diff --git a/Solutions/Fortinet FortiNDR Cloud/Package/3.0.3.zip b/Solutions/Fortinet FortiNDR Cloud/Package/3.0.3.zip
index 2e76aabf62b..cb541b8ebaf 100644
Binary files a/Solutions/Fortinet FortiNDR Cloud/Package/3.0.3.zip and b/Solutions/Fortinet FortiNDR Cloud/Package/3.0.3.zip differ
diff --git a/Solutions/Fortinet FortiNDR Cloud/Package/mainTemplate.json b/Solutions/Fortinet FortiNDR Cloud/Package/mainTemplate.json
index 2e2b8dbb654..841755903ec 100644
--- a/Solutions/Fortinet FortiNDR Cloud/Package/mainTemplate.json
+++ b/Solutions/Fortinet FortiNDR Cloud/Package/mainTemplate.json
@@ -481,7 +481,7 @@
 "resources": [
 {
 "name": "[variables('parserObject1')._parserName1]",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -546,7 +546,7 @@
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "[variables('parserObject1')._parserName1]",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -622,7 +622,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## FortiNDR Cloud workbook\\n---\\n>**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Fortinet%20FortiNDR%20Cloud/Parsers/Fortinet_FortiNDR_Cloud.md) to create the Kusto function alias **Fortinet_FortiNDR_Cloud**.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"29a65c20-978d-447b-b11c-f437f6c7fd7e\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Main Dashboard\",\"subTarget\":\"Main\",\"style\":\"link\"},{\"id\":\"514047f6-4d61-4f59-9f79-6c22c20645c0\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Suricata Dashboard\",\"subTarget\":\"Suricata\",\"style\":\"link\"},{\"id\":\"f20fabf1-3a44-417d-9e97-3d62d1990c8d\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Observation Dashboard\",\"subTarget\":\"Observation\",\"style\":\"link\"},{\"id\":\"392a41e1-a18c-4a6d-8144-c51e27a8bf4e\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Detection Dashboard\",\"subTarget\":\"Detection\",\"style\":\"link\"}]},\"name\":\"links - 
11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"50650aa0-d12f-49ad-ba0d-e7a6a10b0a85\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. {TimeRange:end})\\n| summarize Count=count() by su_sig_category\",\"size\":0,\"showAnalytics\":true,\"title\":\"Suricata Counts By Category\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"main-Suricata\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between ({TimeRange:start} .. 
{TimeRange:end})\\n| summarize Count=count() by ob_observation_title\",\"size\":0,\"showAnalytics\":true,\"title\":\"Observation Counts by Title\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"main-observation\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. {TimeRange:end})\\n| summarize Count = count() by de_severity\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Severity\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"main-detections-s\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. 
{TimeRange:end})\\n| summarize Count = count() by de_confidence\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Confidence\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"main-detections-s - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Main\"},\"name\":\"Main Dashboard\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**FortiDNR Cloud Suricata Chart:**\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7b566fdf-c574-466d-8a25-eec9e314f560\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"0ce88674-9bf5-4c52-8286-28d3cf030e18\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_category_s\\n| order by alert_category_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Signature Category\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
3\",\"styleSettings\":{\"padding\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. {TimeRange:end})\\n| where isempty('{Category}') or (su_sig_category == '{Category}')\\n| summarize Count=count() by su_sig_category, bin(su_timestamp, 1d)\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"**FortiDNR Cloud Suricata List:**\"},\"name\":\"text - 4 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5d5a54f3-6fca-4368-aea2-a2d0326daa62\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"03cace3a-c0d6-4184-a1aa-346c67578b6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_category_s\\n| order by alert_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Signature 
Category\"},{\"id\":\"0eea038f-b090-4021-9998-3b85c1abe20b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Name\",\"label\":\"Signature Name\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_signature_s\\n| order by alert_signature_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"d60df3de-0e80-4f12-8234-bb8a4ea27cfb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensorID\",\"label\":\"Sensor ID\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by sensor_id_s\\n| order by sensor_id_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. 
{TimeRange:end})\\n| where isempty('{Category}') or (su_sig_category == '{Category}')\\n| where isempty('{Name}') or (su_sig_name == '{Name}')\\n| where isempty('{SensorID}') or (su_sensor_id == '{SensorID}')\\n| project-away ob_*, de_*\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"observation_title\",\"formatter\":5},{\"columnMatch\":\"confidence\",\"formatter\":5},{\"columnMatch\":\"Category\",\"formatter\":5},{\"columnMatch\":\"class\",\"formatter\":5},{\"columnMatch\":\"context\",\"formatter\":5},{\"columnMatch\":\"evidence_iql\",\"formatter\":5},{\"columnMatch\":\"evidence_end_timestamp\",\"formatter\":5},{\"columnMatch\":\"evidence_start_timestamp\",\"formatter\":5},{\"columnMatch\":\"description\",\"formatter\":5},{\"columnMatch\":\"observation_uuid\",\"formatter\":5},{\"columnMatch\":\"sensor_ids\",\"formatter\":5},{\"columnMatch\":\"device_ip\",\"formatter\":5},{\"columnMatch\":\"status\",\"formatter\":5},{\"columnMatch\":\"indicators\",\"formatter\":5},{\"columnMatch\":\"last_seen\",\"formatter\":5}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"su_timestamp\",\"label\":\"timestamp\"},{\"columnId\":\"su_event_type\",\"label\":\"event_type\"},{\"columnId\":\"su_src_ip\",\"label\":\"src_ip\"},{\"columnId\":\"su_src_port\",\"label\":\"src_port\"},{\"columnId\":\"su_dst_ip\",\"label\":\"dst_ip\"},{\"columnId\":\"su_dst_port\",\"label\":\"dst_port\"},{\"columnId\":\"su_intel\",\"label\":\"intel\"},{\"columnId\":\"su_sig_name\",\"label\":\"sig_name\"},{\"columnId\":\"su_sig_id\",\"label\":\"sig_id\"},{\"columnId\":\"su_sig_rev\",\"label\":\"sig_rev\"},{\"columnId\":\"su_sig_category\",\"label\":\"sig_category\"},{\"columnId\":\"su_sig_severity\",\"label\":\"sig_severity\"},{\"columnId\":\"su_payload\",\"label\":\"payload\"},{
