - }, - "name": "Sign-Ins" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "658caef7-b6e6-4d04-92be-b7ff5cc8910e", - "version": "KqlParameterItem/1.0", - "name": "Results103", - "type": 1, - "query": "let action = dynamic([\"change \", \"changed \", \"reset \"]);\r\nlet pWord = dynamic([\"password \", \"credentials \"]);\r\n(union isfuzzy=true\r\n (SecurityEvent\r\n | where EventID in (4723, 4724)\r\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(Activity), ActionCount = count() by Resource = Computer, OperationName = strcat(\"TargetAccount: \", TargetUserName), UserId = Account, Type\r\n ),\r\n (AuditLogs\r\n | where OperationName has_any (pWord) and OperationName has_any (action)\r\n | extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) \r\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName) \r\n | where ResultDescription != \"None\" \r\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by OperationName = strcat(Category, \" - \", OperationName, \" - \", Result), Resource, UserId = TargetUserPrincipalName, Type\r\n | extend ResultDescriptions = 
tostring(ResultDescriptions)\r\n ),\r\n (OfficeActivity\r\n | where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\r\n | extend ResultDescriptions = case(\r\n OfficeWorkload =~ \"AzureActiveDirectory\", tostring(ExtendedProperties),\r\n OfficeWorkload has_any (\"Exchange\", \"OneDrive\"), OfficeObjectId,\r\n RecordType) \r\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescriptions), ActionCount = count() by Resource = OfficeWorkload, OperationName = strcat(Operation, \" - \", ResultStatus), IPAddress = ClientIP, UserId, Type\r\n ),\r\n (Syslog\r\n | where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\r\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(SyslogMessage), ActionCount = count() by Resource = HostName, OperationName = Facility, IPAddress = HostIP, ProcessName, Type\r\n ),\r\n (SigninLogs\r\n | where OperationName =~ \"Sign-in activity\" and ResultType has_any (\"50125\", \"50133\")\r\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, \" - \", ResultType), IPAddress, UserId = UserPrincipalName, Type\r\n )\r\n)\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - 
"queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "0", - "name": "Results103", - "styleSettings": { - "maxWidth": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "e3a0cfd9-ab9d-479d-b355-f3db4d09b084", - "version": "KqlParameterItem/1.0", - "name": "Results104", - "type": 1, - "query": "// Extend this list with items to search for\r\nlet keywords = dynamic([\"password\", \"pwd\", \"creds\", \"credentials\", \"secret\"]);\r\n// To exclude key phrases or tables to exclude add to these lists\r\nlet table_exclusions = dynamic([\"AuditLogs\", \"SigninLogs\", \"LAQueryLogs\", \"SecurityEvent\"]);\r\nlet keyword_exclusion = dynamic([\"reset user password\", \"change user password\"]);\r\nLAQueryLogs\r\n| where RequestClientApp != 'Sentinel-General'\r\n| extend querytext_lower = tolower(QueryText)\r\n| where querytext_lower has_any(keywords)\r\n| project TimeGenerated, AADEmail, QueryText, RequestClientApp, RequestTarget, ResponseCode, ResponseRowCount, ResponseDurationMs, CorrelationId\r\n| extend timestamp = TimeGenerated, UserPrincipalName = AADEmail\r\n| join kind=leftanti (LAQueryLogs\r\n | where RequestClientApp != 'Sentinel-General'\r\n | extend querytext_lower = tolower(QueryText)\r\n | where QueryText has_any(table_exclusions) or querytext_lower has_any(keyword_exclusion))\r\n on CorrelationId\r\n | where UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": 
"microsoft.operationalinsights/workspaces" - }, - "customWidth": "0", - "name": "Results104", - "styleSettings": { - "maxWidth": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "4d0cfde6-5b30-4824-97bb-37487f260b0b", - "version": "KqlParameterItem/1.0", - "name": "Results105", - "type": 1, - "query": "let recentWindow = 1d; // Accounts that logged in recently\r\nlet historyWindow = 30d; // Look back period for prior logins\r\nlet newAccountWindow = 7d; // Exclude accounts created in last 7 days\r\n// Step 1: Recent successful logins\r\nlet recentLogins = SigninLogs\r\n| where TimeGenerated >= ago(recentWindow)\r\n| where ResultType == 0\r\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), loginCountRecent = count() \r\n by UserPrincipalName, Identity;\r\n// Step 2: Exclude accounts that had successful logins in the historical period\r\nlet historicalLogins = SigninLogs\r\n| where TimeGenerated between (ago(historyWindow) .. 
