Logged By Service Trend

Workbooks/AzureActiveDirectoryAuditLogs.json

@@ -12,8 +12,6 @@
       "type": 9,
       "content": {
         "version": "KqlParameterItem/1.0",
-        "query": "",
-        "crossComponentResources": [],
         "parameters": [
           {
             "id": "bc372bf5-2dcd-4efa-aa85-94b6e6fafe14",
@@ -166,15 +164,14 @@
         "version": "KqlItem/1.0",
         "query": "let data = AuditLogs\r\n| where \"{Category:lable}\" == \"All\" or Category in ({Category})\r\n| where \"{Result:lable}\" == \"All\" or Result in ({Result})\r\n| extend initiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\r\n| where initiatingUserPrincipalName != \"\" \r\n| where \"{User:lable}\" == \"All\" or initiatingUserPrincipalName in ({User});\r\ndata\r\n| summarize Count = count() by Category\r\n| join kind = fullouter (datatable(Category:string)['Medium', 'high', 'low']) on Category\r\n| project Category = iff(Category == '', Category1, Category), Count = iff(Category == '', 0, Count)\r\n| join kind = inner (data\r\n    | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Category)\r\n    on Category\r\n| project-away Category1, TimeGenerated\r\n| extend Category = Category\r\n| union (\r\n    data \r\n    | summarize Count = count() \r\n    | extend jkey = 1\r\n    | join kind=inner (data\r\n        | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n        | extend jkey = 1) on jkey\r\n    | extend Category = 'All', Categorys = '*'    \r\n)\r\n| order by Count desc\r\n| take 10",
         "size": 4,
-        "exportFieldName": "Category",
-        "exportParameterName": "CategoryFIlter",
-        "exportDefaultValue": "All",
-        "exportToExcelOptions": "visible",
         "title": "Categories volume",
         "timeContext": {
-          "durationMs": 0
+          "durationMs": 7776000000
         },
         "timeContextFromParameter": "TimeRange",
+        "exportFieldName": "Category",
+        "exportParameterName": "CategoryFIlter",
+        "exportDefaultValue": "All",
         "queryType": 0,
         "resourceType": "microsoft.operationalinsights/workspaces",
         "visualization": "tiles",
@@ -221,16 +218,15 @@
         "version": "KqlItem/1.0",
         "query": "let data = AuditLogs\r\n| where \"{Result:lable}\" == \"All\" or Result in ({Result})\r\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \"\", tostring(InitiatedBy.user.userPrincipalName), \"unknown\")\r\n| where \"{User:lable}\" == \"All\" or initiator in ({User})\r\n| where \"{Category:lable}\" == \"All\" or Category in ({Category})\r\n| where Category == '{CategoryFIlter}' or '{CategoryFIlter}' == \"All\";\r\nlet appData = data\r\n| summarize TotalCount = count() by OperationName, Category\r\n| join kind=inner (data\r\n    | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName\r\n    | project-away TimeGenerated) on OperationName\r\n| order by TotalCount desc, OperationName asc\r\n| project OperationName, TotalCount, Trend, Category\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalCount = count() by initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \"\", tostring(InitiatedBy.user.userPrincipalName), \"unknown\"), Category, OperationName\r\n| join kind=inner (data\r\n    | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName, initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \"\", tostring(InitiatedBy.user.userPrincipalName), \"unknown\")\r\n    | project-away TimeGenerated) on OperationName, initiator\r\n| order by TotalCount desc, OperationName asc\r\n| project OperationName, initiator, TotalCount, Category, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on OperationName\r\n| project Id, Name = initiator, Type = 'initiator', ['Operations Count'] = TotalCount, Trend, Category, ParentId = Id1\r\n| union (appData \r\n    | project Id, Name = OperationName, Type = 'Operation', ['Operations Count'] = TotalCount, Category, Trend)\r\n| order by ['Operations Count'] desc, Name asc",
         "size": 0,
-        "exportParameterName": "UserInfo",
-        "exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}",
         "showAnalytics": true,
-        "showExportToExcel": true,
-        "exportToExcelOptions": "visible",
         "title": "User activities",
         "timeContext": {
           "durationMs": 0
         },
         "timeContextFromParameter": "TimeRange",
+        "exportParameterName": "UserInfo",
+        "exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}",
+        "showExportToExcel": true,
         "queryType": 0,
         "resourceType": "microsoft.operationalinsights/workspaces",
         "gridSettings": {
@@ -242,13 +238,6 @@
                 "showIcon": true
               }
             },
-            {
-              "columnMatch": "Name",
-              "formatter": 0,
-              "formatOptions": {
-                "showIcon": true
-              }
-            },
             {
               "columnMatch": "Type",
               "formatter": 5,
@@ -286,13 +275,6 @@
                 }
               }
             },
-            {
-              "columnMatch": "Category",
-              "formatter": 0,
-              "formatOptions": {
-                "showIcon": true
-              }
-            },
             {
               "columnMatch": "ParentId",
               "formatter": 5,
@@ -308,8 +290,7 @@
             "parentColumn": "ParentId",
             "treeType": 0,
             "expanderColumn": "Name"
-          },
-          "labelSettings": []
+          }
         }
       },
       "customWidth": "70",
@@ -322,10 +303,9 @@
         "version": "KqlItem/1.0",
