

Merge pull request #2420 from samikroy/master
Removing the second-to-minute conversion, as the selected unit is seconds
v-jayakal authored Jul 2, 2021
2 parents 677ecd5 + 63c6e71 commit 30a30db
Showing 1 changed file with 1 addition and 1 deletion.
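--- a/Workbooks/WorkspaceUsage.json
+++ b/Workbooks/WorkspaceUsage.json
@@ -2938,7 +2938,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
-"query": "//\r\n// Add enrichment information about selected Tables\r\n//\r\nlet enrich = datatable (TableName:string,Information:string,link:string)\r\n [\r\n \"Usage\",\"This is common Usage data in all Workspaces\",\"https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage\",\r\n \"Operation\",\"This is common Operations data in all Workspaces\",\"\",\r\n \"OfficeActivity\",\"This is a PUSH data source, typically <30mins (max ~1day)\",\"https://docs.microsoft.com/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api#what-is-the-maximum-time-i-will-have-to-wait-before-a-notification-is-sent-about-a-given-office-365-event\",\r\n \"Perf\",\"Operational Data source, this can have limited value to Azure Sentinel\",\"https://docs.microsoft.com/azure/azure-monitor/platform/agent-data-sources\",\r\n \"Event\",\"Windows Server Event Logs\",\"https://docs.microsoft.com/azure/azure-monitor/platform/agent-data-sources\",\r\n \"Syslog\", \"Syslog messages using Common Event Format (CEF) streamed from variety of security solutions.Learn more\",\"https://docs.microsoft.com/azure/sentinel/connect-data-sources\",\r\n \"SecurityAlert\",\"Security Alerts from various sources\",\"https://docs.microsoft.com/azure/sentinel/connect-data-sources\",\r\n \"Alert\",\"Alerts from Azure Monitor sources\",\"\",\r\n \"AWSCloudTrail\",\"Azure Sentinel: AWS Cloud trail connector\",\"\",\r\n \"Anomalies\",\"Azure Sentinel: This table contains anomalies generated by the active Anomaly analytics rules in Azure Sentinel.\",\"\",\r\n \"AADNonInteractiveUserSignInLogs\",\"Non-interactive Azure Active Directory sign-in logs from user\",\"\",\r\n \"SecurityEvent\",\"Data from Azure Security Center or Azure Sentinel\",\"https://docs.microsoft.com/azure/sentinel/connect-data-sources\",\r\n \"CommonSecurityLog\",\"CEF data for Azure Sentinel, from multiple vendors\",\"https://docs.microsoft.com/azure/sentinel/connect-data-sources\",\r\n \"SecurityIncident\",\"Incident events from Azure Sentinel, also see SecurityAlert\",\"\",\r\n \"Heartbeat\", \"MMA info from Log Analytics agents\",\"\",\r\n \"LAQueryLogs\",\"Auditing of the workspace has been set\",\"https://docs.microsoft.com/azure/azure-monitor/log-query/query-audit\",\r\n \"VMConnection\",\"Azure Monitor for VMs or Service Map\",\"https://docs.microsoft.com/azure/azure-monitor/reference/tables/vmconnection\",\r\n \"KubeServices\",\"AKS data sources\",\"\",\r\n \"Update\",\"Patching info\",\"\", \r\n \"ThreatIntelligenceIndicator\",\"Azure Sentinel TI data\",\"\", \r\n \"AuditLogs\",\"Azure AAD audit information\",\"\", \r\n \"SigninLogs\",\"Azure AAD Signin information\",\"\", \r\n \"AzureActivity\",\"Azure Activity Logs\",\"\",\r\n \"HuntingBookmark\",\"Azure Sentinel - Hunting book mark data\",\"\", \r\n \"UserPeerAnalytics\",\"Azure Sentinel - UEBA\",\"\", \r\n \"UserAccessAnalytics\",\"Azure Sentinel - UEBA\",\"\", \r\n \"IdentityInfo\",\"Azure Sentinel - UEBA\",\"\", \r\n \"BehaviorAnalytics\",\"Azure Sentinel - UEBA\",\"\", \r\n \"DeviceEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection.\",\"\",\r\n \"DeviceFileEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains File creation, modification, and other file system events.\",\"\", \r\n \"DeviceImageLoadEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains DLL loading events\",\"\", \r\n \"DeviceInfo\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Machine information, including OS information.\",\"\", \r\n \"DeviceLogonEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Sign-ins and other authentication events\",\"\", \r\n \"DeviceNetworkEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Network connection and related events.\",\"\", \r\n \"DeviceNetworkInfo\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains.\",\"\", \r\n \"DeviceProcessEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Process creation and related events.\",\"\", \r\n \"DeviceRegistryEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Creation and modification of registry entries.\",\"\", \r\n \"DnsInventory\",\"DNS Analytics (Preview)\",\"\", \r\n \"W3CIISLog\",\"IIS log data from Azure Monitor Logs\",\"\"\r\n ]\r\n; \r\n// Gather and calculate Latency information\r\nunion withsource = TableName1 *\r\n| summarize \r\n ['average E2E IngestionLatency'] = round(avg(todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated))/60 ),2)\r\n , ['minimun E2E IngestionLatency'] = round(min(todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated))/60 ),2) \r\n , ['maximum E2E IngestionLatency'] = round(max(todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated))/60 ),2)\r\n by TableName = TableName1\r\n| sort by ['average E2E IngestionLatency'] desc\r\n// join to enrichment and remove unwanted columns \r\n| join kind= fullouter (enrich) on TableName\r\n| where isnotempty(TableName)\r\n| project-away TableName1\r\n",
+"query": "//\r\n// Add enrichment information about selected Tables\r\n//\r\nlet enrich = datatable (TableName:string,Information:string,link:string)\r\n [\r\n \"Usage\",\"This is common Usage data in all Workspaces\",\"https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage\",\r\n \"Operation\",\"This is common Operations data in all Workspaces\",\"\",\r\n \"OfficeActivity\",\"This is a PUSH data source, typically <30mins (max ~1day)\",\"https://docs.microsoft.com/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api#what-is-the-maximum-time-i-will-have-to-wait-before-a-notification-is-sent-about-a-given-office-365-event\",\r\n \"Perf\",\"Operational Data source, this can have limited value to Azure Sentinel\",\"https://docs.microsoft.com/azure/azure-monitor/platform/agent-data-sources\",\r\n \"Event\",\"Windows Server Event Logs\",\"https://docs.microsoft.com/azure/azure-monitor/platform/agent-data-sources\",\r\n \"Syslog\", \"Syslog messages using Common Event Format (CEF) streamed from variety of security solutions.Learn more\",\"https://docs.microsoft.com/azure/sentinel/connect-data-sources\",\r\n \"SecurityAlert\",\"Security Alerts from various sources\",\"https://docs.microsoft.com/azure/sentinel/connect-data-sources\",\r\n \"Alert\",\"Alerts from Azure Monitor sources\",\"\",\r\n \"AWSCloudTrail\",\"Azure Sentinel: AWS Cloud trail connector\",\"\",\r\n \"Anomalies\",\"Azure Sentinel: This table contains anomalies generated by the active Anomaly analytics rules in Azure Sentinel.\",\"\",\r\n \"AADNonInteractiveUserSignInLogs\",\"Non-interactive Azure Active Directory sign-in logs from user\",\"\",\r\n \"SecurityEvent\",\"Data from Azure Security Center or Azure Sentinel\",\"https://docs.microsoft.com/azure/sentinel/connect-data-sources\",\r\n \"CommonSecurityLog\",\"CEF data for Azure Sentinel, from multiple vendors\",\"https://docs.microsoft.com/azure/sentinel/connect-data-sources\",\r\n \"SecurityIncident\",\"Incident events from Azure Sentinel, also see SecurityAlert\",\"\",\r\n \"Heartbeat\", \"MMA info from Log Analytics agents\",\"\",\r\n \"LAQueryLogs\",\"Auditing of the workspace has been set\",\"https://docs.microsoft.com/azure/azure-monitor/log-query/query-audit\",\r\n \"VMConnection\",\"Azure Monitor for VMs or Service Map\",\"https://docs.microsoft.com/azure/azure-monitor/reference/tables/vmconnection\",\r\n \"KubeServices\",\"AKS data sources\",\"\",\r\n \"Update\",\"Patching info\",\"\", \r\n \"ThreatIntelligenceIndicator\",\"Azure Sentinel TI data\",\"\", \r\n \"AuditLogs\",\"Azure AAD audit information\",\"\", \r\n \"SigninLogs\",\"Azure AAD Signin information\",\"\", \r\n \"AzureActivity\",\"Azure Activity Logs\",\"\",\r\n \"HuntingBookmark\",\"Azure Sentinel - Hunting book mark data\",\"\", \r\n \"UserPeerAnalytics\",\"Azure Sentinel - UEBA\",\"\", \r\n \"UserAccessAnalytics\",\"Azure Sentinel - UEBA\",\"\", \r\n \"IdentityInfo\",\"Azure Sentinel - UEBA\",\"\", \r\n \"BehaviorAnalytics\",\"Azure Sentinel - UEBA\",\"\", \r\n \"DeviceEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection.\",\"\",\r\n \"DeviceFileEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains File creation, modification, and other file system events.\",\"\", \r\n \"DeviceImageLoadEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains DLL loading events\",\"\", \r\n \"DeviceInfo\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Machine information, including OS information.\",\"\", \r\n \"DeviceLogonEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Sign-ins and other authentication events\",\"\", \r\n \"DeviceNetworkEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Network connection and related events.\",\"\", \r\n \"DeviceNetworkInfo\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains.\",\"\", \r\n \"DeviceProcessEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Process creation and related events.\",\"\", \r\n \"DeviceRegistryEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Creation and modification of registry entries.\",\"\", \r\n \"DnsInventory\",\"DNS Analytics (Preview)\",\"\", \r\n \"W3CIISLog\",\"IIS log data from Azure Monitor Logs\",\"\"\r\n ]\r\n; \r\n// Gather and calculate Latency information\r\nunion withsource = TableName1 *\r\n| summarize \r\n ['average E2E IngestionLatency'] = round(avg(todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated)) ),2)\r\n , ['minimun E2E IngestionLatency'] = round(min(todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated)) ),2) \r\n , ['maximum E2E IngestionLatency'] = round(max(todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated)) ),2)\r\n by TableName = TableName1\r\n| sort by ['average E2E IngestionLatency'] desc\r\n// join to enrichment and remove unwanted columns \r\n| join kind= fullouter (enrich) on TableName\r\n| where isnotempty(TableName)\r\n| project-away TableName1\r\n",
 "size": 0,
 "timeContext": {
 "durationMs": 2592000000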