\"columnId\":\"su_source\",\"label\":\"source\"},{\"columnId\":\"su_proto\",\"label\":\"proto\"},{\"columnId\":\"su_sensor_id\",\"label\":\"sensor_id\"},{\"columnId\":\"su_src_internal\",\"label\":\"src_internal\"},{\"columnId\":\"su_src_geo_lat\",\"label\":\"src_geo_lat\"},{\"columnId\":\"su_src_geo_lon\",\"label\":\"src_geo_lon\"},{\"columnId\":\"su_src_geo_country\",\"label\":\"src_geo_country\"},{\"columnId\":\"su_src_geo_subdivision\",\"label\":\"src_geo_subdivision\"},{\"columnId\":\"su_src_geo_city\",\"label\":\"src_geo_city\"},{\"columnId\":\"su_src_asn_asn\",\"label\":\"src_asn_asn\"},{\"columnId\":\"su_src_asn_org\",\"label\":\"src_asn_org\"},{\"columnId\":\"su_src_asn_isp\",\"label\":\"src_asn_isp\"},{\"columnId\":\"su_src_asn_asn_org\",\"label\":\"src_asn_asn_org\"},{\"columnId\":\"su_src_annotations_applications\",\"label\":\"src_annotations_applications\"},{\"columnId\":\"su_src_annotations_environments\",\"label\":\"src_annotations_environments\"},{\"columnId\":\"su_src_annotations_locations\",\"label\":\"src_annotations_locations\"},{\"columnId\":\"su_src_annotations_owners\",\"label\":\"src_annotations_owners\"},{\"columnId\":\"su_src_annotations_roles\",\"label\":\"src_annotations_roles\"},{\"columnId\":\"su_src_annotations_tags\",\"label\":\"src_annotations_tags\"},{\"columnId\":\"su_dst_internal\",\"label\":\"dst_internal\"},{\"columnId\":\"su_dst_geo_lat\",\"label\":\"dst_geo_lat\"},{\"columnId\":\"su_dst_geo_lon\",\"label\":\"dst_geo_lon\"},{\"columnId\":\"su_dst_geo_country\",\"label\":\"dst_geo_country\"},{\"columnId\":\"su_dst_geo_subdivision\",\"label\":\"dst_geo_subdivision\"},{\"columnId\":\"su_dst_geo_city\",\"label\":\"dst_geo_city\"},{\"columnId\":\"su_dst_asn_asn\",\"label\":\"dst_asn_asn\"},{\"columnId\":\"su_dst_asn_org\",\"label\":\"dst_asn_org\"},{\"columnId\":\"su_dst_asn_isp\",\"label\":\"dst_asn_isp\"},{\"columnId\":\"su_dst_asn_asn_org\",\"label\":\"dst_asn_asn_org\"},{\"columnId\":\"su_dst_annotations_applications\",\"label\"
:\"dst_annotations_applications\"},{\"columnId\":\"su_dst_annotations_environments\",\"label\":\"dst_annotations_environments\"},{\"columnId\":\"su_dst_annotations_locations\",\"label\":\"dst_annotations_locations\"},{\"columnId\":\"su_dst_annotations_owners\",\"label\":\"dst_annotations_owners\"},{\"columnId\":\"su_dst_annotations_roles\",\"label\":\"dst_annotations_roles\"},{\"columnId\":\"su_dst_annotations_tags\",\"label\":\"dst_annotations_tags\"},{\"columnId\":\"su_geo_distance\",\"label\":\"geo_distance\"},{\"columnId\":\"su_http_status\",\"label\":\"http_status\"},{\"columnId\":\"su_http_protocol\",\"label\":\"http_protocol\"},{\"columnId\":\"su_http_url\",\"label\":\"http_url\"},{\"columnId\":\"su_http_hostname\",\"label\":\"http_hostname\"},{\"columnId\":\"su_http_host_internal\",\"label\":\"http_host_internal\"},{\"columnId\":\"su_http_host_geo_lat\",\"label\":\"http_host_geo_lat\"},{\"columnId\":\"su_http_host_geo_lon\",\"label\":\"http_host_geo_lon\"},{\"columnId\":\"su_http_host_geo_country\",\"label\":\"http_host_geo_country\"},{\"columnId\":\"su_http_host_geo_subdivision\",\"label\":\"http_host_geo_subdivision\"},{\"columnId\":\"su_http_host_geo_city\",\"label\":\"http_host_geo_city\"},{\"columnId\":\"su_http_host_asn_asn\",\"label\":\"http_host_asn_asn\"},{\"columnId\":\"su_http_host_asn_org\",\"label\":\"http_host_asn_org\"},{\"columnId\":\"su_http_host_asn_isp\",\"label\":\"http_host_asn_isp\"},{\"columnId\":\"su_http_host_asn_asn_org\",\"label\":\"http_host_asn_asn_org\"},{\"columnId\":\"su_http_host_annotations_applications\",\"label\":\"http_host_annotations_applications\"},{\"columnId\":\"su_http_host_annotations_environments\",\"label\":\"http_host_annotations_environments\"},{\"columnId\":\"su_http_host_annotations_locations\",\"label\":\"http_host_annotations_locations\"},{\"columnId\":\"su_http_host_annotations_owners\",\"label\":\"http_host_annotations_owners\"},{\"columnId\":\"su_http_host_annotations_roles\",\"label\":\"http_host_annota
tions_roles\"},{\"columnId\":\"su_http_host_annotations_tags\",\"label\":\"http_host_annotations_tags\"},{\"columnId\":\"su_http_host_domain_entropy\",\"label\":\"http_host_domain_entropy\"},{\"columnId\":\"su_http_length\",\"label\":\"http_length\"},{\"columnId\":\"su_http_method\",\"label\":\"http_method\"},{\"columnId\":\"su_http_content_type\",\"label\":\"http_content_type\"},{\"columnId\":\"su_http_refer\",\"label\":\"http_refer\"},{\"columnId\":\"su_http_user_agent\",\"label\":\"http_user_agent\"},{\"columnId\":\"su_http_redirect\",\"label\":\"http_redirect\"},{\"columnId\":\"su_http_xtf\",\"label\":\"http_xtf\"},{\"columnId\":\"su_uuid\",\"label\":\"uuid\"},{\"columnId\":\"su_customer_id\",\"label\":\"customer_id\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"FNC Suricata List\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Suricata\"},\"name\":\"Suricata\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Observation Chart:**\"},\"name\":\"text - 
4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"fcd15fc8-790a-448e-8a61-1a1ec5f70e05\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"fd7ebd99-2ba4-4240-86de-1c109bc10fba\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Title\",\"label\":\"Observation Title\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by title_s\\n| order by title_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between({TimeRange:start} .. 
