diff --git a/Solutions/BloodHound Enterprise/Package/3.2.2.zip b/Solutions/BloodHound Enterprise/Package/3.2.2.zip
index 80e6abeb1d1..b2d430071ca 100644
Binary files a/Solutions/BloodHound Enterprise/Package/3.2.2.zip and b/Solutions/BloodHound Enterprise/Package/3.2.2.zip differ
diff --git a/Solutions/BloodHound Enterprise/Package/mainTemplate.json b/Solutions/BloodHound Enterprise/Package/mainTemplate.json
index 8e875f58c93..2013e4144cc 100644
--- a/Solutions/BloodHound Enterprise/Package/mainTemplate.json
+++ b/Solutions/BloodHound Enterprise/Package/mainTemplate.json
@@ -875,7 +875,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"f0dfd85a-6c9c-4dab-91d7-d67cb23b1fb2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"bhe_tenant\",\"label\":\"BHE Tenant\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAttackPathsData_CL\\n| where isnotempty(tenant_url)\\n| summarize arg_max(TimeGenerated, *) by tenant_url\\n| extend display_name = replace_string(tenant_url, @\\\"https://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"http://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"/\\\", \\\"\\\") \\n| project tenant_url, display_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"key\":\"f0dfd85a-6c9c-4dab-91d7-d67cb23b1fb2\",\"timeContextFromParameter\":\"time\"},{\"id\":\"390213b5-e0d3-476c-99ca-89c76f417e7a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"domain_name\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAttackPathsData_CL\\n| where isnotempty(domain_name)\\n| where tenant_url in~ ({bhe_tenant})\\n| distinct domain_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"key\":\"390213b5-e0d3-476c-99ca-89c76f417e7a\",\"timeContextFromParameter\":\"time\"},{\"id\":\"3d301840-15be-455d-bb48-d2ca8e3d4c2f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"finding_type\",\"label\":\"Attack Path 
Types\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAttackPathsData_CL \\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| extend CleanPathTitle = trim(\\\" \\\", replace_string(replace_string(PathTitle, \\\"\\\\n\\\", \\\"\\\"), \\\"\\\\'\\\", \\\"\\\"))\\n| distinct CleanPathTitle\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"key\":\"3d301840-15be-455d-bb48-d2ca8e3d4c2f\",\"timeContextFromParameter\":\"time\"},{\"id\":\"9e7a3119-3a53-4df7-8878-d2b56a948732\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"severity\",\"label\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAttackPathsData_CL\\r\\n| where isnotempty(Severity)\\r\\n| where tenant_url in~ ({bhe_tenant})\\r\\n| where domain_name in~ ({domain_name})\\r\\n| distinct Severity\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"key\":\"9e7a3119-3a53-4df7-8878-d2b56a948732\",\"timeContextFromParameter\":\"time\"},{\"id\":\"7e02e873-7550-447e-88aa-fc99dc923c14\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time\",\"label\":\"Time Range 
Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":604800000},\"key\":\"7e02e873-7550-447e-88aa-fc99dc923c14\"}],\"style\":\"pills\"},\"name\":\"parameters - 3\",\"id\":\"8773eb3e-9066-4dde-8447-fd0939000edc\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsData_CL\\n| summarize arg_max(TimeGenerated, *) by id, domain_name\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where Severity in~ ({severity})\\n| where updated_at {time}\\n| extend CleanPathTitle = trim(\\\" \\\", replace_string(PathTitle, \\\"\\\\n\\\", \\\"\\\"))\\n| where CleanPathTitle in~ ({finding_type})\\n| extend \\n NonTierZeroPrincipalDistinguishedName = tostring(parse_json(NonTierZeroPrincipalProps).distinguishedname),\\n NonTierZeroPrincipalSAMAccountName = tostring(parse_json(NonTierZeroPrincipalProps).samaccountname),\\n NonTierZeroPrincipalLastLogon = todatetime(unixtime_seconds_todatetime(tolong(parse_json(NonTierZeroPrincipalProps).lastlogon))),\\n NonTierZeroPrincipalLastLogonTimestamp = todatetime(unixtime_seconds_todatetime(tolong(parse_json(NonTierZeroPrincipalProps).lastlogontimestamp))),\\n NonTierZeroPrincipalCreated = todatetime(unixtime_seconds_todatetime(tolong(parse_json(NonTierZeroPrincipalProps).whencreated))),\\n IsTierZero = case(\\n tostring(parse_json(ImpactedPrincipalProps).system_tags) contains \\\"admin_tier_0\\\", true,\\n false\\n )\\n| project \\n [\\\"Non Tier Zero Principal\\\"] = NonTierZeroPrincipalName,\\n [\\\"Non Tier Zero Principal Type\\\"] = 
NonTierZeroPrincipalKind,\\n [\\\"Impacted Principal\\\"] = ImpactedPrincipalName,\\n [\\\"Impacted Principal Type\\\"] = ImpactedPrincipalKind,\\n [\\\"Finding Type\\\"] = PathTitle,\\n [\\\"Finding Key\\\"] = Finding,\\n [\\\"Environment (domain)\\\"] = domain_name,\\n [\\\"Severity\\\"] = Severity,\\n [\\\"Impact %\\\"] = round(todouble(ImpactPercentage), 0),\\n [\\\"Impact Count\\\"] = toint(ImpactCount),\\n [\\\"Exposure %\\\"] = round(todouble(ExposurePercentage), 0),\\n [\\\"Exposure Count\\\"] = toint(ExposureCount),\\n [\\\"First Seen\\\"] = todatetime(created_at),\\n [\\\"Last Updated\\\"] = todatetime(updated_at),\\n [\\\"Impacted Distinguished Name\\\"] = NonTierZeroPrincipalDistinguishedName,\\n [\\\"SAM Account Name\\\"] = NonTierZeroPrincipalSAMAccountName,\\n [\\\"Impacted ObjectID\\\"] = ImpactedPrincipal\\n| order by [\\\"Last Updated\\\"] desc\\n\\n\\n\\n\\n\\n\",\"size\":0,\"title\":\"Principals\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"id\":\"8537bfa2-797b-4341-b7ec-d92db2901627\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsTimelineData_CL\\n| where isnotempty(domain_name)\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where created_at {time}\\n| extend CleanPathTitle = trim(\\\" \\\", replace_string(path_title, \\\"\\\\n\\\", \\\"\\\"))\\n| where CleanPathTitle in~ ({finding_type})\\n| extend event_day = format_datetime(todatetime(updated_at), \\\"yyyy-MM-dd\\\")\\n| summarize arg_max(updated_at, *) by event_day, tenant_url, domain_name, CleanPathTitle\\n| extend _time = todatetime(event_day)\\n| extend CompositeRisk = round(todouble(CompositeRisk), 2)\\n| summarize LatestCompositeRisk = max(CompositeRisk) by bin(_time, 1d)\\n| order by _time asc\\n\",\"size\":0,\"aggregation\":2,\"title\":\"Maximum Exposure 
Percentage\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false}},\"name\":\"query - 4\",\"id\":\"27480ded-ba27-4733-bf00-9157dd53c578\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsTimelineData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| extend CleanPathTitle = trim(\\\" \\\", replace_string(path_title, \\\"\\\\n\\\", \\\"\\\"))\\n| where created_at {time}\\n| where CleanPathTitle in~ ({finding_type})\\n| extend _time = todatetime(updated_at)\\n| where isnotnull(_time)\\n| summarize arg_max(TimeGenerated, *) by Finding, domain_name, tenant_url\\n| summarize SumFindingCount = sum(toint(FindingCount)) by bin(_time, 1d)\\n| order by _time asc\\n\",\"size\":0,\"title\":\"Total Number of Findings\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"name\":\"query - 6\",\"id\":\"02021bd8-8939-4b21-a9d1-f7dc4405cd4b\"}],\"fromTemplateId\":\"sentinel-BloodHoundEnterprise\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"f0dfd85a-6c9c-4dab-91d7-d67cb23b1fb2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"bhe_tenant\",\"label\":\"BHE Tenant\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAttackPathsData_CL\\n| where isnotempty(tenant_url)\\n| summarize arg_max(TimeGenerated, *) by tenant_url\\n| extend display_name = replace_string(tenant_url, @\\\"https://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"http://\\\", \\\"\\\")\\n| extend display_name = 
replace_string(display_name, @\\\"/\\\", \\\"\\\") \\n| project tenant_url, display_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"390213b5-e0d3-476c-99ca-89c76f417e7a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"domain_name\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAttackPathsData_CL\\n| where isnotempty(domain_name)\\n| where tenant_url in~ ({bhe_tenant})\\n| distinct domain_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"3d301840-15be-455d-bb48-d2ca8e3d4c2f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"finding_type\",\"label\":\"Attack Path Types\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAttackPathsData_CL \\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| extend CleanPathTitle = trim(\\\" \\\", replace_string(replace_string(PathTitle, \\\"\\\\n\\\", \\\"\\\"), \\\"\\\\'\\\", \\\"\\\"))\\n| distinct CleanPathTitle\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"9e7a3119-3a53-4df7-8878-d2b56a948732\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"severity\",\"label\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAttackPathsData_CL\\r\\n| where isnotempty(Severity)\\r\\n| where 
tenant_url in~ ({bhe_tenant})\\r\\n| where domain_name in~ ({domain_name})\\r\\n| distinct Severity\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"7e02e873-7550-447e-88aa-fc99dc923c14\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time\",\"label\":\"Time Range Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":604800000},\"key\":\"7e02e873-7550-447e-88aa-fc99dc923c14\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsData_CL\\n| summarize arg_max(TimeGenerated, *) by id, domain_name\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where Severity in~ ({severity})\\n| where updated_at {time}\\n| extend CleanPathTitle = trim(\\\" \\\", replace_string(PathTitle, \\\"\\\\n\\\", \\\"\\\"))\\n| where CleanPathTitle in~ ({finding_type})\\n| extend \\n NonTierZeroPrincipalDistinguishedName = tostring(parse_json(NonTierZeroPrincipalProps).distinguishedname),\\n NonTierZeroPrincipalSAMAccountName = tostring(parse_json(NonTierZeroPrincipalProps).samaccountname),\\n NonTierZeroPrincipalLastLogon = todatetime(unixtime_seconds_todatetime(tolong(parse_json(NonTierZeroPrincipalProps).lastlogon))),\\n 
NonTierZeroPrincipalLastLogonTimestamp = todatetime(unixtime_seconds_todatetime(tolong(parse_json(NonTierZeroPrincipalProps).lastlogontimestamp))),\\n NonTierZeroPrincipalCreated = todatetime(unixtime_seconds_todatetime(tolong(parse_json(NonTierZeroPrincipalProps).whencreated))),\\n IsTierZero = case(\\n tostring(parse_json(ImpactedPrincipalProps).system_tags) contains \\\"admin_tier_0\\\", true,\\n false\\n )\\n| project \\n [\\\"Non Tier Zero Principal\\\"] = NonTierZeroPrincipalName,\\n [\\\"Non Tier Zero Principal Type\\\"] = NonTierZeroPrincipalKind,\\n [\\\"Impacted Principal\\\"] = ImpactedPrincipalName,\\n [\\\"Impacted Principal Type\\\"] = ImpactedPrincipalKind,\\n [\\\"Finding Type\\\"] = PathTitle,\\n [\\\"Finding Key\\\"] = Finding,\\n [\\\"Environment (domain)\\\"] = domain_name,\\n [\\\"Severity\\\"] = Severity,\\n [\\\"Impact %\\\"] = round(todouble(ImpactPercentage), 0),\\n [\\\"Impact Count\\\"] = toint(ImpactCount),\\n [\\\"Exposure %\\\"] = round(todouble(ExposurePercentage), 0),\\n [\\\"Exposure Count\\\"] = toint(ExposureCount),\\n [\\\"First Seen\\\"] = todatetime(created_at),\\n [\\\"Last Updated\\\"] = todatetime(updated_at),\\n [\\\"Impacted Distinguished Name\\\"] = NonTierZeroPrincipalDistinguishedName,\\n [\\\"SAM Account Name\\\"] = NonTierZeroPrincipalSAMAccountName,\\n [\\\"Impacted ObjectID\\\"] = ImpactedPrincipal\\n| order by [\\\"Last Updated\\\"] desc\\n\\n\\n\\n\\n\\n\",\"size\":0,\"title\":\"Principals\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsTimelineData_CL\\n| where isnotempty(domain_name)\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where created_at {time}\\n| extend CleanPathTitle = trim(\\\" \\\", replace_string(path_title, \\\"\\\\n\\\", 
\\\"\\\"))\\n| where CleanPathTitle in~ ({finding_type})\\n| extend event_day = format_datetime(todatetime(updated_at), \\\"yyyy-MM-dd\\\")\\n| summarize arg_max(updated_at, *) by event_day, tenant_url, domain_name, CleanPathTitle\\n| extend _time = todatetime(event_day)\\n| extend CompositeRisk = round(todouble(CompositeRisk), 2)\\n| summarize LatestCompositeRisk = max(CompositeRisk) by bin(_time, 1d)\\n| order by _time asc\\n\",\"size\":0,\"aggregation\":2,\"title\":\"Maximum Exposure Percentage\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsTimelineData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| extend CleanPathTitle = trim(\\\" \\\", replace_string(path_title, \\\"\\\\n\\\", \\\"\\\"))\\n| where created_at {time}\\n| where CleanPathTitle in~ ({finding_type})\\n| extend _time = todatetime(updated_at)\\n| where isnotnull(_time)\\n| summarize arg_max(TimeGenerated, *) by Finding, domain_name, tenant_url\\n| summarize SumFindingCount = sum(toint(FindingCount)) by bin(_time, 1d)\\n| order by _time asc\\n\",\"size\":0,\"title\":\"Total Number of Findings\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"name\":\"query - 6\"}],\"fromTemplateId\":\"sentinel-BloodHoundEnterprise\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
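Review bot: The four drop-down parameter queries (`bhe_tenant`, `domain_name`, `finding_type`, `severity`) are now pinned to `"timeContext":{"durationMs":2592000000}` (30 days), while the `time` picker in the same parameter block still offers 60 and 90 days (`5184000000`, `7776000000`). Every panel filters with `tenant_url in~ ({bhe_tenant})` and `domain_name in~ ({domain_name})`, and no `selectAllValue` is set, so "All" presumably expands to the listed values only; a tenant or domain whose newest row is older than 30 days would then silently drop out of the longer views. Either widen the fixed window to the largest picker option, `"timeContext":{"durationMs":7776000000}`, or move the `time` parameter to the front of the array and keep `"timeContextFromParameter":"time"`. The same pinning appears in the workbook2 and workbook3 hunks. Separately, only the `finding_type` drop-down strips `'` from `PathTitle`; the Principals and timeline queries build `CleanPathTitle` without that `replace_string`, so a title containing an apostrophe can never match `CleanPathTitle in~ ({finding_type})`.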
@@ -963,7 +963,7 @@ }, "properties": { "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"6de26de7-0eec-4312-b568-9fbbaf5c7f71\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"bhe_tenant\",\"label\":\"BHE Tenant\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAttackPathsData_CL \\n| where isnotempty(tenant_url)\\n| summarize arg_max(TimeGenerated, *) by tenant_url\\n| extend display_name = replace_string(tenant_url, @\\\"https://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"http://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"/\\\", \\\"\\\") \\n| project tenant_url, display_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"key\":\"6de26de7-0eec-4312-b568-9fbbaf5c7f71\",\"timeContextFromParameter\":\"time\"},{\"id\":\"cb118fcd-4473-4470-ac89-28c6ea644d5d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"domain_name\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAttackPathsData_CL \\n| where isnotempty(domain_name)\\n| where tenant_url in~ ({bhe_tenant})\\n| distinct 
domain_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"key\":\"cb118fcd-4473-4470-ac89-28c6ea644d5d\",\"timeContextFromParameter\":\"time\"},{\"id\":\"9e7a3119-3a53-4df7-8878-d2b56a948732\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"severity\",\"label\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAttackPathsData_CL\\r\\n| where isnotempty(Severity)\\r\\n| where tenant_url in~ ({bhe_tenant})\\r\\n| where domain_name in~ ({domain_name})\\r\\n| distinct Severity\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"key\":\"9e7a3119-3a53-4df7-8878-d2b56a948732\",\"timeContextFromParameter\":\"time\"},{\"id\":\"dafad90f-2d00-41cd-9463-efbe87d3888f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time\",\"label\":\"Time Range Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":604800000},\"key\":\"dafad90f-2d00-41cd-9463-efbe87d3888f\"}],\"style\":\"pills\"},\"name\":\"parameters - 2\",\"id\":\"411d55f1-a1a9-401f-94e3-099311400cb5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where 
Severity in~ ({severity})\\n| where updated_at {time}\\n| summarize arg_max(TimeGenerated, *) by id, domain_name, tenant_url\\n| summarize TotalAttackPathsFindings = dcount(id) by DomainName = domain_name\\n| sort by TotalAttackPathsFindings desc\",\"size\":1,\"title\":\"Total Attack Paths Findings per Domain\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"DomainName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"TotalAttackPathsFindings\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 2\",\"id\":\"a2a75d1b-0822-4cbe-b834-8873bb80b72d\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where Severity in~ ({severity})\\n| where updated_at {time}\\n| summarize arg_max(TimeGenerated, *) by id, domain_name, tenant_url\\n| summarize Count = dcount(id) by Severity\\n| sort by Count desc\\n\",\"size\":0,\"title\":\"Severity Breakdown\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"name\":\"query - 5\",\"id\":\"98a3ac6b-a667-4950-af14-d83b28a75f65\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where Severity in~ ({severity})\\n| where updated_at {time}\\n| summarize arg_max(TimeGenerated, *) by id\\n| where isnotempty(NonTierZeroPrincipalName)\\n| summarize FindingsCount = count() by NonTierZeroPrincipalName, domain_name\\n| project-rename Environment = domain_name\\n| sort by FindingsCount desc\\n| take 
5\\n\",\"size\":1,\"aggregation\":2,\"title\":\"Top 5 Non-Tier Zero Principals Involved in Findings\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"chartSettings\":{\"xAxis\":\"FindingsCount\",\"yAxis\":[\"FindingsCount\"],\"showLegend\":true}},\"name\":\"query - 7\",\"id\":\"06ca7136-8db4-41a3-b09e-1cf692baa8eb\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where Severity in~ ({severity})\\n| where updated_at {time}\\n| summarize arg_max(TimeGenerated, *) by id, domain_name, tenant_url\\n| summarize Frequency = dcount(id) by Finding\\n| project-rename [\\\"Finding Key\\\"] = Finding\\n| sort by Frequency desc\\n| take 5\\n\",\"size\":1,\"title\":\"Top 5 Most Common Findings (Finding Keys)\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Frequency\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 9\",\"id\":\"39e36309-ece3-4752-8b4b-7999e64da85d\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where Severity in~ ({severity})\\n| where updated_at {time}\\n| partition by domain_name\\n(\\n summarize arg_max(TimeGenerated, *) by id, domain_name, tenant_url\\n| summarize Frequency = dcount(id) by domain_name, Finding\\n| sort by Frequency desc\\n| take 5\\n)\\n| sort by Frequency desc\",\"size\":0,\"title\":\"Top 5 Most Common Findings (Finding Keys) per 
Environment\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Frequency\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\"}}],\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"domain_name\"],\"expandTopLevel\":true},\"labelSettings\":[{\"columnId\":\"domain_name\",\"label\":\"Environment\"}]},\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 9 - Copy\",\"id\":\"36dd9f9d-913e-47da-a9c7-e43398bf5a0e\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where Severity in~ ({severity})\\n| where updated_at {time}\\n| summarize arg_max(TimeGenerated, *) by id, domain_name, tenant_url\\n| extend exposure_val = toreal(ExposurePercentage),\\n impact_val = toreal(ImpactPercentage)\\n| extend exposure_pct = iif(isnull(exposure_val), round(impact_val, 2), round(exposure_val, 2))\\n| extend impact_pct = round(impact_val, 2)\\n| summarize \\n ExposurePercent = max(exposure_pct),\\n ImpactPercent = max(impact_pct),\\n Count = count()\\n by Environment = domain_name, AttackPath = PathTitle, Severity\\n| project Environment, AttackPath, Severity, Count, ['Exposure (%)'] = ExposurePercent, ['Impact (%)'] = ImpactPercent\\n| sort by ['Exposure (%)'] desc\\n\",\"size\":0,\"title\":\"All Attack Paths List\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":500}},\"name\":\"query - 11\",\"id\":\"7b4a8d14-420a-4097-b2ae-a3c76f45fb1f\"}],\"fromTemplateId\":\"sentinel-BloodHoundEnterprise\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": 
"{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"6de26de7-0eec-4312-b568-9fbbaf5c7f71\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"bhe_tenant\",\"label\":\"BHE Tenant\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAttackPathsData_CL \\n| where isnotempty(tenant_url)\\n| summarize arg_max(TimeGenerated, *) by tenant_url\\n| extend display_name = replace_string(tenant_url, @\\\"https://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"http://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"/\\\", \\\"\\\") \\n| project tenant_url, display_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"cb118fcd-4473-4470-ac89-28c6ea644d5d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"domain_name\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAttackPathsData_CL \\n| where isnotempty(domain_name)\\n| where tenant_url in~ ({bhe_tenant})\\n| distinct domain_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9e7a3119-3a53-4df7-8878-d2b56a948732\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"severity\",\"label\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAttackPathsData_CL\\r\\n| where isnotempty(Severity)\\r\\n| where tenant_url in~ ({bhe_tenant})\\r\\n| where domain_name in~ ({domain_name})\\r\\n| distinct 
Severity\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"dafad90f-2d00-41cd-9463-efbe87d3888f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time\",\"label\":\"Time Range Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":604800000},\"key\":\"dafad90f-2d00-41cd-9463-efbe87d3888f\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where Severity in~ ({severity})\\n| where updated_at {time}\\n| summarize arg_max(TimeGenerated, *) by id, domain_name, tenant_url\\n| summarize TotalAttackPathsFindings = dcount(id) by DomainName = domain_name\\n| sort by TotalAttackPathsFindings desc\",\"size\":1,\"title\":\"Total Attack Paths Findings per 
Domain\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"DomainName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"TotalAttackPathsFindings\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where Severity in~ ({severity})\\n| where updated_at {time}\\n| summarize arg_max(TimeGenerated, *) by id, domain_name, tenant_url\\n| summarize Count = dcount(id) by Severity\\n| sort by Count desc\\n\",\"size\":0,\"title\":\"Severity Breakdown\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where Severity in~ ({severity})\\n| where updated_at {time}\\n| summarize arg_max(TimeGenerated, *) by id\\n| where isnotempty(NonTierZeroPrincipalName)\\n| summarize FindingsCount = count() by NonTierZeroPrincipalName, domain_name\\n| project-rename Environment = domain_name\\n| sort by FindingsCount desc\\n| take 5\\n\",\"size\":1,\"aggregation\":2,\"title\":\"Top 5 Non-Tier Zero Principals Involved in Findings\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"chartSettings\":{\"xAxis\":\"FindingsCount\",\"yAxis\":[\"FindingsCount\"],\"showLegend\":true}},\"name\":\"query - 
7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where Severity in~ ({severity})\\n| where updated_at {time}\\n| summarize arg_max(TimeGenerated, *) by id, domain_name, tenant_url\\n| summarize Frequency = dcount(id) by Finding\\n| project-rename [\\\"Finding Key\\\"] = Finding\\n| sort by Frequency desc\\n| take 5\\n\",\"size\":1,\"title\":\"Top 5 Most Common Findings (Finding Keys)\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Frequency\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where Severity in~ ({severity})\\n| where updated_at {time}\\n| partition by domain_name\\n(\\n summarize arg_max(TimeGenerated, *) by id, domain_name, tenant_url\\n| summarize Frequency = dcount(id) by domain_name, Finding\\n| sort by Frequency desc\\n| take 5\\n)\\n| sort by Frequency desc\",\"size\":0,\"title\":\"Top 5 Most Common Findings (Finding Keys) per Environment\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Frequency\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\"}}],\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"domain_name\"],\"expandTopLevel\":true},\"labelSettings\":[{\"columnId\":\"domain_name\",\"label\":\"Environment\"}]},\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 9 - 
Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAttackPathsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where Severity in~ ({severity})\\n| where updated_at {time}\\n| summarize arg_max(TimeGenerated, *) by id, domain_name, tenant_url\\n| extend exposure_val = toreal(ExposurePercentage),\\n impact_val = toreal(ImpactPercentage)\\n| extend exposure_pct = iif(isnull(exposure_val), round(impact_val, 2), round(exposure_val, 2))\\n| extend impact_pct = round(impact_val, 2)\\n| summarize \\n ExposurePercent = max(exposure_pct),\\n ImpactPercent = max(impact_pct),\\n Count = count()\\n by Environment = domain_name, AttackPath = PathTitle, Severity\\n| project Environment, AttackPath, Severity, Count, ['Exposure (%)'] = ExposurePercent, ['Impact (%)'] = ImpactPercent\\n| sort by ['Exposure (%)'] desc\\n\",\"size\":0,\"title\":\"All Attack Paths List\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":500}},\"name\":\"query - 11\"}],\"fromTemplateId\":\"sentinel-BloodHoundEnterprise\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
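Review bot: The "Top 5 Non-Tier Zero Principals Involved in Findings" query de-duplicates with `summarize arg_max(TimeGenerated, *) by id`, whereas every other panel in this workbook uses `by id, domain_name, tenant_url`. Since `bhe_tenant` is multi-select, findings from different tenants that happen to share an `id` would collapse into one row here, and the top-5 counts would disagree with the neighbouring panels. Whether ids can collide across tenants is not visible from this page, so that needs confirming. Aligning the key, `| summarize arg_max(TimeGenerated, *) by id, domain_name, tenant_url`, keeps the panels consistent either way.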
@@ -1051,7 +1051,7 @@ }, "properties": { "displayName": "[parameters('workbook3-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b8d3205b-b903-4db7-8c7a-f82bacd94242\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"bhe_tenant\",\"label\":\"BHE Tenant\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAuditLogsData_CL\\n| where isnotempty(tenant_url)\\n| summarize arg_max(TimeGenerated, *) by tenant_url\\n| extend display_name = replace_string(tenant_url, @\\\"https://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"http://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"/\\\", \\\"\\\") \\n| project tenant_url, display_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"key\":\"b8d3205b-b903-4db7-8c7a-f82bacd94242\",\"timeContextFromParameter\":\"time\"},{\"id\":\"752a2195-64fc-402e-b80f-c7c4fb9b49bd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"event_type\",\"label\":\"Event Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAuditLogsData_CL\\n| where isnotempty(action)\\n| where tenant_url in~ ({bhe_tenant})\\n| distinct action\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"key\":\"752a2195-64fc-402e-b80f-c7c4fb9b49bd\",\"timeContextFromParameter\":\"time\"},{\"id\":\"5de91703-b999-47c1-98e3-648bb4724abf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"actor_name\",\"label\":\"Actor 
name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAuditLogsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where action in~ ({event_type})\\n| distinct actor_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"key\":\"5de91703-b999-47c1-98e3-648bb4724abf\",\"timeContextFromParameter\":\"time\"},{\"id\":\"705413e9-2968-4485-975f-a782991db8df\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time\",\"label\":\"Time Range Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":604800000},\"key\":\"705413e9-2968-4485-975f-a782991db8df\"}],\"style\":\"pills\"},\"name\":\"parameters - 2\",\"id\":\"a3898d6c-4920-4197-96ae-c00c3a6642ef\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAuditLogsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where action in~ ({event_type})\\n| where actor_name in~ ({actor_name})\\n| where created_at {time}\\n| summarize arg_max(created_at, *) by created_at\\n| project-away _ResourceId, created_at1\\n| order by TimeGenerated desc\\n| project [\\\"Created At\\\"] = created_at, \\n [\\\"Ingestion Time\\\"] = IngestionTime,\\n Id = id,\\n [\\\"Actor Id\\\"] = actor_id,\\n [\\\"Actor Name\\\"] = actor_name,\\n [\\\"Action\\\"] = action,\\n [\\\"Fields\\\"] = fields,\\n [\\\"Request Id\\\"] = request_id,\\n [\\\"Source IP Address\\\"] = source_ip_address,\\n 
[\\\"Status\\\"] = status,\\n [\\\"Commit Id\\\"] = commit_id,\\n [\\\"Tenant URL\\\"] = tenant_url,\\n [\\\"Tenant ID\\\"] = TenantId,\\n [\\\"Type\\\"] = Type\\n\\n\\n\\n\\n\",\"size\":3,\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"name\":\"query - 2\",\"id\":\"1f14cdc2-d692-4f28-ba58-7e920cfd104b\"}],\"isLocked\":false,\"fromTemplateId\":\"sentinel-BloodHoundEnterprise\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b8d3205b-b903-4db7-8c7a-f82bacd94242\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"bhe_tenant\",\"label\":\"BHE Tenant\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAuditLogsData_CL\\n| where isnotempty(tenant_url)\\n| summarize arg_max(TimeGenerated, *) by tenant_url\\n| extend display_name = replace_string(tenant_url, @\\\"https://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"http://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"/\\\", \\\"\\\") \\n| project tenant_url, display_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"752a2195-64fc-402e-b80f-c7c4fb9b49bd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"event_type\",\"label\":\"Event Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAuditLogsData_CL\\n| where isnotempty(action)\\n| where tenant_url in~ ({bhe_tenant})\\n| distinct 
action\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"5de91703-b999-47c1-98e3-648bb4724abf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"actor_name\",\"label\":\"Actor name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEAuditLogsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where action in~ ({event_type})\\n| distinct actor_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"705413e9-2968-4485-975f-a782991db8df\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time\",\"label\":\"Time Range Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":604800000},\"key\":\"705413e9-2968-4485-975f-a782991db8df\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEAuditLogsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where action in~ ({event_type})\\n| where actor_name in~ ({actor_name})\\n| where created_at {time}\\n| summarize arg_max(created_at, *) by created_at\\n| project-away _ResourceId, created_at1\\n| 
order by TimeGenerated desc\\n| project [\\\"Created At\\\"] = created_at, \\n [\\\"Ingestion Time\\\"] = IngestionTime,\\n Id = id,\\n [\\\"Actor Id\\\"] = actor_id,\\n [\\\"Actor Name\\\"] = actor_name,\\n [\\\"Action\\\"] = action,\\n [\\\"Fields\\\"] = fields,\\n [\\\"Request Id\\\"] = request_id,\\n [\\\"Source IP Address\\\"] = source_ip_address,\\n [\\\"Status\\\"] = status,\\n [\\\"Commit Id\\\"] = commit_id,\\n [\\\"Tenant URL\\\"] = tenant_url,\\n [\\\"Tenant ID\\\"] = TenantId,\\n [\\\"Type\\\"] = Type\\n\\n\\n\\n\\n\",\"size\":3,\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 2\"}],\"fromTemplateId\":\"sentinel-BloodHoundEnterprise\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
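Review bot: The `bhe_tenant`, `event_type` and `actor_name` dropdowns now run with a fixed `\"timeContext\":{\"durationMs\":2592000000}` (30 days), while the `time` picker in the same workbook still offers 60- and 90-day ranges and the grid still follows it through `timeContextFromParameter`. If "All" expands to the values the dropdown query returned (worth confirming against Workbooks behaviour), audit events for a tenant, action or actor last seen more than 30 days ago would be filtered out of the grid even when a longer range is selected, which is a gap for audit-log review. Keeping `\"timeContextFromParameter\":\"time\"` on these three parameters, as the removed side had, avoids it. The parameter blocks in the @@ -1139 and @@ -1227 hunks get the same 30-day window while their grids stay at `\"durationMs\":604800000`, so those dropdowns can offer values that return no rows.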
@@ -1139,7 +1139,7 @@ }, "properties": { "displayName": "[parameters('workbook4-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"87db674f-0507-4481-a57b-0bf202e968b2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"bhe_tenant\",\"label\":\"BHE Tenant\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHETierZeroAssetsData_CL \\n| where isnotempty(tenant_url)\\n| summarize arg_max(TimeGenerated, *) by tenant_url\\n| extend display_name = replace_string(tenant_url, @\\\"https://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"http://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"/\\\", \\\"\\\") \\n| project tenant_url, display_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"key\":\"87db674f-0507-4481-a57b-0bf202e968b2\"},{\"id\":\"a4cadb58-5551-4279-9a60-3b4e46b3ddf9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"domain_name\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHETierZeroAssetsData_CL \\n| where isnotempty(domain_name)\\n| where tenant_url in~ ({bhe_tenant})\\n| distinct 
domain_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"key\":\"a4cadb58-5551-4279-9a60-3b4e46b3ddf9\"},{\"id\":\"98c37fb8-534d-4661-b8cf-2ce60a74b67a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"kind_type\",\"label\":\"Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHETierZeroAssetsData_CL \\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where isnotempty(kindType)\\n| distinct kindType\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"key\":\"98c37fb8-534d-4661-b8cf-2ce60a74b67a\"}],\"style\":\"pills\"},\"name\":\"parameters - 2\",\"id\":\"070dd276-740f-4feb-939f-3a03b1a19679\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHETierZeroAssetsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where kindType in~ ({kind_type})\\n| summarize arg_max(TimeGenerated, *) by objectId, owner_objectid\\n| project Name = name,\\n Environment = domain_name,\\n Type = kindType,\\n [\\\"Object Id\\\"] = objectId\",\"size\":0,\"title\":\"Tier Zero Asset List\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"id\":\"45e1e2fb-b6e1-44f8-b2dd-695e2b11258a\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\nBHETierZeroAssetsData_CL\\n| where tenant_url in~ ({bhe_tenant}) \\n| where domain_name in~ 
({domain_name})\\n| where kindType in~ ({kind_type})\\n| where isnotempty(objectId)\\n| extend domain_name = toupper(domain_name)\\n| summarize arg_max(TimeGenerated, *) by objectId // dedup objectid, keep latest\\n| summarize Count = count() by kindType, domain_name, tenant_url\\n| project [\\\"kind\\\"] = kindType, domain_name, Count, tenant_url\\n| order by Count desc\\n\\n\",\"size\":0,\"title\":\"Tier Zero Asset Distribution\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"kind\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"kind\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"rightContent\":{\"columnMatch\":\"domain_name\"},\"bottomContent\":{\"columnMatch\":\"tenant_url\"},\"nodeIdField\":\"kind\",\"sourceIdField\":\"domain_name\",\"targetIdField\":\"Count\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"staticNodeSize\":100,\"hivesMargin\":5},\"chartSettings\":{\"xAxis\":\"domain_name\",\"group\":\"kind\",\"showLegend\":true,\"xSettings\":{\"label\":\"Kind Type\"},\"ySettings\":{\"label\":\"Count\"}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 
4\",\"id\":\"1768910c-ab25-4c1d-bb79-51167f9efd1b\"}],\"fromTemplateId\":\"sentinel-BloodHoundEnterprise\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"87db674f-0507-4481-a57b-0bf202e968b2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"bhe_tenant\",\"label\":\"BHE Tenant\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHETierZeroAssetsData_CL \\n| where isnotempty(tenant_url)\\n| summarize arg_max(TimeGenerated, *) by tenant_url\\n| extend display_name = replace_string(tenant_url, @\\\"https://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"http://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"/\\\", \\\"\\\") \\n| project tenant_url, display_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a4cadb58-5551-4279-9a60-3b4e46b3ddf9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"domain_name\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHETierZeroAssetsData_CL \\n| where isnotempty(domain_name)\\n| where tenant_url in~ ({bhe_tenant})\\n| distinct 
domain_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"98c37fb8-534d-4661-b8cf-2ce60a74b67a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"kind_type\",\"label\":\"Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHETierZeroAssetsData_CL \\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where isnotempty(kindType)\\n| distinct kindType\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHETierZeroAssetsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where kindType in~ ({kind_type})\\n| summarize arg_max(TimeGenerated, *) by objectId, owner_objectid\\n| project Name = name,\\n Environment = domain_name,\\n Type = kindType,\\n [\\\"Object Id\\\"] = objectId\",\"size\":0,\"title\":\"Tier Zero Asset List\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\nBHETierZeroAssetsData_CL\\n| where tenant_url in~ ({bhe_tenant}) \\n| where domain_name in~ ({domain_name})\\n| where kindType in~ ({kind_type})\\n| where isnotempty(objectId)\\n| extend domain_name = toupper(domain_name)\\n| summarize arg_max(TimeGenerated, *) by objectId // 
dedup objectid, keep latest\\n| summarize Count = count() by kindType, domain_name, tenant_url\\n| project [\\\"kind\\\"] = kindType, domain_name, Count, tenant_url\\n| order by Count desc\\n\\n\",\"size\":0,\"title\":\"Tier Zero Asset Distribution\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"kind\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"kind\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"rightContent\":{\"columnMatch\":\"domain_name\"},\"bottomContent\":{\"columnMatch\":\"tenant_url\"},\"nodeIdField\":\"kind\",\"sourceIdField\":\"domain_name\",\"targetIdField\":\"Count\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"staticNodeSize\":100,\"hivesMargin\":5},\"chartSettings\":{\"xAxis\":\"domain_name\",\"group\":\"kind\",\"showLegend\":true,\"xSettings\":{\"label\":\"Kind Type\"},\"ySettings\":{\"label\":\"Count\"}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 4\"}],\"fromTemplateId\":\"sentinel-BloodHoundEnterprise\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
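Review bot: The two grids in this workbook de-duplicate on different keys: "Tier Zero Asset List" uses `summarize arg_max(TimeGenerated, *) by objectId, owner_objectid`, while "Tier Zero Asset Distribution" uses `summarize arg_max(TimeGenerated, *) by objectId`. An object reported with more than one `owner_objectid` would presumably be listed several times but counted once in the chart, so the two views of the Tier Zero inventory can disagree. Both queries are carried over unchanged by this commit. If one row per asset is intended, the list query should also group `by objectId`; otherwise a short `//` comment in the list query, like the existing `// dedup objectid, keep latest`, should say why the owner is part of the key.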
@@ -1227,7 +1227,7 @@ }, "properties": { "displayName": "[parameters('workbook5-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b5affbc4-b123-4844-bab6-a352911dcd05\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"bhe_tenant\",\"label\":\"BHE Tenant\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEFindingTrendsData_CL \\n| where isnotempty(tenant_url)\\n| summarize arg_max(TimeGenerated, *) by tenant_url\\n| extend display_name = replace_string(tenant_url, @\\\"https://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"http://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"/\\\", \\\"\\\") \\n| project tenant_url, display_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"key\":\"b5affbc4-b123-4844-bab6-a352911dcd05\"},{\"id\":\"511679f9-e193-414d-9d06-c778e0372a69\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"domain_name\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEFindingTrendsData_CL\\n| where isnotempty(domain_name)\\n| where tenant_url in~ ({bhe_tenant})\\n| distinct domain_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"key\":\"511679f9-e193-414d-9d06-c778e0372a69\"},{\"id\":\"56999a28-3611-436b-8b96-98bd48de863a\",\"key\":\"56999a28-3611-436b-8b96-98bd48de863a\",\"name\":\"category\",\"label\":\"Finding 
Category\",\"value\":[\"value::all\"],\"type\":2,\"isRequired\":true,\"version\":\"\",\"multiSelect\":true,\"queryType\":0,\"query\":\"BHEFindingTrendsData_CL\\r\\n| where isnotempty(domain_name)\\r\\n| where tenant_url in~ ({bhe_tenant})\\r\\n| where domain_name in~ ({domain_name})\\r\\n| where period == \\\"{period}\\\"\\r\\n| extend display_type = replace_string(display_type, \\\" Attack Paths\\\", \\\"\\\")\\r\\n| distinct display_type\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\"},\"timeContext\":{\"durationMs\":604800000},\"defaultValue\":\"value::all\",\"quote\":\"'\",\"delimiter\":\",\"},{\"id\":\"bfad7f56-9fd7-4cc1-9386-5be8422b9eeb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"period\",\"label\":\"Time Period\",\"type\":2,\"isRequired\":true,\"query\":\"BHEFindingTrendsData_CL\\r\\n| where tenant_url in~ ({bhe_tenant})\\r\\n| where domain_name in~ ({domain_name})\\r\\n| distinct period\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::1\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"defaultValue\":\"value::1\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"key\":\"bfad7f56-9fd7-4cc1-9386-5be8422b9eeb\",\"value\":\"value::1\"}],\"style\":\"pills\",\"title\":\"\"},\"name\":\"parameters - 2\",\"id\":\"e49a6a11-fecf-4e83-9833-3a152812fbe8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEFindingTrendsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where period == \\\"{period}\\\"\\n| extend display_type = replace_string(display_type, \\\" Attack Paths\\\", \\\"\\\")\\n| summarize arg_max(TimeGenerated, *) by display_title, finding\\n| where display_type in~ ({category})\\n| extend count = finding_count_end\\n| extend change = finding_count_increase - finding_count_decrease\\n| project \\n [\\\"Name\\\"] = display_title,\\n [\\\"Finding Category\\\"] = display_type,\\n 
[\\\"Count\\\"] = count,\\n [\\\"Initial Findings\\\"] = finding_count_start,\\n [\\\"New Findings\\\"] = finding_count_increase,\\n [\\\"Resolved Findings\\\"] = finding_count_decrease,\\n [\\\"Change\\\"] = change,\\n [\\\"Period\\\"] = period\\n\\n\\n\",\"size\":0,\"title\":\"Attack Path Trends\",\"noDataMessageStyle\":2,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0},\"chartSettings\":{\"createOtherGroup\":20,\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"TotalImpactCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"TotalImpactCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"TotalImpactCount\",\"heatmapPalette\":\"greenRed\"}},\"timeContext\":{\"durationMs\":604800000}},\"name\":\"query - 3 - Copy\",\"id\":\"e56e8666-1f73-4ca4-8237-49a077fd32b0\"}],\"fromTemplateId\":\"sentinel-BloodHoundEnterprise\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b5affbc4-b123-4844-bab6-a352911dcd05\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"bhe_tenant\",\"label\":\"BHE Tenant\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEFindingTrendsData_CL \\n| where isnotempty(tenant_url)\\n| summarize arg_max(TimeGenerated, *) by tenant_url\\n| extend display_name = replace_string(tenant_url, @\\\"https://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"http://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"/\\\", \\\"\\\") \\n| project tenant_url, 
display_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"511679f9-e193-414d-9d06-c778e0372a69\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"domain_name\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEFindingTrendsData_CL\\n| where isnotempty(domain_name)\\n| where tenant_url in~ ({bhe_tenant})\\n| distinct domain_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bfad7f56-9fd7-4cc1-9386-5be8422b9eeb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"period\",\"label\":\"Time Period\",\"type\":2,\"isRequired\":true,\"query\":\"BHEFindingTrendsData_CL\\r\\n| where tenant_url in~ ({bhe_tenant})\\r\\n| where domain_name in~ ({domain_name})\\r\\n| distinct period\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::1\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::1\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"key\":\"bfad7f56-9fd7-4cc1-9386-5be8422b9eeb\"},{\"id\":\"56999a28-3611-436b-8b96-98bd48de863a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"category\",\"label\":\"Finding Category\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEFindingTrendsData_CL\\r\\n| where isnotempty(domain_name)\\r\\n| where tenant_url in~ ({bhe_tenant})\\r\\n| where domain_name in~ ({domain_name})\\r\\n| where period == \\\"{period}\\\"\\r\\n| extend display_type = replace_string(display_type, \\\" Attack Paths\\\", \\\"\\\")\\r\\n| 
distinct display_type\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEFindingTrendsData_CL\\n| where tenant_url in~ ({bhe_tenant})\\n| where domain_name in~ ({domain_name})\\n| where period == \\\"{period}\\\"\\n| extend display_type = replace_string(display_type, \\\" Attack Paths\\\", \\\"\\\")\\n| summarize arg_max(TimeGenerated, *) by display_title, finding\\n| where display_type in~ ({category})\\n| extend count = finding_count_end\\n| extend change = finding_count_increase - finding_count_decrease\\n| project \\n [\\\"Name\\\"] = display_title,\\n [\\\"Finding Category\\\"] = display_type,\\n [\\\"Count\\\"] = count,\\n [\\\"Initial Findings\\\"] = finding_count_start,\\n [\\\"New Findings\\\"] = finding_count_increase,\\n [\\\"Resolved Findings\\\"] = finding_count_decrease,\\n [\\\"Change\\\"] = change,\\n [\\\"Period\\\"] = period\\n\\n\\n\",\"size\":0,\"title\":\"Attack Path Trends\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0},\"chartSettings\":{\"createOtherGroup\":20,\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"TotalImpactCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"TotalImpactCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"TotalImpactCount\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 3 - 
Copy\"}],\"fromTemplateId\":\"sentinel-BloodHoundEnterprise\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -1315,7 +1315,7 @@ }, "properties": { "displayName": "[parameters('workbook6-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4422263-5b38-4e1b-96bf-010956675fe7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"bhe_tenant\",\"label\":\"BHE Tenant\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEPostureHistoryData_CL\\n| where isnotempty(tenant_url)\\n| summarize arg_max(TimeGenerated, *) by tenant_url\\n| extend display_name = replace_string(tenant_url, @\\\"https://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"http://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"/\\\", \\\"\\\") \\n| project tenant_url, display_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"key\":\"a4422263-5b38-4e1b-96bf-010956675fe7\",\"timeContextFromParameter\":\"time\"},{\"id\":\"627c2e6a-326c-479e-a0aa-9a5c0354c719\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"domain_name\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEPostureHistoryData_CL\\n| where isnotempty(domain_name)\\n| where tenant_url in~ ({bhe_tenant})\\n| distinct domain_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"key\":\"627c2e6a-326c-479e-a0aa-9a5c0354c719\",\"timeContextFromParameter\":\"time\"},{\"id\":\"2318e21e-11ac-4959-8c09-8e2f0cce91c7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time\",\"label\":\"Time Range 
Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":604800000},\"key\":\"2318e21e-11ac-4959-8c09-8e2f0cce91c7\"}],\"style\":\"pills\"},\"name\":\"parameters - 2\",\"id\":\"99f208c9-917d-4b7e-ac81-a3a6cb561707\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEPostureHistoryData_CL\\n| where data_type == \\\"exposure\\\"\\n| where domain_name in~ ({domain_name}) and tenant_url in~ ({bhe_tenant})\\n| where metric_date {time}\\n| extend metric_ts = todatetime(metric_date)\\n| summarize avg_exposure = avg(todouble(value)) by bin(metric_ts, 1d), domain_name, tenant_url\\n| extend avg_exposure = round(avg_exposure, 3) * 100\\n| order by metric_ts asc\\n\",\"size\":0,\"title\":\"Exposure Percentage\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 3\",\"id\":\"85e6b990-8ee4-4ce2-9e97-a9b9958cafb5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEPostureHistoryData_CL\\n| where data_type == \\\"findings\\\"\\n| where domain_name in~ ({domain_name}) and tenant_url in~ ({bhe_tenant})\\n| where metric_date {time}\\n| extend metric_ts = todatetime(metric_date)\\n| summarize avg_findings = avg(todouble(value)) by bin(metric_ts, 1d), domain_name, tenant_url\\n| extend avg_findings = round(avg_findings, 3)\\n| order by metric_ts asc\\n\",\"size\":0,\"aggregation\":2,\"title\":\"Findings Trend Over 
Time\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showLegend\":true,\"group\":\"domain_name\"}},\"name\":\"Findings Trend Over Time\",\"id\":\"2b821f70-01e3-4962-be20-860c50905ab8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEPostureHistoryData_CL\\r\\n| where data_type == \\\"attack-paths\\\"\\r\\n| where domain_name in~ ({domain_name}) and tenant_url in~ ({bhe_tenant})\\r\\n| where metric_date {time}\\r\\n| extend metric_ts = todatetime(metric_date)\\r\\n| summarize avg_findings = avg(todouble(value)) by bin(metric_ts, 1d), domain_name, tenant_url\\r\\n| extend avg_findings = round(avg_findings, 3)\\r\\n| order by metric_ts asc\\r\\n\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"title\":\"Total Attack Paths\",\"timeContextFromParameter\":\"time\"},\"name\":\"query - 4\",\"id\":\"2a11a65c-1e6a-46b3-918a-84748f809ff0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEPostureHistoryData_CL\\n| where data_type == \\\"assets\\\"\\n| where domain_name in~ ({domain_name}) and tenant_url in~ ({bhe_tenant})\\n| where metric_date {time}\\n| extend metric_ts = todatetime(metric_date)\\n| summarize avg_assets = avg(todouble(value)) by bin(metric_ts, 1d), domain_name, tenant_url\\n| extend avg_assets = round(avg_assets, 3)\\n| order by metric_ts asc\\n\",\"size\":0,\"aggregation\":2,\"title\":\"Assets Trend Over Time\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 
4\",\"id\":\"94d835c2-c01c-4473-bc85-9e2de3d5d58e\"}],\"fromTemplateId\":\"sentinel-BloodHoundEnterprise\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4422263-5b38-4e1b-96bf-010956675fe7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"bhe_tenant\",\"label\":\"BHE Tenant\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEPostureHistoryData_CL\\n| where isnotempty(tenant_url)\\n| summarize arg_max(TimeGenerated, *) by tenant_url\\n| extend display_name = replace_string(tenant_url, @\\\"https://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"http://\\\", \\\"\\\")\\n| extend display_name = replace_string(display_name, @\\\"/\\\", \\\"\\\") \\n| project tenant_url, display_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"627c2e6a-326c-479e-a0aa-9a5c0354c719\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"domain_name\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BHEPostureHistoryData_CL\\n| where isnotempty(domain_name)\\n| where tenant_url in~ ({bhe_tenant})\\n| distinct domain_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2318e21e-11ac-4959-8c09-8e2f0cce91c7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time\",\"label\":\"Time Range 
Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":604800000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEPostureHistoryData_CL\\n| where data_type == \\\"exposure\\\"\\n| where domain_name in~ ({domain_name}) and tenant_url in~ ({bhe_tenant})\\n| where metric_date {time}\\n| extend metric_ts = todatetime(metric_date)\\n| summarize avg_exposure = avg(todouble(value)) by bin(metric_ts, 1d), domain_name, tenant_url\\n| extend avg_exposure = round(avg_exposure, 3) * 100\\n| order by metric_ts asc\\n\",\"size\":0,\"title\":\"Exposure Percentage\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEPostureHistoryData_CL\\n| where data_type == \\\"findings\\\"\\n| where domain_name in~ ({domain_name}) and tenant_url in~ ({bhe_tenant})\\n| where metric_date {time}\\n| extend metric_ts = todatetime(metric_date)\\n| summarize avg_findings = avg(todouble(value)) by bin(metric_ts, 1d), domain_name, tenant_url\\n| extend avg_findings = round(avg_findings, 3)\\n| order by metric_ts asc\\n\",\"size\":0,\"aggregation\":2,\"title\":\"Findings Trend Over 
Time\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showLegend\":true,\"group\":\"domain_name\"}},\"name\":\"Findings Trend Over Time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEPostureHistoryData_CL\\r\\n| where data_type == \\\"attack-paths\\\"\\r\\n| where domain_name in~ ({domain_name}) and tenant_url in~ ({bhe_tenant})\\r\\n| where metric_date {time}\\r\\n| extend metric_ts = todatetime(metric_date)\\r\\n| summarize avg_findings = avg(todouble(value)) by bin(metric_ts, 1d), domain_name, tenant_url\\r\\n| extend avg_findings = round(avg_findings, 3)\\r\\n| order by metric_ts asc\\r\\n\",\"size\":0,\"title\":\"Total Attack Paths\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BHEPostureHistoryData_CL\\n| where data_type == \\\"assets\\\"\\n| where domain_name in~ ({domain_name}) and tenant_url in~ ({bhe_tenant})\\n| where metric_date {time}\\n| extend metric_ts = todatetime(metric_date)\\n| summarize avg_assets = avg(todouble(value)) by bin(metric_ts, 1d), domain_name, tenant_url\\n| extend avg_assets = round(avg_assets, 3)\\n| order by metric_ts asc\\n\",\"size\":0,\"aggregation\":2,\"title\":\"Assets Trend Over Time\",\"timeContextFromParameter\":\"time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 4\"}],\"fromTemplateId\":\"sentinel-BloodHoundEnterprise\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
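Review bot: The `bhe_tenant` and `domain_name` parameter queries on the added `serializedData` line now run over a fixed 30-day window, `\"timeContext\":{\"durationMs\":2592000000}`, where the removed line used `\"timeContextFromParameter\":\"time\"`. The `time` picker in the same parameter group still offers 5184000000 and 7776000000 ms (60 and 90 days). Every chart filters with `tenant_url in~ ({bhe_tenant})` and `domain_name in~ ({domain_name})`, so a tenant or environment with no `BHEPostureHistoryData_CL` rows in the last 30 days would presumably drop out of the pickers, and with them out of the longer-range posture charts, with nothing on screen to show it. If the fixed window was introduced because `time` is declared after the two parameters that referenced it, moving `time` to the front of the list and keeping `\"timeContextFromParameter\":\"time\"` would avoid the gap. Otherwise the fixed window should cover the largest selectable range, `\"timeContext\":{\"durationMs\":7776000000}`. This file looks like packaged output, so the change likely belongs in the workbook source it is built from.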
@@ -1413,21 +1413,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -1515,21 +1515,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -1617,21 +1617,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -1719,21 +1719,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -1821,21 +1821,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -1923,21 +1923,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -2025,21 +2025,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -2127,21 +2127,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -2229,21 +2229,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -2331,21 +2331,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -2433,21 +2433,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -2535,21 +2535,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -2637,21 +2637,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -2739,21 +2739,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -2841,21 +2841,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -2943,21 +2943,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -3045,21 +3045,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -3147,21 +3147,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -3249,21 +3249,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -3351,21 +3351,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -3453,21 +3453,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -3555,21 +3555,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -3657,21 +3657,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -3759,21 +3759,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -3861,21 +3861,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -3963,21 +3963,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -4065,21 +4065,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -4167,21 +4167,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -4269,21 +4269,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -4371,21 +4371,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -4473,21 +4473,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -4575,21 +4575,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -4677,21 +4677,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -4779,21 +4779,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -4881,21 +4881,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -4983,21 +4983,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -5085,21 +5085,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -5187,21 +5187,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -5289,21 +5289,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -5391,21 +5391,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -5493,21 +5493,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -5595,21 +5595,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -5697,21 +5697,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -5799,21 +5799,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -5901,21 +5901,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -6003,21 +6003,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -6105,21 +6105,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -6207,21 +6207,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -6309,21 +6309,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -6411,21 +6411,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -6513,21 +6513,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -6615,21 +6615,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -6717,21 +6717,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -6819,21 +6819,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -6921,21 +6921,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -7023,21 +7023,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -7125,21 +7125,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -7227,21 +7227,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -7329,21 +7329,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -7431,21 +7431,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -7533,21 +7533,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -7635,21 +7635,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -7737,21 +7737,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -7839,21 +7839,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -7941,21 +7941,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -8043,21 +8043,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -8145,21 +8145,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -8247,21 +8247,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -8349,21 +8349,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -8451,21 +8451,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -8553,21 +8553,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -8655,21 +8655,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -8757,21 +8757,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -8859,21 +8859,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -8961,21 +8961,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -9063,21 +9063,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -9165,21 +9165,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -9267,21 +9267,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -9369,21 +9369,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -9471,21 +9471,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -9573,21 +9573,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -9675,21 +9675,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -9777,21 +9777,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -9879,21 +9879,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -9981,21 +9981,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -10083,21 +10083,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -10185,21 +10185,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -10287,21 +10287,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -10389,21 +10389,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -10491,21 +10491,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -10593,21 +10593,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -10695,21 +10695,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -10797,21 +10797,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -10899,21 +10899,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -11001,21 +11001,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -11103,21 +11103,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -11205,21 +11205,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -11307,21 +11307,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -11409,21 +11409,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -11511,21 +11511,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { 
@@ -11613,21 +11613,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { @@ -11715,21 +11715,21 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "BloodHoundEnterprise", "dataTypes": [ "BHEAttackPathsData_CL" - ] + ], + "connectorId": "BloodHoundEnterprise" } ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "domain_name" } - ] + ], + "entityType": "URL" } ], "customDetails": { diff --git a/Solutions/BloodHound Enterprise/ReleaseNotes.md b/Solutions/BloodHound Enterprise/ReleaseNotes.md index 431799dd1bb..c006efff91e 100644 --- a/Solutions/BloodHound Enterprise/ReleaseNotes.md +++ b/Solutions/BloodHound Enterprise/ReleaseNotes.md @@ -1,6 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|------------------------------------------------------------------------------------| -| 3.2.2 | 20-05-2026 | Updated **Data Connector** documentation, API credential instructions, and metric queries; updated Azure deployment URL, solution/connector IDs, and custom table definitions.
Updated BloodHound Enterprise solution **logo** (`BHE_Logo.svg`) to align with current branding. | +| 3.2.2 | 12-06-2026 | Updated **Data Connector** documentation, API credential instructions, and metric queries; updated Azure deployment URL, solution/connector IDs, and custom table definitions.
Updated BloodHound Enterprise solution **logo** (`BHE_Logo.svg`) to align with current branding.
Enhanced **Workbooks** by adding a 30-day `timeContext` to parameter queries, replacing default values that caused queries to fail. | | 3.2.1 | 13-01-2026 | Updated WEBSITE_RUN_FROM_PACKAGE to use Microsoft-managed aka.ms URL | | 3.2.0 | 15-09-2025 | Added two extra **Workbooks** (Finding Trends & Posture History). Upgraded **Data Connector** to Azure Function. | | 3.1.2 | 25-02-2025 | Bump version for portal deployment | diff --git a/Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseAttackPathDetails.json b/Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseAttackPathDetails.json index db825714e8e..a82ea03a063 100644 --- a/Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseAttackPathDetails.json +++ b/Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseAttackPathDetails.json @@ -23,13 +23,12 @@ ], "showDefault": false }, + "timeContext": { + "durationMs": 2592000000 + }, + "defaultValue": "value::all", "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": [ - "value::all" - ], - "key": "f0dfd85a-6c9c-4dab-91d7-d67cb23b1fb2", - "timeContextFromParameter": "time" + "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "390213b5-e0d3-476c-99ca-89c76f417e7a", @@ -48,14 +47,12 @@ ], "showDefault": false }, + "timeContext": { + "durationMs": 2592000000 + }, "defaultValue": "value::all", "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": [ - "value::all" - ], - "key": "390213b5-e0d3-476c-99ca-89c76f417e7a", - "timeContextFromParameter": "time" + "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "3d301840-15be-455d-bb48-d2ca8e3d4c2f", 
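Review bot: The two parameter queries in the hunks at -23 and -48 of BloodHoundEnterpriseAttackPathDetails.json (keys `f0dfd85a-…` and `390213b5-…`) no longer follow the workbook time range. They swap `"timeContextFromParameter": "time"` for a fixed `"timeContext": { "durationMs": 2592000000 }`, and the same substitution is made in BloodHoundEnterpriseAttackPathOverview.json and BloodHoundEnterpriseAuditLogs.json. A tenant or environment whose last ingested record is older than 30 days will then disappear from the picker even when an analyst selects a longer range for a historical review, and the workbook gives no hint why. Presumably a `time` parameter still drives the query items (it is not visible in these hunks), so the pickers and the results can now disagree. I would document the window on each parameter, for example `"description": "Lists values seen in the last 30 days"`. The parameter objects start outside the hunks.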
@@ -74,13 +71,14 @@ ], "showDefault": false }, + "timeContext": { + "durationMs": 2592000000 + }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "value": [ "value::all" - ], - "key": "3d301840-15be-455d-bb48-d2ca8e3d4c2f", - "timeContextFromParameter": "time" + ] }, { "id": "9e7a3119-3a53-4df7-8878-d2b56a948732", @@ -99,14 +97,12 @@ ], "showDefault": false }, + "timeContext": { + "durationMs": 2592000000 + }, "defaultValue": "value::all", "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": [ - "value::all" - ], - "key": "9e7a3119-3a53-4df7-8878-d2b56a948732", - "timeContextFromParameter": "time" + "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "7e02e873-7550-447e-88aa-fc99dc923c14", @@ -170,10 +166,11 @@ "key": "7e02e873-7550-447e-88aa-fc99dc923c14" } ], - "style": "pills" + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" }, - "name": "parameters - 3", - "id": "8773eb3e-9066-4dde-8447-fd0939000edc" + "name": "parameters - 3" }, { "type": 3, @@ -190,8 +187,7 @@ "filter": true } }, - "name": "query - 2", - "id": "8537bfa2-797b-4341-b7ec-d92db2901627" + "name": "query - 2" }, { "type": 3, @@ -209,8 +205,7 @@ "showBorder": false } }, - "name": "query - 4", - "id": "27480ded-ba27-4733-bf00-9157dd53c578" + "name": "query - 4" }, { "type": 3, @@ -224,10 +219,10 @@ "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "areachart" }, - "name": "query - 6", - "id": "02021bd8-8939-4b21-a9d1-f7dc4405cd4b" + "name": "query - 6" } ], + "fallbackResourceIds": [], "fromTemplateId": "sentinel-BloodHoundEnterprise", "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" } \ No newline at end of file 
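Review bot: In the hunk at -74 of BloodHoundEnterpriseAttackPathDetails.json the parameter with key `3d301840-15be-455d-bb48-d2ca8e3d4c2f` is treated differently from its three siblings. It keeps the saved `"value": [ "value::all" ]` and gets no `defaultValue`, whereas the hunks at -23, -48 and -99 drop the saved `value` and carry `"defaultValue": "value::all"`. The release note in this commit says the saved defaults were what made the queries fail, so this one parameter may still show the old behaviour. I would replace the `value` array with `"defaultValue": "value::all",` placed before `"queryType": 0`, matching the other parameters. The parameter object starts outside the hunk, so check its `id` line when applying this.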
diff --git a/Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseAttackPathOverview.json b/Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseAttackPathOverview.json index f0c0ab4c144..b8fd5ea7b02 100644 --- a/Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseAttackPathOverview.json +++ b/Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseAttackPathOverview.json @@ -23,13 +23,12 @@ ], "showDefault": false }, + "timeContext": { + "durationMs": 2592000000 + }, + "defaultValue": "value::all", "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": [ - "value::all" - ], - "key": "6de26de7-0eec-4312-b568-9fbbaf5c7f71", - "timeContextFromParameter": "time" + "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "cb118fcd-4473-4470-ac89-28c6ea644d5d", @@ -48,11 +47,12 @@ ], "showDefault": false }, + "timeContext": { + "durationMs": 2592000000 + }, "defaultValue": "value::all", "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "key": "cb118fcd-4473-4470-ac89-28c6ea644d5d", - "timeContextFromParameter": "time" + "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "9e7a3119-3a53-4df7-8878-d2b56a948732", @@ -71,14 +71,12 @@ ], "showDefault": false }, + "timeContext": { + "durationMs": 2592000000 + }, "defaultValue": "value::all", "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": [ - "value::all" - ], - "key": "9e7a3119-3a53-4df7-8878-d2b56a948732", - "timeContextFromParameter": "time" + "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "dafad90f-2d00-41cd-9463-efbe87d3888f", 
@@ -142,10 +140,11 @@ "key": "dafad90f-2d00-41cd-9463-efbe87d3888f" } ], - "style": "pills" + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" }, - "name": "parameters - 2", - "id": "411d55f1-a1a9-401f-94e3-099311400cb5" + "name": "parameters - 2" }, { "type": 3, @@ -180,8 +179,7 @@ "showLegend": true } }, - "name": "query - 2", - "id": "a2a75d1b-0822-4cbe-b834-8873bb80b72d" + "name": "query - 2" }, { "type": 3, @@ -195,8 +193,7 @@ "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "piechart" }, - "name": "query - 5", - "id": "98a3ac6b-a667-4950-af14-d83b28a75f65" + "name": "query - 5" }, { "type": 3, @@ -218,8 +215,7 @@ "showLegend": true } }, - "name": "query - 7", - "id": "06ca7136-8db4-41a3-b09e-1cf692baa8eb" + "name": "query - 7" }, { "type": 3, @@ -247,8 +243,7 @@ "showLegend": true } }, - "name": "query - 9", - "id": "39e36309-ece3-4752-8b4b-7999e64da85d" + "name": "query - 9" }, { "type": 3, @@ -289,8 +284,7 @@ "showLegend": true } }, - "name": "query - 9 - Copy", - "id": "36dd9f9d-913e-47da-a9c7-e43398bf5a0e" + "name": "query - 9 - Copy" }, { "type": 3, @@ -307,10 +301,10 @@ "rowLimit": 500 } }, - "name": "query - 11", - "id": "7b4a8d14-420a-4097-b2ae-a3c76f45fb1f" + "name": "query - 11" } ], + "fallbackResourceIds": [], "fromTemplateId": "sentinel-BloodHoundEnterprise", "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" } \ No newline at end of file diff --git a/Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseAuditLogs.json b/Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseAuditLogs.json index 9a57a4f29cd..286fa8b5ba0 100644 --- a/Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseAuditLogs.json +++ b/Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseAuditLogs.json 
@@ -23,13 +23,12 @@ ], "showDefault": false }, + "timeContext": { + "durationMs": 2592000000 + }, + "defaultValue": "value::all", "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": [ - "value::all" - ], - "key": "b8d3205b-b903-4db7-8c7a-f82bacd94242", - "timeContextFromParameter": "time" + "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "752a2195-64fc-402e-b80f-c7c4fb9b49bd", @@ -48,14 +47,12 @@ ], "showDefault": false }, + "timeContext": { + "durationMs": 2592000000 + }, "defaultValue": "value::all", "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": [ - "value::all" - ], - "key": "752a2195-64fc-402e-b80f-c7c4fb9b49bd", - "timeContextFromParameter": "time" + "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "5de91703-b999-47c1-98e3-648bb4724abf", @@ -74,13 +71,12 @@ ], "showDefault": false }, + "timeContext": { + "durationMs": 2592000000 + }, + "defaultValue": "value::all", "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": [ - "value::all" - ], - "key": "5de91703-b999-47c1-98e3-648bb4724abf", - "timeContextFromParameter": "time" + "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "705413e9-2968-4485-975f-a782991db8df", @@ -144,10 +140,11 @@ "key": "705413e9-2968-4485-975f-a782991db8df" } ], - "style": "pills" + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" }, - "name": "parameters - 2", - "id": "a3898d6c-4920-4197-96ae-c00c3a6642ef" + "name": "parameters - 2" }, { "type": 3, 
@@ -158,25 +155,12 @@ "timeContextFromParameter": "time", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "sortBy": [ - { - "itemKey": "TimeGenerated", - "sortOrder": 2 - } - ] - }, - "sortBy": [ - { - "itemKey": "TimeGenerated", - "sortOrder": 2 - } - ] + "sortBy": [] }, - "name": "query - 2", - "id": "1f14cdc2-d692-4f28-ba58-7e920cfd104b" + "name": "query - 2" } ], - "isLocked": false, - "fromTemplateId": "sentinel-BloodHoundEnterprise" + "fallbackResourceIds": [], + "fromTemplateId": "sentinel-BloodHoundEnterprise", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" } \ No newline at end of file diff --git a/Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseTierZeroSearch.json b/Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseTierZeroSearch.json index fc191033cf0..b6a57be3c31 100644 --- a/Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseTierZeroSearch.json +++ b/Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseTierZeroSearch.json @@ -25,14 +25,11 @@ "showDefault": false }, "timeContext": { - "durationMs": 604800000 + "durationMs": 2592000000 }, + "defaultValue": "value::all", "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": [ - "value::all" - ], - "key": "87db674f-0507-4481-a57b-0bf202e968b2" + "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "a4cadb58-5551-4279-9a60-3b4e46b3ddf9", @@ -52,15 +49,11 @@ "showDefault": false }, "timeContext": { - "durationMs": 604800000 + "durationMs": 2592000000 }, "defaultValue": "value::all", "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": [ - "value::all" - ], - "key": "a4cadb58-5551-4279-9a60-3b4e46b3ddf9" + "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "98c37fb8-534d-4661-b8cf-2ce60a74b67a", 
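Review bot: The hunk at -158 of BloodHoundEnterpriseAuditLogs.json removes the default ordering of the audit-log grid. It deletes the `gridSettings.sortBy` entry on `TimeGenerated` and replaces the item-level `sortBy` with `"sortBy": []`. Unless the query text, which is outside this hunk, already ends with an explicit ordering, the table will show audit events in whatever order the query returns them, which makes it easy to miss the most recent activity during triage. I would either keep the `gridSettings` block as it was or make the order part of the query, for example by appending `| order by TimeGenerated desc`. If the removal is only export noise from the workbook editor, restoring the block is the smaller change.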
@@ -80,21 +73,18 @@ "showDefault": false }, "timeContext": { - "durationMs": 604800000 + "durationMs": 2592000000 }, "defaultValue": "value::all", "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": [ - "value::all" - ], - "key": "98c37fb8-534d-4661-b8cf-2ce60a74b67a" + "resourceType": "microsoft.operationalinsights/workspaces" } ], - "style": "pills" + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" }, - "name": "parameters - 2", - "id": "070dd276-740f-4feb-939f-3a03b1a19679" + "name": "parameters - 2" }, { "type": 3, @@ -113,8 +103,7 @@ "filter": true } }, - "name": "query - 2", - "id": "45e1e2fb-b6e1-44f8-b2dd-695e2b11258a" + "name": "query - 2" }, { "type": 3, @@ -206,10 +195,10 @@ } } }, - "name": "query - 4", - "id": "1768910c-ab25-4c1d-bb79-51167f9efd1b" + "name": "query - 4" } ], + "fallbackResourceIds": [], "fromTemplateId": "sentinel-BloodHoundEnterprise", "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" } \ No newline at end of file diff --git a/Solutions/BloodHound Enterprise/Workbooks/BloodHoundFindingTrends.json b/Solutions/BloodHound Enterprise/Workbooks/BloodHoundFindingTrends.json index 4066ed7fb8d..5122419e42f 100644 --- a/Solutions/BloodHound Enterprise/Workbooks/BloodHoundFindingTrends.json +++ b/Solutions/BloodHound Enterprise/Workbooks/BloodHoundFindingTrends.json @@ -24,14 +24,11 @@ "showDefault": false }, "timeContext": { - "durationMs": 604800000 + "durationMs": 2592000000 }, + "defaultValue": "value::all", "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "value": [ - "value::all" - ], - "key": "b5affbc4-b123-4844-bab6-a352911dcd05" + "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "511679f9-e193-414d-9d06-c778e0372a69", 
@@ -51,71 +48,65 @@
 "showDefault": false
 },
 "timeContext": {
- "durationMs": 604800000
+ "durationMs": 2592000000
 },
+ "defaultValue": "value::all",
 "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": [
- "value::all"
- ],
- "key": "511679f9-e193-414d-9d06-c778e0372a69"
+ "resourceType": "microsoft.operationalinsights/workspaces"
 },
 {
- "id": "56999a28-3611-436b-8b96-98bd48de863a",
- "key": "56999a28-3611-436b-8b96-98bd48de863a",
- "name": "category",
- "label": "Finding Category",
- "value": [
- "value::all"
- ],
+ "id": "bfad7f56-9fd7-4cc1-9386-5be8422b9eeb",
+ "version": "KqlParameterItem/1.0",
+ "name": "period",
+ "label": "Time Period",
 "type": 2,
 "isRequired": true,
- "version": "",
- "multiSelect": true,
- "queryType": 0,
- "query": "BHEFindingTrendsData_CL\r\n| where isnotempty(domain_name)\r\n| where tenant_url in~ ({bhe_tenant})\r\n| where domain_name in~ ({domain_name})\r\n| where period == \"{period}\"\r\n| extend display_type = replace_string(display_type, \" Attack Paths\", \"\")\r\n| distinct display_type",
+ "query": "BHEFindingTrendsData_CL\r\n| where tenant_url in~ ({bhe_tenant})\r\n| where domain_name in~ ({domain_name})\r\n| distinct period\r\n",
 "typeSettings": {
 "additionalResourceOptions": [
- "value::all"
+ "value::1"
 ],
- "selectAllValue": ""
+ "showDefault": false
 },
 "timeContext": {
- "durationMs": 604800000
+ "durationMs": 2592000000
 },
- "defaultValue": "value::all",
- "quote": "'",
- "delimiter": ","
+ "defaultValue": "value::1",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "key": "bfad7f56-9fd7-4cc1-9386-5be8422b9eeb"
 },
 {
- "id": "bfad7f56-9fd7-4cc1-9386-5be8422b9eeb",
+ "id": "56999a28-3611-436b-8b96-98bd48de863a",
 "version": "KqlParameterItem/1.0",
- "name": "period",
- "label": "Time Period",
+ "name": "category",
+ "label": "Finding Category",
 "type": 2,
 "isRequired": true,
- "query": "BHEFindingTrendsData_CL\r\n| where tenant_url in~ ({bhe_tenant})\r\n| 
where domain_name in~ ({domain_name})\r\n| distinct period\r\n",
+ "multiSelect": true,
+ "quote": "'",
+ "delimiter": ",",
+ "query": "BHEFindingTrendsData_CL\r\n| where isnotempty(domain_name)\r\n| where tenant_url in~ ({bhe_tenant})\r\n| where domain_name in~ ({domain_name})\r\n| where period == \"{period}\"\r\n| extend display_type = replace_string(display_type, \" Attack Paths\", \"\")\r\n| distinct display_type",
 "typeSettings": {
 "additionalResourceOptions": [
- "value::1"
+ "value::all"
 ],
+ "selectAllValue": "",
 "showDefault": false
 },
 "timeContext": {
- "durationMs": 604800000
+ "durationMs": 2592000000
 },
- "defaultValue": "value::1",
+ "defaultValue": "value::all",
 "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "key": "bfad7f56-9fd7-4cc1-9386-5be8422b9eeb",
- "value": "value::1"
+ "resourceType": "microsoft.operationalinsights/workspaces"
 }
 ],
 "style": "pills",
- "title": ""
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
 },
- "name": "parameters - 2",
- "id": "e49a6a11-fecf-4e83-9833-3a152812fbe8"
+ "name": "parameters - 2"
 },
 {
 "type": 3,
@@ -125,6 +116,9 @@
 "size": 0,
 "title": "Attack Path Trends",
 "noDataMessageStyle": 2,
+ "timeContext": {
+ "durationMs": 604800000
+ },
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "visualization": "table",
@@ -150,15 +144,12 @@
 "nodeColorField": "TotalImpactCount",
 "heatmapPalette": "greenRed"
 }
- },
- "timeContext": {
- "durationMs": 604800000
 }
 },
- "name": "query - 3 - Copy",
- "id": "e56e8666-1f73-4ca4-8237-49a077fd32b0"
+ "name": "query - 3 - Copy"
 }
 ],
+ "fallbackResourceIds": [],
 "fromTemplateId": "sentinel-BloodHoundEnterprise",
 "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
 }
\ No newline at end of file
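Review bot: The "Attack Path Trends" query keeps a 7-day `timeContext` (`"durationMs": 604800000`, moved up in `@@ -125,6 +116,9 @@`), while the parameter queries in this file were all widened to `2592000000` (30 days). A tenant, environment or period offered by the pills can therefore have no rows inside the query's window, and the resulting empty table is easy to misread as an environment with no attack-path findings. Align the two, for example `"durationMs": 2592000000` on the query, or drive both from one shared time-range parameter. The query item starts above this hunk and its KQL is not visible, so confirm it applies no time filter of its own.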
diff --git a/Solutions/BloodHound Enterprise/Workbooks/BloodHoundPostureHistory.json b/Solutions/BloodHound Enterprise/Workbooks/BloodHoundPostureHistory.json
index 76b13a3a354..54ff9f129dd 100644
--- a/Solutions/BloodHound Enterprise/Workbooks/BloodHoundPostureHistory.json
+++ b/Solutions/BloodHound Enterprise/Workbooks/BloodHoundPostureHistory.json
@@ -23,13 +23,12 @@
 ],
 "showDefault": false
 },
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "defaultValue": "value::all",
 "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": [
- "value::all"
- ],
- "key": "a4422263-5b38-4e1b-96bf-010956675fe7",
- "timeContextFromParameter": "time"
+ "resourceType": "microsoft.operationalinsights/workspaces"
 },
 {
 "id": "627c2e6a-326c-479e-a0aa-9a5c0354c719",
@@ -48,13 +47,12 @@
 ],
 "showDefault": false
 },
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "defaultValue": "value::all",
 "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "value": [
- "value::all"
- ],
- "key": "627c2e6a-326c-479e-a0aa-9a5c0354c719",
- "timeContextFromParameter": "time"
+ "resourceType": "microsoft.operationalinsights/workspaces"
 },
 {
 "id": "2318e21e-11ac-4959-8c09-8e2f0cce91c7",
@@ -114,14 +112,14 @@
 },
 "value": {
 "durationMs": 604800000
- },
- "key": "2318e21e-11ac-4959-8c09-8e2f0cce91c7"
+ }
 }
 ],
- "style": "pills"
+ "style": "pills",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
 },
- "name": "parameters - 2",
- "id": "99f208c9-917d-4b7e-ac81-a3a6cb561707"
+ "name": "parameters - 2"
 },
 {
 "type": 3,
@@ -138,8 +136,7 @@
 "showLegend": true
 }
 },
- "name": "query - 3",
- "id": "85e6b990-8ee4-4ce2-9e97-a9b9958cafb5"
+ "name": "query - 3"
 },
 {
 "type": 3,
@@ -158,8 +155,7 @@
 "group": "domain_name"
 }
 },
- "name": "Findings Trend Over Time",
- "id": "2b821f70-01e3-4962-be20-860c50905ab8"
+ "name": "Findings Trend Over Time"
 },
 {
 "type": 3,
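Review bot: In `@@ -23,13 +23,12 @@` and `@@ -48,13 +47,12 @@` the first two parameters (presumably tenant and environment) trade `"timeContextFromParameter": "time"` for a fixed 30-day `timeContext`, while the "Total Attack Paths" query later in the file still follows the `time` parameter. When an analyst picks a range longer than 30 days, values that last reported before that window would be missing from the pills and so drop out of the `in~ ({domain_name})` / `in~ ({bhe_tenant})` filters without any indication. If the change was made because the time-range parameter (it appears to be the third entry, id `2318e21e-11ac-4959-8c09-8e2f0cce91c7`) is declared after these two, moving it to the top and keeping `"timeContextFromParameter": "time"` on both would keep selectors and charts on the same window. Both parameter objects start above their hunks, so their names and queries are not visible here.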
@@ -167,14 +163,13 @@
 "version": "KqlItem/1.0",
 "query": "BHEPostureHistoryData_CL\r\n| where data_type == \"attack-paths\"\r\n| where domain_name in~ ({domain_name}) and tenant_url in~ ({bhe_tenant})\r\n| where metric_date {time}\r\n| extend metric_ts = todatetime(metric_date)\r\n| summarize avg_findings = avg(todouble(value)) by bin(metric_ts, 1d), domain_name, tenant_url\r\n| extend avg_findings = round(avg_findings, 3)\r\n| order by metric_ts asc\r\n",
 "size": 0,
+ "title": "Total Attack Paths",
+ "timeContextFromParameter": "time",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "areachart",
- "title": "Total Attack Paths",
- "timeContextFromParameter": "time"
+ "visualization": "areachart"
 },
- "name": "query - 4",
- "id": "2a11a65c-1e6a-46b3-918a-84748f809ff0"
+ "name": "query - 4"
 },
 {
 "type": 3,
@@ -192,10 +187,10 @@
 "showLegend": true
 }
 },
- "name": "query - 4",
- "id": "94d835c2-c01c-4473-bc85-9e2de3d5d58e"
+ "name": "query - 4"
 }
 ],
+ "fallbackResourceIds": [],
 "fromTemplateId": "sentinel-BloodHoundEnterprise",
 "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
 }
\ No newline at end of file