ago(recentWindow))\r\n| where ResultType == 0\r\n| summarize by UserPrincipalName, Identity;\r\nlet dormantLogins = recentLogins\r\n| join kind=leftanti (historicalLogins) on UserPrincipalName;\r\n// Step 3: Exclude newly created accounts\r\nlet newAccounts = AuditLogs\r\n| where TimeGenerated >= ago(newAccountWindow)\r\n| where OperationName == \"Add user\"\r\n| extend NewUserPrincipalName = tolower(extractjson(\"$.userPrincipalName\", tostring(TargetResources[0]), typeof(string)));\r\ndormantLogins\r\n| join kind=leftanti (newAccounts) on $left.UserPrincipalName == $right.NewUserPrincipalName\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "0", - "name": "Results105", - "styleSettings": { - "maxWidth": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "4f1e1636-66f4-42ab-ba63-f0046df90e09", - "version": "KqlParameterItem/1.0", - "name": "Results107", - "type": 1, - "query": "let current = 1d;\r\nlet auditLookback = {TimeRange:grain};\r\nlet propertyIgnoreList = dynamic([\"TargetId.UserType\", \"StsRefreshTokensValidFrom\", \"LastDirSyncTime\", \"DeviceOSVersion\", \"CloudDeviceOSVersion\", \"DeviceObjectVersion\"]);\r\nlet AuditTrail = AuditLogs\r\n | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\r\n | where 
isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\r\n | extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n | extend InitiatedByIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\r\n | extend ModProps = TargetResources.[0].modifiedProperties\r\n | extend TargetUserPrincipalName = tolower(tostring(TargetResources.[0].userPrincipalName))\r\n | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\r\n | mv-expand ModProps\r\n | extend PropertyName = tostring(ModProps.displayName), newValue = tostring(parse_json(tostring(ModProps.newValue))[0])\r\n | where PropertyName !in~ (propertyIgnoreList) and (PropertyName !~ \"Action Client Name\" and newValue !~ \"DirectorySync\") and (PropertyName !~ \"Included Updated Properties\" and newValue !~ \"LastDirSyncTime\")\r\n | summarize count() by OperationName, InitiatedByUser, InitiatedByIPAddress, TargetUserPrincipalName, PropertyName, TargetResourceName;\r\nlet AccountMods = AuditLogs \r\n | where TimeGenerated >= ago(current)\r\n | where isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\r\n | extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n | extend InitiatedByIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\r\n | extend ModProps = TargetResources.[0].modifiedProperties\r\n | extend TargetUserPrincipalName = tolower(tostring(TargetResources.[0].userPrincipalName))\r\n | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\r\n | mv-expand ModProps\r\n | extend PropertyName = tostring(ModProps.displayName), newValue = tostring(parse_json(tostring(ModProps.newValue))[0])\r\n | where PropertyName !in~ (propertyIgnoreList) and (PropertyName !~ \"Action Client Name\" and newValue !~ \"DirectorySync\") and (PropertyName !~ \"Included Updated Properties\" and newValue !~ \"LastDirSyncTime\")\r\n 
| extend ModifiedProps = pack(\"PropertyName\", PropertyName, \"newValue\", newValue, \"Id\", Id, \"CorrelationId\", CorrelationId) \r\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Activity = make_bag(ModifiedProps) by Type, InitiatedByUser, InitiatedByIPAddress, TargetUserPrincipalName, Category, OperationName, PropertyName, TargetResourceName;\r\nlet RareAudits = AccountMods\r\n | join kind= leftanti (\r\n AuditTrail \r\n )\r\n on OperationName, InitiatedByUser, InitiatedByIPAddress;//, TargetUserPrincipalName, PropertyName; //uncomment if you want to see Rare Property changes to a given TargetUserPrincipalName.\r\nRareAudits \r\n| summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), make_set(Activity), make_set(PropertyName) by Type, InitiatedByUser, InitiatedByIPAddress, OperationName, TargetUserPrincipalName, TargetResourceName\r\n| extend timestamp = StartTime, UserPrincipalName = InitiatedByUser, HostName = iff(set_PropertyName has_any ('DeviceOSType', 'CloudDeviceOSType'), TargetResourceName, '')\r\n| where UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "0", - "name": "Results107", - "styleSettings": { - "maxWidth": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "75c81ac6-d658-48ee-85b0-8bce3559128a", - "version": "KqlParameterItem/1.0", - "name": "Results108", - "type": 1, - "query": 