{TimeRange:end})\\n| where isempty('{Title}') or (ob_observation_title == '{Title}')\\n| summarize Count = count() by ob_observation_title, bin(ob_timestamp, 1d)\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0},\"chartSettings\":{\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"High\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"High\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"High\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Observation List:**\"},\"name\":\"text - 4 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"55ad269b-ead8-4f61-b429-669d632b53e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"43131f54-c638-41a3-a54c-d8768c2df468\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Title\",\"label\":\"Ovbservation Title\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by title_s\\n| order by title_s 
asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9ff7f038-1fa5-4ac1-84cb-ef8c6e91a183\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Sensor_ID\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by sensor_id_s\\n| order by sensor_id_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"3e100d32-5ad3-4a4f-a486-f65be2c62101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"defaultValue\":\"value::all\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between({TimeRange:start} .. 
{TimeRange:end})\\n| where ob_confidence in ({Confidence})\\n| where isempty('{Sensor_ID}') or (ob_sensor_id == '{Sensor_ID}')\\n| where isempty('{Title}') or (ob_observation_title == '{Title}')\\n| project-away su_*, de_*\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ob_confidence\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ob_context\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Context\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"ob_evidence_iql\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Evidence 
IQL\",\"linkIsContextBlade\":true}}],\"rowLimit\":1000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"Type\",\"label\":\"Type\"},{\"columnId\":\"ob_timestamp\",\"label\":\"timestamp\"},{\"columnId\":\"ob_observation_title\",\"label\":\"observation_title\"},{\"columnId\":\"ob_confidence\",\"label\":\"confidence\"},{\"columnId\":\"ob_category\",\"label\":\"category\"},{\"columnId\":\"ob_class\",\"label\":\"class\"},{\"columnId\":\"ob_context\",\"label\":\"context\"},{\"columnId\":\"ob_evidence_iql\",\"label\":\"evidence_iql\"},{\"columnId\":\"ob_evidence_end_timestamp\",\"label\":\"evidence_end_timestamp\"},{\"columnId\":\"ob_evidence_start_timestamp\",\"label\":\"evidence_start_timestamp\"},{\"columnId\":\"ob_description\",\"label\":\"description\"},{\"columnId\":\"ob_observation_uuid\",\"label\":\"observation_uuid\"},{\"columnId\":\"ob_sensor_ids\",\"label\":\"sensor_ids\"},{\"columnId\":\"ob_event_type\",\"label\":\"event_type\"},{\"columnId\":\"ob_src_ip\",\"label\":\"src_ip\"},{\"columnId\":\"ob_dst_ip\",\"label\":\"dst_ip\"},{\"columnId\":\"ob_intel\",\"label\":\"intel\"},{\"columnId\":\"ob_source\",\"label\":\"source\"},{\"columnId\":\"ob_sensor_id\",\"label\":\"sensor_id\"},{\"columnId\":\"ob_src_internal\",\"label\":\"src_internal\"},{\"columnId\":\"ob_src_geo_lat\",\"label\":\"src_geo_lat\"},{\"columnId\":\"ob_src_geo_lon\",\"label\":\"src_geo_lon\"},{\"columnId\":\"ob_src_geo_country\",\"label\":\"src_geo_country\"},{\"columnId\":\"ob_src_geo_subdivision\",\"label\":\"src_geo_subdivision\"},{\"columnId\":\"ob_src_geo_city\",\"label\":\"_src_geo_city\"},{\"columnId\":\"ob_src_asn_asn\",\"label\":\"src_asn_asn\"},{\"columnId\":\"ob_src_asn_org\",\"label\":\"src_asn_org\"},{\"columnId\":\"ob_src_asn_isp\",\"label\":\"src_asn_isp\"},{\"columnId\":\"ob_src_asn_asn_org\",\"label\":\"src_asn_asn_org\"},{\"columnId\":\"ob_src_annotations_applications\",\"label\":\"src_annotations_applications\"},{\"columnId\":\"ob_src_annotations_environments\",\"label\":\"src_
annotations_environments\"},{\"columnId\":\"ob_src_annotations_locations\",\"label\":\"src_annotations_locations\"},{\"columnId\":\"ob_src_annotations_owners\",\"label\":\"src_annotations_owners\"},{\"columnId\":\"ob_src_annotations_roles\",\"label\":\"src_annotations_roles\"},{\"columnId\":\"ob_src_annotations_tags\",\"label\":\"src_annotations_tags\"},{\"columnId\":\"ob_dst_internal\",\"label\":\"dst_internal\"},{\"columnId\":\"ob_dst_geo_lat\",\"label\":\"dst_geo_lat\"},{\"columnId\":\"ob_dst_geo_lon\",\"label\":\"dst_geo_lon\"},{\"columnId\":\"ob_dst_geo_country\",\"label\":\"dst_geo_country\"},{\"columnId\":\"ob_dst_geo_subdivision\",\"label\":\"dst_geo_subdivision\"},{\"columnId\":\"ob_dst_geo_city\",\"label\":\"dst_geo_city\"},{\"columnId\":\"ob_dst_asn_asn\",\"label\":\"dst_asn_asn\"},{\"columnId\":\"ob_dst_asn_org\",\"label\":\"dst_asn_org\"},{\"columnId\":\"ob_dst_asn_isp\",\"label\":\"dst_asn_isp\"},{\"columnId\":\"ob_dst_asn_asn_org\",\"label\":\"dst_asn_asn_org\"},{\"columnId\":\"ob_dst_annotations_applications\",\"label\":\"dst_annotations_applications\"},{\"columnId\":\"ob_dst_annotations_environments\",\"label\":\"dst_annotations_environments\"},{\"columnId\":\"ob_dst_annotations_locations\",\"label\":\"_dst_annotations_locations\"},{\"columnId\":\"ob_dst_annotations_owners\",\"label\":\"dst_annotations_owners\"},{\"columnId\":\"ob_dst_annotations_roles\",\"label\":\"dst_annotations_roles\"},{\"columnId\":\"ob_dst_annotations_tags\",\"label\":\"dst_annotations_tags\"},{\"columnId\":\"ob_geo_distance\",\"label\":\"geo_distance\"},{\"columnId\":\"ob_uuid\",\"label\":\"uuid\"},{\"columnId\":\"ob_customer_id\",\"label\":\"customer_id\"}]}},\"name\":\"FNC Observation 
List\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Observation\"},\"name\":\"Observation\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Detections Charts**\"},\"name\":\"text - 5\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3e9b6847-1b6c-4ba5-87d6-a3d4b0e36046\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"88270ace-134e-4577-b2fd-58b4a7a0cb36\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"16f11673-0de7-4f81-94d8-5fcea8b83222\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n 