         "query": "let details = dynamic({UserInfo});\r\nAuditLogs\r\n| where \"{Category:lable}\" == \"All\" or Category in ({Category})\r\n| where \"{Result:lable}\" == \"All\" or Result in ({Result})\r\n| extend initiatingUserPrincipalName = iif (tostring(InitiatedBy.user.userPrincipalName) != \"\", tostring(InitiatedBy.user.userPrincipalName), \"unknown\")\r\n//| where initiatingUserPrincipalName != \"\" \r\n| where \"{User:lable}\" == \"All\" or initiatingUserPrincipalName in ({User})\r\n| where details.Type == '*' or (details.Type == 'initiator' and initiatingUserPrincipalName == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\r\n| summarize Activities = count() by initiatingUserPrincipalName\r\n| sort by Activities desc nulls last ",
         "size": 0,
-        "exportToExcelOptions": "visible",
         "title": "Top active users",
         "timeContext": {
-          "durationMs": 0
+          "durationMs": 7776000000
         },
         "timeContextFromParameter": "TimeRange",
         "queryType": 0,
@@ -341,85 +321,60 @@
         "version": "KqlItem/1.0",
         "query": "let details = dynamic({UserInfo});\r\nlet data = AuditLogs\r\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \"\", tostring(InitiatedBy.user.userPrincipalName), \"unknown\")\r\n| where details.Type == '*' or (details.Type == 'initiator' and initiator == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\r\n| where \"{Category:lable}\" == \"All\" or Category in ({Category})\r\n| where \"{Result:lable}\" == \"All\" or Result in ({Result})\r\n| where \"{User:lable}\" == \"All\" or initiator in ({User});\r\nlet appData = data\r\n| summarize TotalCount = count() by Result\r\n| join kind=inner (data\r\n    | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result\r\n    | project-away TimeGenerated) on Result\r\n| order by TotalCount desc, Result asc\r\n| project Result, TotalCount, Trend\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalCount = count() by OperationName, Result\r\n| join kind=inner (data\r\n    | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result, OperationName\r\n    | project-away TimeGenerated) on Result, OperationName\r\n| order by TotalCount desc, Result asc\r\n| project Result, OperationName, TotalCount, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on Result\r\n| project Id, Name = OperationName, Type = 'Operation', ['Results Count'] = TotalCount, Trend, ParentId = Id1\r\n| union (appData \r\n    | project Id, Name = Result, Type = 'Result', ['Results Count'] = TotalCount, Trend)\r\n| order by ['Results Count'] desc, Name asc",
         "size": 0,
-        "exportParameterName": "ResultInfo",
-        "exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}",
-        "exportToExcelOptions": "visible",
         "title": "Result status",
         "timeContext": {
           "durationMs": 0
         },
         "timeContextFromParameter": "TimeRange",
+        "exportParameterName": "ResultInfo",
+        "exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}",
         "queryType": 0,
         "resourceType": "microsoft.operationalinsights/workspaces",
         "gridSettings": {
           "formatters": [
             {
               "columnMatch": "Id",
-              "formatter": 5,
-              "formatOptions": {
-                "showIcon": true
-              }
-            },
-            {
-              "columnMatch": "Name",
-              "formatter": 0,
-              "formatOptions": {
-                "showIcon": true
-              }
+              "formatter": 5
             },
             {
               "columnMatch": "Type",
-              "formatter": 5,
-              "formatOptions": {
-                "showIcon": true
-              }
+              "formatter": 5
             },
             {
               "columnMatch": "Results Count",
               "formatter": 8,
               "formatOptions": {
                 "min": 0,
-                "palette": "grayBlue",
-                "showIcon": true
+                "palette": "grayBlue"
               }
             },
             {
               "columnMatch": "Trend",
               "formatter": 9,
               "formatOptions": {
-                "palette": "greenDark",
-                "showIcon": true
+                "palette": "greenDark"
               }
             },
             {
               "columnMatch": "ParentId",
-              "formatter": 5,
-              "formatOptions": {
-                "showIcon": true
-              }
-            },
-            {
-              "columnMatch": "Category",
-              "formatter": 0,
-              "formatOptions": {
-                "showIcon": true
-              }
+              "formatter": 5
             }
           ],
           "hierarchySettings": {
             "idColumn": "Id",
             "parentColumn": "ParentId",
             "treeType": 0,
             "expanderColumn": "Name"
-          },
-          "labelSettings": []
+          }
         }
       },
       "customWidth": "70",
       "name": "query - 5"
     }
   ],
-  "styleSettings": {},
+  "fallbackResourceIds": [
+    ""
+  ],
   "fromTemplateId": "sentinel-AzureActiveDirectoryAuditLogs",
   "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
-}
+}

Workbooks/WorkbooksMetadata.json

@@ -188,7 +188,7 @@
     "dataTypesDependencies": [ "AuditLogs" ],
     "dataConnectorsDependencies": [ "AzureActiveDirectory" ],
     "previewImagesFileNames": [ "AzureADAuditLogsBlack1.png", "AzureADAuditLogsWhite1.png" ],
-    "version": "1.1",
+    "version": "1.2",
     "title": "Azure AD Audit logs",
     "templateRelativePath": "AzureActiveDirectoryAuditLogs.json",
     "subtitle": "",