"let auditLookback = {TimeRange:grain};\r\n// Setting threshold to 3 as a default, change as needed. Any operation that has been initiated by a user or app more than 3 times in the past 30 days will be exluded\r\nlet threshold = 3;\r\n// Helper function to extract relevant fields from AuditLog events\r\nlet auditLogEvents = view (startTimeSpan: timespan) {\r\n AuditLogs\r\n | where TimeGenerated >= ago(auditLookback)\r\n | extend ModProps = TargetResources.[0].modifiedProperties\r\n | extend IpAddress = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)), \r\n tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))\r\n | extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \r\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\r\n | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\r\n | mvexpand ModProps\r\n | extend PropertyName = tostring(ModProps.displayName), newValue = replace('\\\"', \"\", tostring(ModProps.newValue));\r\n};\r\n// Get just the InitiatedBy and CorrleationId so we can look at associated audit activity\r\n// 2 other operations that can be part of malicious activity in this situation are \r\n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", replace the below if you are interested in those as starting points for OperationName\r\nlet HistoricalConsent = auditLogEvents(auditLookback) \r\n | where OperationName == \"Consent to application\"\r\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() \r\n by Type, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, PropertyName, newValue, CorrelationId, Id\r\n// Remove comment below to only include operations initiated by a user or app that is above the threshold for the last 30 
days\r\n//| where OperationCount > threshold\r\n;\r\nlet Correlate = HistoricalConsent \r\n | summarize by InitiatedBy, CorrelationId;\r\n// 2 other operations that can be part of malicious activity in this situation are \r\n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", replace the below if you changed the starting OperationName above\r\nlet allOtherEvents = auditLogEvents(auditLookback) \r\n | where OperationName != \"Consent to application\";\r\n// Gather associated activity based on audit activity for \"Consent to application\" and InitiatedBy and CorrleationId\r\nlet CorrelatedEvents = Correlate \r\n | join allOtherEvents on InitiatedBy, CorrelationId\r\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \r\n by Type, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, PropertyName, newValue, CorrelationId, Id\r\n;\r\n// Union the results\r\nlet Results = union isfuzzy=true HistoricalConsent, CorrelatedEvents;\r\n// newValues that are simple semi-colon separated, make those dynamic for easy viewing and Aggregate into the PropertyUpdate set based on CorrelationId and Id(DirectoryId)\r\nResults\r\n| extend newValue = split(newValue, \";\")\r\n| extend PropertyUpdate = pack(PropertyName, newValue, \"Id\", Id)\r\n// Extract scope requested\r\n| extend perms = tostring(parse_json(tostring(PropertyUpdate.[\"ConsentAction.Permissions\"]))[0])\r\n| extend scope = extract('Scope:\\\\s*([^,\\\\]]*)', 1, perms)\r\n// Filter out some common openid, and low privilege request scopes - uncomment line below to filter out where no scope is requested\r\n//| where isnotempty(scope)\r\n| where scope !contains 'openid' and scope !in ('user_impersonation', 'User.Read')\r\n| summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), PropertyUpdateSet = make_bag(PropertyUpdate), make_set(scope)\r\n by InitiatedBy, IpAddress, TargetResourceName, OperationName, CorrelationId\r\n| extend timestamp = StartTime, 
UserPrincipalName = InitiatedBy\r\n| where UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "0", - "name": "Results108", - "styleSettings": { - "maxWidth": "0" - } - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Workspace}" - ], - "parameters": [ - { - "id": "d0f5e554-de83-438a-9c4a-be05649f8d1f", - "version": "KqlParameterItem/1.0", - "name": "Results112", - "type": 1, - "isRequired": true, - "query": "(union isfuzzy=true\r\n(\r\nAuditLogs\r\n| extend UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\r\n| where OperationName =~ \"Set federation settings on domain\"\r\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\r\n| mv-expand TargetResources\r\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\r\n| mv-expand modifiedProperties\r\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\r\n| mv-expand AdditionalDetails\r\n),\r\n(\r\nAuditLogs\r\n| where OperationName =~ \"Set domain authentication\"\r\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\r\n| mv-expand TargetResources\r\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\r\n| mv-expand modifiedProperties\r\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), 
NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\r\n| where NewDomainValue has \"Federated\"\r\n))\r\n| where UserPrincipalName in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results", - "crossComponentResources": [ - "{Workspace}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "Results112" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "# 📝 [Audit Logs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs)\n---\n\nThis section provides accountability and traceability for **administrative and user activities** across cloud services. It directly supports GDPR requirements for **records of processing activities (Art. 30)**, **security of processing (Art. 32)**, and **accountability (Art. 5(2))** by ensuring that all actions related to personal data can be tracked, reviewed, and evidenced. 