{\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"cab3ce23-4ea0-4565-a7fb-2009f888198f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsDetections_CL\\n| summarize by rule_category_s\\n| order by rule_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. {TimeRange:end})\\n| where de_severity in ({Severity})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| summarize Count = count() by de_severity, bin(de_created, 1d)\\n| render barchart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Severity\",\"color\":\"lightBlue\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"moderate\",\"color\":\"orange\"},{\"seriesName\":\"low\",\"color\":\"yellow\"},{\"seriesName\":\"high\",\"color\":\"redBright\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. 
{TimeRange:end})\\n| where de_confidence in ({Confidence})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| summarize Count = count() by de_confidence, bin(de_created, 1d)\\n| render barchart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Confidence\",\"color\":\"lightBlue\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"moderate\",\"color\":\"orange\"},{\"seriesName\":\"low\",\"color\":\"yellow\"},{\"seriesName\":\"high\",\"color\":\"redBright\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Detections List**\"},\"name\":\"text - 5 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a613556b-fcd7-440a-af79-47b839e8f76b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"9196914a-cd13-4897-8d8f-2e497721452a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n 
{\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"0b5bbec6-76d8-422c-89a4-95162c9300cb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\"},{\"id\":\"876e2140-cacb-4d7c-88ed-354ecd7e86a2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsDetections_CL\\n| summarize by rule_category_s\\n| order by rule_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"fb9f063f-c68e-4f27-8693-160f8759f8b2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RuleNames\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"FncEventsDetections_CL\\n| summarize by rule_name_s\\n| order by rule_name_s asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. 
{TimeRange:end})\\n| where de_severity in ({Severity})\\n| where de_confidence in ({Confidence})\\n| where de_rule_name in ({RuleNames})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| sort by de_created desc\\n| project-away su_*, ob_*\\n\\n\\n\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"FNC Detection List\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"showExpandCollapseGrid\":true,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"de_event_count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"yellowGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"de_events\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Events\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"de_indicators\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Indicators\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"de_status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"active\",\"representation\":\"greenDark\",\"text\":\"Active\"},{\"operator\":\"==\",\"thresholdValue\":\"resolved\",\"representation\":\"gray\",\"text\":\"Resolved\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"de_severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"High\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"Moderate\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"Low\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"de_confidence\",\"format
ter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"Low\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"Moderate\"},{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"High\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"de_rule_url\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"indicators\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}}],\"rowLimit\":1000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"de_device_ip\",\"label\":\"device_ip\"},{\"columnId\":\"de_event_count\",\"label\":\"event_count\"},{\"columnId\":\"de_events\",\"label\":\"events\"},{\"columnId\":\"de_indicators\",\"label\":\"indicators\"},{\"columnId\":\"de_last_seen\",\"label\":\"last_seen\"},{\"columnId\":\"de_status\",\"label\":\"status\"},{\"columnId\":\"de_rule_name\",\"label\":\"rule_name\"},{\"columnId\":\"de_severity\",\"label\":\"severity\"},{\"columnId\":\"de_confidence\",\"label\":\"confidence\"},{\"columnId\":\"de_resolved_by\",\"label\":\"resolved_by\"},{\"columnId\":\"de_resolution\",\"label\":\"resolution\"},{\"columnId\":\"de_resolution_comment\",\"label\":\"resolution_comment\"},{\"columnId\":\"de_date_resolved\",\"label\":\"date_resolved\"},{\"columnId\":\"de_rule_uuid\",\"label\":\"rule_uuid\"},{\"columnId\":\"de_category\",\"label\":\"category\"},{\"columnId\":\"de_created\",\"label\":\"created\"},{\"columnId\":\"de_updated\",\"label\":\"updated\"},{\"columnId\":\"de_first_seen\",\"label\":\"first_seen\"},{\"columnId\":\"de_muted\",\"label\":\"muted\"},{\"columnId\":\"de_rule_muted\",\"label\":\"rule_muted\"},{\"columnId\":\"de_mute_comment\",\"label\":\"mute_comment\"},{\"columnId\":\"de_muted_by\",\"label\":\"muted_by\"},{\"columnId\":\"de_date_muted\",\"label\":\"date_mute
d\"},{\"columnId\":\"de_sensor_id\",\"label\":\"sensor_id\"},{\"columnId\":\"de_account_id\",\"label\":\"account_id\"},{\"columnId\":\"de_uuid\",\"label\":\"uuid\"},{\"columnId\":\"de_username\",\"label\":\"username\"},{\"columnId\":\"de_hostname\",\"label\":\"hostname\"},{\"columnId\":\"de_primary_attack_id\",\"label\":\"primary_attack_id\"},{\"columnId\":\"de_secondary_attack_id\",\"label\":\"secondary_attack_id\"},{\"columnId\":\"de_rule_url\",\"label\":\"rule_url\"}]},\"tileSettings\":{\"showBorder\":false}},\"name\":\"query - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Detection\"},\"name\":\"Detection\"}],\"fromTemplateId\":\"sentinel-FortiNdrCloud\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## FortiNDR Cloud workbook\\n\\nUse this workbook to review Suricata, observation, and detection activity from the Fortinet FortiNDR Cloud parser. 
Ensure the Kusto function alias **Fortinet_FortiNDR_Cloud** is deployed first, then use the time range and filters to focus on specific sensors, categories, severities, and confidence values.\\n\\n**Prerequisite:** the Fortinet FortiNDR Cloud Kusto function must exist in the workspace.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"parameters\":[{\"id\":\"time_range_param\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"isGlobal\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000},{\"durationMs\":2592000000}]}},{\"id\":\"subscription_param\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\"},{\"id\":\"workspace_param\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\"}]},\"name\":\"parameters\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"29a65c20-978d-447b-b11c-f437f6c7fd7e\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Main Dashboard\",\"subTarget\":\"Main\",\"style\":\"link\"},{\"id\":\"514047f6-4d61-4f59-9f79-6c22c20645c0\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Suricata Dashboard\",\"subTarget\":\"Suricata\",\"style\":\"link\"},{\"id\":\"f20fabf1-3a44-417d-9e97-3d62d1990c8d\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Observation Dashboard\",\"subTarget\":\"Observation\",\"style\":\"link\"},{\"id\":\"392a41e1-a18c-4a6d-8144-c51e27a8bf4e\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Detection 
Dashboard\",\"subTarget\":\"Detection\",\"style\":\"link\"}]},\"name\":\"links - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"50650aa0-d12f-49ad-ba0d-e7a6a10b0a85\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. {TimeRange:end})\\n| summarize Count=count() by su_sig_category\",\"size\":0,\"showAnalytics\":true,\"title\":\"Suricata Counts By Category\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"exportParameterName\":\"SelectedRow_0\",\"noDataMessage\":\"No data matched the selected filters and time range.\"},\"customWidth\":\"50\",\"name\":\"Suricata Counts by Category\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between ({TimeRange:start} .. 
{TimeRange:end})\\n| summarize Count=count() by ob_observation_title\",\"size\":0,\"showAnalytics\":true,\"title\":\"Observation Counts by Title\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"exportParameterName\":\"SelectedRow_1\",\"noDataMessage\":\"No data matched the selected filters and time range.\"},\"customWidth\":\"50\",\"name\":\"Observation Counts by Title\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. {TimeRange:end})\\n| summarize Count = count() by de_severity\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Severity\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"exportParameterName\":\"SelectedRow_2\",\"noDataMessage\":\"No data matched the selected filters and time range.\"},\"customWidth\":\"50\",\"name\":\"Detection Counts by Severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. 
{TimeRange:end})\\n| summarize Count = count() by de_confidence\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Confidence\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"exportParameterName\":\"SelectedRow_0\",\"noDataMessage\":\"No data matched the selected filters and time range.\"},\"customWidth\":\"50\",\"name\":\"Detection Counts by Confidence\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Main\"},\"name\":\"Main Dashboard\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## FortiNDR Cloud workbook\\n\\nUse this workbook to review Suricata, observation, and detection activity from the Fortinet FortiNDR Cloud parser. Ensure the Kusto function alias **Fortinet_FortiNDR_Cloud** is deployed first, then use the time range and filters to focus on specific sensors, categories, severities, and confidence values.\\n\\n**Prerequisites:** the Fortinet FortiNDR Cloud Kusto function must exist in the target workspace, and the workbook should be connected to a workspace that contains FortiNDR Cloud data. 
[Deployment steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Fortinet%20FortiNDR%20Cloud/Package/Content%20Hub/Workbooks/FortiNDR%20Cloud%20Workbook.json)\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7b566fdf-c574-466d-8a25-eec9e314f560\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"0ce88674-9bf5-4c52-8286-28d3cf030e18\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_category_s\\n| order by alert_category_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Signature Category\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\",\"styleSettings\":{\"padding\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. 