\n\nKey objectives of this section: \n- Detect **risky administrative actions** such as password resets, consent grants, or policy changes \n- Identify **suspicious logins** from inactive accounts or unusual sources that may indicate misuse of personal data \n- Monitor for **rare or unexpected audit events** that could signal attempts to bypass controls \n- Provide a reliable record of **who accessed what, when, and with what privileges** \n- Supply auditors with verifiable evidence of **control enforcement, activity logging, and retention** \n\nBy reviewing these metrics, analysts can confirm that **all processing activities are logged and monitored**, supporting GDPR requirements for transparency, oversight, and demonstrable compliance.\n" - }, - "name": "text - 2" - } - ] - }, - "customWidth": "40", - "name": "group - 27" - }, - { - "type": 1, - "content": { - "json": "" - }, - "customWidth": "10", - "name": "text - 26" - }, - { - "type": 1, - "content": { - "json": "| Audit Log (Entra ID)) | - | - |\r\n|:--| :--| :--|\r\n| Changing Passwords Across Multiple Cloud Accounts | Credential & Secret Search Activity by Users | Unexpected Logins From Inactive Accounts |\r\n| Rare Audit Activity Initiated |Suspicious Consent to Application Discovery |\r\n\r\nPanels in this section are dynamically rendered based on the selected Subscription, Workspace, Time range and User. Only panels with data are shown." 
- }, - "customWidth": "40", - "name": "SI OV" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let action = dynamic([\"change \", \"changed \", \"reset \"]);\r\nlet pWord = dynamic([\"password \", \"credentials \"]);\r\n(union isfuzzy=true\r\n (SecurityEvent\r\n | where EventID in (4723, 4724)\r\n | summarize\r\n StartTimeUtc = min(TimeGenerated),\r\n EndTimeUtc = max(TimeGenerated),\r\n ResultDescriptions = makeset(Activity),\r\n ActionCount = count()\r\n by\r\n Resource = Computer,\r\n OperationName = strcat(\"TargetAccount: \", TargetUserName),\r\n UserId = Account,\r\n Type\r\n ),\r\n (AuditLogs\r\n | where OperationName has_any (pWord) and OperationName has_any (action)\r\n | extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) \r\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName) \r\n | where ResultDescription != \"None\" \r\n | summarize\r\n StartTimeUtc = min(TimeGenerated),\r\n EndTimeUtc = max(TimeGenerated),\r\n ResultDescriptions = makeset(ResultDescription),\r\n CorrelationIds = makeset(CorrelationId),\r\n ActionCount = count()\r\n by\r\n OperationName = strcat(Category, \" - \", OperationName, \" - \", Result),\r\n Resource,\r\n UserId = TargetUserPrincipalName,\r\n Type\r\n | extend ResultDescriptions = tostring(ResultDescriptions)\r\n ),\r\n (OfficeActivity\r\n | where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\r\n | extend ResultDescriptions = case(\r\n OfficeWorkload =~ \"AzureActiveDirectory\",\r\n tostring(ExtendedProperties),\r\n OfficeWorkload has_any (\"Exchange\", \"OneDrive\"),\r\n OfficeObjectId,\r\n RecordType\r\n ) \r\n | summarize\r\n StartTimeUtc = min(TimeGenerated),\r\n EndTimeUtc = max(TimeGenerated),\r\n ResultDescriptions = makeset(ResultDescriptions),\r\n ActionCount = count()\r\n by\r\n Resource = OfficeWorkload,\r\n 
OperationName = strcat(Operation, \" - \", ResultStatus),\r\n IPAddress = ClientIP,\r\n UserId,\r\n Type\r\n ),\r\n (Syslog\r\n | where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\r\n | summarize\r\n StartTimeUtc = min(TimeGenerated),\r\n EndTimeUtc = max(TimeGenerated),\r\n ResultDescriptions = makeset(SyslogMessage),\r\n ActionCount = count()\r\n by\r\n Resource = HostName,\r\n OperationName = Facility,\r\n IPAddress = HostIP,\r\n ProcessName,\r\n Type\r\n ),\r\n (SigninLogs\r\n | where OperationName =~ \"Sign-in activity\" and ResultType has_any (\"50125\", \"50133\")\r\n | summarize\r\n StartTimeUtc = min(TimeGenerated),\r\n EndTimeUtc = max(TimeGenerated),\r\n ResultDescriptions = makeset(ResultDescription),\r\n CorrelationIds = makeset(CorrelationId),\r\n ActionCount = count()\r\n by\r\n Resource,\r\n OperationName = strcat(OperationName, \" - \", ResultType),\r\n IPAddress,\r\n UserId = UserPrincipalName,\r\n Type\r\n )\r\n)\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserId in ({UserPrincipalName})\r\n| summarize LogSource=make_set(Type), ActionCount=sum(ActionCount) by UserId\r\n| sort by ActionCount desc\r\n| limit 100", - "size": 0, - "showAnalytics": true, - "title": "Changing Passwords Across Multiple Cloud Accounts", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - 
{ - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results103", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results103", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "// Extend this list with items to search for\r\nlet keywords = dynamic([\"password\", \"pwd\", \"creds\", \"credentials\", \"secret\"]);\r\n// To exclude key phrases or tables to exclude add to these lists\r\nlet table_exclusions = dynamic([\"AuditLogs\", \"SigninLogs\", \"LAQueryLogs\", \"SecurityEvent\"]);\r\nlet keyword_exclusion = dynamic([\"reset user password\", \"change user password\"]);\r\nLAQueryLogs\r\n| where RequestClientApp != 'Sentinel-General'\r\n| extend querytext_lower = tolower(QueryText)\r\n| where querytext_lower has_any(keywords)\r\n| project TimeGenerated, AADEmail, QueryText, RequestClientApp, RequestTarget, ResponseCode, ResponseRowCount, ResponseDurationMs, CorrelationId\r\n| extend timestamp = TimeGenerated, Username = AADEmail\r\n| join kind=leftanti (LAQueryLogs\r\n | where RequestClientApp != 'Sentinel-General'\r\n | extend querytext_lower = tolower(QueryText)\r\n | where QueryText has_any(table_exclusions) or querytext_lower has_any(keyword_exclusion))\r\n on CorrelationId\r\n| where isnotempty(Username) and 
ResponseRowCount > 0\r\n| where \"{UserPrincipalName:label}\" == \"All\" or Username in ({UserPrincipalName})\r\n| summarize count() by Username\r\n| sort by count_ desc\r\n| limit 100", - "size": 0, - "showAnalytics": true, - "title": "Credential & Secret Search Activity by Users", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "Username", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results104", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results104", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let recentWindow = 1d; // Accounts that logged in 
recently\r\nlet historyWindow = 30d; // Look back period for prior logins\r\nlet newAccountWindow = 7d; // Exclude accounts created in last 7 days\r\n// Step 1: Recent successful logins\r\nlet recentLogins = SigninLogs\r\n| where TimeGenerated >= ago(recentWindow)\r\n| where ResultType == 0\r\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), loginCountRecent = count() \r\n by UserPrincipalName, Identity;\r\n// Step 2: Exclude accounts that had successful logins in the historical period\r\nlet historicalLogins = SigninLogs\r\n| where TimeGenerated between (ago(historyWindow) .. ago(recentWindow))\r\n| where ResultType == 0\r\n| summarize by UserPrincipalName, Identity;\r\nlet dormantLogins = recentLogins\r\n| join kind=leftanti (historicalLogins) on UserPrincipalName;\r\n// Step 3: Exclude newly created accounts\r\nlet newAccounts = AuditLogs\r\n| where TimeGenerated >= ago(newAccountWindow)\r\n| where OperationName == \"Add user\"\r\n| extend NewUserPrincipalName = tolower(extractjson(\"$.userPrincipalName\", tostring(TargetResources[0]), typeof(string)));\r\ndormantLogins\r\n| join kind=leftanti (newAccounts) on $left.UserPrincipalName == $right.NewUserPrincipalName\r\n| where \"{UserPrincipalName:label}\" == \"All\" or UserPrincipalName in ({UserPrincipalName})\r\n| summarize count() by UserPrincipalName\r\n| sort by count_ desc\r\n| limit 100", - "size": 0, - "showAnalytics": true, - "title": "Unexpected Logins From Inactive Accounts", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserPrincipalName", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "Person", - "text": "{0}{1}" - } - ] - } - }, - { - 
"columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - } - ], - "filter": true - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results105", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results105", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let current = 1d;\r\nlet auditLookback = {TimeRange:grain};\r\nlet propertyIgnoreList = dynamic([\"TargetId.UserType\", \"StsRefreshTokensValidFrom\", \"LastDirSyncTime\", \"DeviceOSVersion\", \"CloudDeviceOSVersion\", \"DeviceObjectVersion\"]);\r\nlet AuditTrail = AuditLogs\r\n | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\r\n | where isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\r\n | extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n | extend InitiatedByIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\r\n | extend ModProps = TargetResources.[0].modifiedProperties\r\n | extend TargetUserPrincipalName = tolower(tostring(TargetResources.[0].userPrincipalName))\r\n | extend TargetResourceName = 