{TimeRange:end})\\n| where isempty('{Category}') or (su_sig_category == '{Category}')\\n| summarize Count=count() by su_sig_category, bin(su_timestamp, 1d)\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true},\"exportParameterName\":\"SelectedRow_1\",\"noDataMessage\":\"No data matched the selected filters and time range.\"},\"name\":\"Suricata Events Over Time by Category\"},{\"type\":1,\"content\":{\"json\":\"**FortiDNR Cloud Suricata List:**\"},\"name\":\"text - 4 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5d5a54f3-6fca-4368-aea2-a2d0326daa62\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"03cace3a-c0d6-4184-a1aa-346c67578b6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_category_s\\n| order by alert_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Signature Category\"},{\"id\":\"0eea038f-b090-4021-9998-3b85c1abe20b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Name\",\"label\":\"Signature 
Name\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_signature_s\\n| order by alert_signature_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"d60df3de-0e80-4f12-8234-bb8a4ea27cfb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensorID\",\"label\":\"Sensor ID\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by sensor_id_s\\n| order by sensor_id_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. {TimeRange:end})\\n| where isempty('{Category}') or (su_sig_category == '{Category}')\\n| where isempty('{Name}') or (su_sig_name == '{Name}')\\n| where isempty('{SensorID}') or (su_sensor_id == '{SensorID}')\\n| project-away ob_*, 
de_*\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"observation_title\",\"formatter\":5},{\"columnMatch\":\"confidence\",\"formatter\":5},{\"columnMatch\":\"Category\",\"formatter\":5},{\"columnMatch\":\"class\",\"formatter\":5},{\"columnMatch\":\"context\",\"formatter\":5},{\"columnMatch\":\"evidence_iql\",\"formatter\":5},{\"columnMatch\":\"evidence_end_timestamp\",\"formatter\":5},{\"columnMatch\":\"evidence_start_timestamp\",\"formatter\":5},{\"columnMatch\":\"description\",\"formatter\":5},{\"columnMatch\":\"observation_uuid\",\"formatter\":5},{\"columnMatch\":\"sensor_ids\",\"formatter\":5},{\"columnMatch\":\"device_ip\",\"formatter\":5},{\"columnMatch\":\"status\",\"formatter\":5},{\"columnMatch\":\"indicators\",\"formatter\":5},{\"columnMatch\":\"last_seen\",\"formatter\":5}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"su_timestamp\",\"label\":\"timestamp\"},{\"columnId\":\"su_event_type\",\"label\":\"event_type\"},{\"columnId\":\"su_src_ip\",\"label\":\"src_ip\"},{\"columnId\":\"su_src_port\",\"label\":\"src_port\"},{\"columnId\":\"su_dst_ip\",\"label\":\"dst_ip\"},{\"columnId\":\"su_dst_port\",\"label\":\"dst_port\"},{\"columnId\":\"su_intel\",\"label\":\"intel\"},{\"columnId\":\"su_sig_name\",\"label\":\"sig_name\"},{\"columnId\":\"su_sig_id\",\"label\":\"sig_id\"},{\"columnId\":\"su_sig_rev\",\"label\":\"sig_rev\"},{\"columnId\":\"su_sig_category\",\"label\":\"sig_category\"},{\"columnId\":\"su_sig_severity\",\"label\":\"sig_severity\"},{\"columnId\":\"su_payload\",\"label\":\"payload\"},{\"columnId\":\"su_source\",\"label\":\"source\"},{\"columnId\":\"su_proto\",\"label\":\"proto\"},{\"columnId\":\"su_sensor_id\",\"label\":\"sensor_id\"},{\"columnId\":\"su_src_internal\",\"label\":\"src_internal\"},{\"columnId\":\"s
u_src_geo_lat\",\"label\":\"src_geo_lat\"},{\"columnId\":\"su_src_geo_lon\",\"label\":\"src_geo_lon\"},{\"columnId\":\"su_src_geo_country\",\"label\":\"src_geo_country\"},{\"columnId\":\"su_src_geo_subdivision\",\"label\":\"src_geo_subdivision\"},{\"columnId\":\"su_src_geo_city\",\"label\":\"src_geo_city\"},{\"columnId\":\"su_src_asn_asn\",\"label\":\"src_asn_asn\"},{\"columnId\":\"su_src_asn_org\",\"label\":\"src_asn_org\"},{\"columnId\":\"su_src_asn_isp\",\"label\":\"src_asn_isp\"},{\"columnId\":\"su_src_asn_asn_org\",\"label\":\"src_asn_asn_org\"},{\"columnId\":\"su_src_annotations_applications\",\"label\":\"src_annotations_applications\"},{\"columnId\":\"su_src_annotations_environments\",\"label\":\"src_annotations_environments\"},{\"columnId\":\"su_src_annotations_locations\",\"label\":\"src_annotations_locations\"},{\"columnId\":\"su_src_annotations_owners\",\"label\":\"src_annotations_owners\"},{\"columnId\":\"su_src_annotations_roles\",\"label\":\"src_annotations_roles\"},{\"columnId\":\"su_src_annotations_tags\",\"label\":\"src_annotations_tags\"},{\"columnId\":\"su_dst_internal\",\"label\":\"dst_internal\"},{\"columnId\":\"su_dst_geo_lat\",\"label\":\"dst_geo_lat\"},{\"columnId\":\"su_dst_geo_lon\",\"label\":\"dst_geo_lon\"},{\"columnId\":\"su_dst_geo_country\",\"label\":\"dst_geo_country\"},{\"columnId\":\"su_dst_geo_subdivision\",\"label\":\"dst_geo_subdivision\"},{\"columnId\":\"su_dst_geo_city\",\"label\":\"dst_geo_city\"},{\"columnId\":\"su_dst_asn_asn\",\"label\":\"dst_asn_asn\"},{\"columnId\":\"su_dst_asn_org\",\"label\":\"dst_asn_org\"},{\"columnId\":\"su_dst_asn_isp\",\"label\":\"dst_asn_isp\"},{\"columnId\":\"su_dst_asn_asn_org\",\"label\":\"dst_asn_asn_org\"},{\"columnId\":\"su_dst_annotations_applications\",\"label\":\"dst_annotations_applications\"},{\"columnId\":\"su_dst_annotations_environments\",\"label\":\"dst_annotations_environments\"},{\"columnId\":\"su_dst_annotations_locations\",\"label\":\"dst_annotations_locations\"},{\"columnId\":\