tolower(tostring(TargetResources.[0].displayName))\r\n | mv-expand ModProps\r\n | extend PropertyName = tostring(ModProps.displayName), newValue = tostring(parse_json(tostring(ModProps.newValue))[0])\r\n | where PropertyName !in~ (propertyIgnoreList) and (PropertyName !~ \"Action Client Name\" and newValue !~ \"DirectorySync\") and (PropertyName !~ \"Included Updated Properties\" and newValue !~ \"LastDirSyncTime\")\r\n | summarize count() by OperationName, InitiatedByUser, InitiatedByIPAddress, TargetUserPrincipalName, PropertyName, TargetResourceName;\r\nlet AccountMods = AuditLogs \r\n | where TimeGenerated >= ago(current)\r\n | where isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\r\n | extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n | extend InitiatedByIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\r\n | extend ModProps = TargetResources.[0].modifiedProperties\r\n | extend TargetUserPrincipalName = tolower(tostring(TargetResources.[0].userPrincipalName))\r\n | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\r\n | mv-expand ModProps\r\n | extend PropertyName = tostring(ModProps.displayName), newValue = tostring(parse_json(tostring(ModProps.newValue))[0])\r\n | where PropertyName !in~ (propertyIgnoreList) and (PropertyName !~ \"Action Client Name\" and newValue !~ \"DirectorySync\") and (PropertyName !~ \"Included Updated Properties\" and newValue !~ \"LastDirSyncTime\")\r\n | extend ModifiedProps = pack(\"PropertyName\", PropertyName, \"newValue\", newValue, \"Id\", Id, \"CorrelationId\", CorrelationId) \r\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Activity = make_bag(ModifiedProps) by Type, InitiatedByUser, InitiatedByIPAddress, TargetUserPrincipalName, Category, OperationName, PropertyName, TargetResourceName;\r\nlet RareAudits = AccountMods\r\n | join kind= leftanti (\r\n AuditTrail \r\n 
)\r\n on OperationName, InitiatedByUser, InitiatedByIPAddress;//, TargetUserPrincipalName, PropertyName; //uncomment if you want to see Rare Property changes to a given TargetUserPrincipalName.\r\nRareAudits \r\n| summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), make_set(Activity), make_set(PropertyName) by Type, InitiatedByUser, InitiatedByIPAddress, OperationName, TargetUserPrincipalName, TargetResourceName\r\n| extend StartTime, InitiatedByUser, Hostname = iff(set_PropertyName has_any ('DeviceOSType', 'CloudDeviceOSType'), TargetResourceName, ''), InitiatedByIPAddress\r\n| where \"{UserPrincipalName:label}\" == \"All\" or InitiatedByUser in ({UserPrincipalName})\r\n| distinct InitiatedByUser, OperationName, StartTime\r\n| sort by StartTime desc\r\n| limit 100", - "size": 0, - "showAnalytics": true, - "title": "Rare Audit Activity Initiated", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "InitiatedByUser", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "pending", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - 
"thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - } - ], - "filter": true - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Results107", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results107", - "styleSettings": { - "maxWidth": "50" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let auditLookback = {TimeRange:grain};\r\n// Setting threshold to 3 as a default, change as needed. Any operation that has been initiated by a user or app more than 3 times in the past 30 days will be exluded\r\nlet threshold = 3;\r\n// Helper function to extract relevant fields from AuditLog events\r\nlet auditLogEvents = view (startTimeSpan: timespan) {\r\n AuditLogs\r\n | where TimeGenerated >= ago(auditLookback)\r\n | extend ModProps = TargetResources.[0].modifiedProperties\r\n | extend IpAddress = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)), \r\n tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))\r\n | extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \r\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\r\n | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\r\n | mvexpand ModProps\r\n | extend PropertyName = tostring(ModProps.displayName), newValue = replace('\\\"', \"\", tostring(ModProps.newValue));\r\n};\r\n// Get just the InitiatedBy and CorrleationId so we can look at associated audit activity\r\n// 2 other operations that can be part of malicious activity in this situation are \r\n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", replace 