"su_dst_annotations_owners\",\"label\":\"dst_annotations_owners\"},{\"columnId\":\"su_dst_annotations_roles\",\"label\":\"dst_annotations_roles\"},{\"columnId\":\"su_dst_annotations_tags\",\"label\":\"dst_annotations_tags\"},{\"columnId\":\"su_geo_distance\",\"label\":\"geo_distance\"},{\"columnId\":\"su_http_status\",\"label\":\"http_status\"},{\"columnId\":\"su_http_protocol\",\"label\":\"http_protocol\"},{\"columnId\":\"su_http_url\",\"label\":\"http_url\"},{\"columnId\":\"su_http_hostname\",\"label\":\"http_hostname\"},{\"columnId\":\"su_http_host_internal\",\"label\":\"http_host_internal\"},{\"columnId\":\"su_http_host_geo_lat\",\"label\":\"http_host_geo_lat\"},{\"columnId\":\"su_http_host_geo_lon\",\"label\":\"http_host_geo_lon\"},{\"columnId\":\"su_http_host_geo_country\",\"label\":\"http_host_geo_country\"},{\"columnId\":\"su_http_host_geo_subdivision\",\"label\":\"http_host_geo_subdivision\"},{\"columnId\":\"su_http_host_geo_city\",\"label\":\"http_host_geo_city\"},{\"columnId\":\"su_http_host_asn_asn\",\"label\":\"http_host_asn_asn\"},{\"columnId\":\"su_http_host_asn_org\",\"label\":\"http_host_asn_org\"},{\"columnId\":\"su_http_host_asn_isp\",\"label\":\"http_host_asn_isp\"},{\"columnId\":\"su_http_host_asn_asn_org\",\"label\":\"http_host_asn_asn_org\"},{\"columnId\":\"su_http_host_annotations_applications\",\"label\":\"http_host_annotations_applications\"},{\"columnId\":\"su_http_host_annotations_environments\",\"label\":\"http_host_annotations_environments\"},{\"columnId\":\"su_http_host_annotations_locations\",\"label\":\"http_host_annotations_locations\"},{\"columnId\":\"su_http_host_annotations_owners\",\"label\":\"http_host_annotations_owners\"},{\"columnId\":\"su_http_host_annotations_roles\",\"label\":\"http_host_annotations_roles\"},{\"columnId\":\"su_http_host_annotations_tags\",\"label\":\"http_host_annotations_tags\"},{\"columnId\":\"su_http_host_domain_entropy\",\"label\":\"http_host_domain_entropy\"},{\"columnId\":\"su_http_length\",\"label\
":\"http_length\"},{\"columnId\":\"su_http_method\",\"label\":\"http_method\"},{\"columnId\":\"su_http_content_type\",\"label\":\"http_content_type\"},{\"columnId\":\"su_http_refer\",\"label\":\"http_refer\"},{\"columnId\":\"su_http_user_agent\",\"label\":\"http_user_agent\"},{\"columnId\":\"su_http_redirect\",\"label\":\"http_redirect\"},{\"columnId\":\"su_http_xtf\",\"label\":\"http_xtf\"},{\"columnId\":\"su_uuid\",\"label\":\"uuid\"},{\"columnId\":\"su_customer_id\",\"label\":\"customer_id\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"heatmapPalette\":\"greenRed\"}},\"noDataMessage\":\"No Suricata records matched the selected filters and time range.\",\"noDataMessageStyle\":\"warning\",\"exportParameterName\":\"SelectedRow_2\"},\"name\":\"Suricata Event List\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Suricata\"},\"name\":\"Suricata\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Observation Chart:**\"},\"name\":\"text - 
4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"fcd15fc8-790a-448e-8a61-1a1ec5f70e05\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"fd7ebd99-2ba4-4240-86de-1c109bc10fba\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Title\",\"label\":\"Observation Title\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by title_s\\n| order by title_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between({TimeRange:start} .. 
{TimeRange:end})\\n| where isempty('{Title}') or (ob_observation_title == '{Title}')\\n| summarize Count = count() by ob_observation_title, bin(ob_timestamp, 1d)\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0},\"chartSettings\":{\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"High\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"High\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"High\",\"heatmapPalette\":\"greenRed\"}},\"noDataMessage\":\"No data matched the selected filters and time range.\"},\"name\":\"Observation Events Over Time by Title\"},{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Observation List:**\"},\"name\":\"text - 4 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"55ad269b-ead8-4f61-b429-669d632b53e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"43131f54-c638-41a3-a54c-d8768c2df468\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Title\",\"label\":\"Ovbservation Title\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by title_s\\n| order by 
title_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9ff7f038-1fa5-4ac1-84cb-ef8c6e91a183\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Sensor_ID\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by sensor_id_s\\n| order by sensor_id_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"3e100d32-5ad3-4a4f-a486-f65be2c62101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"defaultValue\":\"value::all\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between({TimeRange:start} .. 