the below if you are interested in those as starting points for OperationName\r\nlet HistoricalConsent = auditLogEvents(auditLookback) \r\n | where OperationName == \"Consent to application\"\r\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() \r\n by Type, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, PropertyName, newValue, CorrelationId, Id\r\n// Remove comment below to only include operations initiated by a user or app that is above the threshold for the last 30 days\r\n//| where OperationCount > threshold\r\n;\r\nlet Correlate = HistoricalConsent \r\n | summarize by InitiatedBy, CorrelationId;\r\n// 2 other operations that can be part of malicious activity in this situation are \r\n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", replace the below if you changed the starting OperationName above\r\nlet allOtherEvents = auditLogEvents(auditLookback) \r\n | where OperationName != \"Consent to application\";\r\n// Gather associated activity based on audit activity for \"Consent to application\" and InitiatedBy and CorrleationId\r\nlet CorrelatedEvents = Correlate \r\n | join allOtherEvents on InitiatedBy, CorrelationId\r\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \r\n by Type, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, PropertyName, newValue, CorrelationId, Id\r\n;\r\n// Union the results\r\nlet Results = union isfuzzy=true HistoricalConsent, CorrelatedEvents;\r\n// newValues that are simple semi-colon separated, make those dynamic for easy viewing and Aggregate into the PropertyUpdate set based on CorrelationId and Id(DirectoryId)\r\nResults\r\n| extend newValue = split(newValue, \";\")\r\n| extend PropertyUpdate = pack(PropertyName, newValue, \"Id\", Id)\r\n// Extract scope requested\r\n| extend perms = tostring(parse_json(tostring(PropertyUpdate.[\"ConsentAction.Permissions\"]))[0])\r\n| extend scope = 
extract('Scope:\\\\s*([^,\\\\]]*)', 1, perms)\r\n// Filter out some common openid, and low privilege request scopes - uncomment line below to filter out where no scope is requested\r\n//| where isnotempty(scope)\r\n| where scope !contains 'openid' and scope !in ('user_impersonation', 'User.Read')\r\n| summarize StartTime = min(StartTimeUtc), EndTime = max(EndTimeUtc), PropertyUpdateSet = make_bag(PropertyUpdate), make_set(scope)\r\n by InitiatedBy, IpAddress, TargetResourceName, OperationName, CorrelationId\r\n| extend StartTime, InitiatedBy, IpAddress\r\n| where \"{UserPrincipalName:label}\" == \"All\" or InitiatedBy in ({UserPrincipalName})\r\n| summarize count() by InitiatedBy\r\n| sort by count_ desc", - "size": 0, - "showAnalytics": true, - "title": "Suspicious Consent to Application Discovery", - "timeContextFromParameter": "TimeRange", - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "crossComponentResources": [ - "{Workspace}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "UserId", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "Operation", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "OfficeWorkload", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "resource", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "blue" - } - } - ] - } - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": 
"Results108", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "Results108", - "styleSettings": { - "maxWidth": "50" - } - } - ] - }, - "conditionalVisibility": { - "parameterName": "isAuditLogsVisible", - "comparison": "isEqualTo", - "value": "true" - }, - "name": "Audit Logs Group" + "name": "Audit Logs Group", + "id": "b1147b29-3f12-46fc-a7b6-db44288a5990" + } + ], + "isLocked": true, + "fallbackResourceIds": [ + ], + "fromTemplateId": "sentinel-UserWorkbook", + "context": { + "ownerId": "" } - ], - "fallbackResourceIds": [ - ], - "fromTemplateId": "", - "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" -} +} \ No newline at end of file