{TimeRange:end})\\n| where ob_confidence in ({Confidence})\\n| where isempty('{Sensor_ID}') or (ob_sensor_id == '{Sensor_ID}')\\n| where isempty('{Title}') or (ob_observation_title == '{Title}')\\n| project-away su_*, de_*\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ob_confidence\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ob_context\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Context\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"ob_evidence_iql\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Evidence 
IQL\",\"linkIsContextBlade\":true}}],\"rowLimit\":1000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"Type\",\"label\":\"Type\"},{\"columnId\":\"ob_timestamp\",\"label\":\"timestamp\"},{\"columnId\":\"ob_observation_title\",\"label\":\"observation_title\"},{\"columnId\":\"ob_confidence\",\"label\":\"confidence\"},{\"columnId\":\"ob_category\",\"label\":\"category\"},{\"columnId\":\"ob_class\",\"label\":\"class\"},{\"columnId\":\"ob_context\",\"label\":\"context\"},{\"columnId\":\"ob_evidence_iql\",\"label\":\"evidence_iql\"},{\"columnId\":\"ob_evidence_end_timestamp\",\"label\":\"evidence_end_timestamp\"},{\"columnId\":\"ob_evidence_start_timestamp\",\"label\":\"evidence_start_timestamp\"},{\"columnId\":\"ob_description\",\"label\":\"description\"},{\"columnId\":\"ob_observation_uuid\",\"label\":\"observation_uuid\"},{\"columnId\":\"ob_sensor_ids\",\"label\":\"sensor_ids\"},{\"columnId\":\"ob_event_type\",\"label\":\"event_type\"},{\"columnId\":\"ob_src_ip\",\"label\":\"src_ip\"},{\"columnId\":\"ob_dst_ip\",\"label\":\"dst_ip\"},{\"columnId\":\"ob_intel\",\"label\":\"intel\"},{\"columnId\":\"ob_source\",\"label\":\"source\"},{\"columnId\":\"ob_sensor_id\",\"label\":\"sensor_id\"},{\"columnId\":\"ob_src_internal\",\"label\":\"src_internal\"},{\"columnId\":\"ob_src_geo_lat\",\"label\":\"src_geo_lat\"},{\"columnId\":\"ob_src_geo_lon\",\"label\":\"src_geo_lon\"},{\"columnId\":\"ob_src_geo_country\",\"label\":\"src_geo_country\"},{\"columnId\":\"ob_src_geo_subdivision\",\"label\":\"src_geo_subdivision\"},{\"columnId\":\"ob_src_geo_city\",\"label\":\"_src_geo_city\"},{\"columnId\":\"ob_src_asn_asn\",\"label\":\"src_asn_asn\"},{\"columnId\":\"ob_src_asn_org\",\"label\":\"src_asn_org\"},{\"columnId\":\"ob_src_asn_isp\",\"label\":\"src_asn_isp\"},{\"columnId\":\"ob_src_asn_asn_org\",\"label\":\"src_asn_asn_org\"},{\"columnId\":\"ob_src_annotations_applications\",\"label\":\"src_annotations_applications\"},{\"columnId\":\"ob_src_annotations_environments\",\"label\":\"src_
annotations_environments\"},{\"columnId\":\"ob_src_annotations_locations\",\"label\":\"src_annotations_locations\"},{\"columnId\":\"ob_src_annotations_owners\",\"label\":\"src_annotations_owners\"},{\"columnId\":\"ob_src_annotations_roles\",\"label\":\"src_annotations_roles\"},{\"columnId\":\"ob_src_annotations_tags\",\"label\":\"src_annotations_tags\"},{\"columnId\":\"ob_dst_internal\",\"label\":\"dst_internal\"},{\"columnId\":\"ob_dst_geo_lat\",\"label\":\"dst_geo_lat\"},{\"columnId\":\"ob_dst_geo_lon\",\"label\":\"dst_geo_lon\"},{\"columnId\":\"ob_dst_geo_country\",\"label\":\"dst_geo_country\"},{\"columnId\":\"ob_dst_geo_subdivision\",\"label\":\"dst_geo_subdivision\"},{\"columnId\":\"ob_dst_geo_city\",\"label\":\"dst_geo_city\"},{\"columnId\":\"ob_dst_asn_asn\",\"label\":\"dst_asn_asn\"},{\"columnId\":\"ob_dst_asn_org\",\"label\":\"dst_asn_org\"},{\"columnId\":\"ob_dst_asn_isp\",\"label\":\"dst_asn_isp\"},{\"columnId\":\"ob_dst_asn_asn_org\",\"label\":\"dst_asn_asn_org\"},{\"columnId\":\"ob_dst_annotations_applications\",\"label\":\"dst_annotations_applications\"},{\"columnId\":\"ob_dst_annotations_environments\",\"label\":\"dst_annotations_environments\"},{\"columnId\":\"ob_dst_annotations_locations\",\"label\":\"_dst_annotations_locations\"},{\"columnId\":\"ob_dst_annotations_owners\",\"label\":\"dst_annotations_owners\"},{\"columnId\":\"ob_dst_annotations_roles\",\"label\":\"dst_annotations_roles\"},{\"columnId\":\"ob_dst_annotations_tags\",\"label\":\"dst_annotations_tags\"},{\"columnId\":\"ob_geo_distance\",\"label\":\"geo_distance\"},{\"columnId\":\"ob_uuid\",\"label\":\"uuid\"},{\"columnId\":\"ob_customer_id\",\"label\":\"customer_id\"}]},\"noDataMessage\":\"No observation records matched the selected filters and time range.\",\"noDataMessageStyle\":\"warning\"},\"name\":\"Observation Event 
List\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Observation\"},\"name\":\"Observation\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Detections Charts**\"},\"name\":\"text - 5\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3e9b6847-1b6c-4ba5-87d6-a3d4b0e36046\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"88270ace-134e-4577-b2fd-58b4a7a0cb36\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"16f11673-0de7-4f81-94d8-5fcea8b83222\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n 
{\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"cab3ce23-4ea0-4565-a7fb-2009f888198f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsDetections_CL\\n| summarize by rule_category_s\\n| order by rule_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. {TimeRange:end})\\n| where de_severity in ({Severity})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| summarize Count = count() by de_severity, bin(de_created, 1d)\\n| render barchart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Severity\",\"color\":\"lightBlue\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"moderate\",\"color\":\"orange\"},{\"seriesName\":\"low\",\"color\":\"yellow\"},{\"seriesName\":\"high\",\"color\":\"redBright\"}]},\"visualization\":\"barchart\",\"noDataMessage\":\"No data matched the selected filters and time range.\"},\"customWidth\":\"50\",\"name\":\"Detection Severity Over Time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. 
{TimeRange:end})\\n| where de_confidence in ({Confidence})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| summarize Count = count() by de_confidence, bin(de_created, 1d)\\n| render barchart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Confidence\",\"color\":\"lightBlue\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"moderate\",\"color\":\"orange\"},{\"seriesName\":\"low\",\"color\":\"yellow\"},{\"seriesName\":\"high\",\"color\":\"redBright\"}]},\"visualization\":\"barchart\",\"noDataMessage\":\"No data matched the selected filters and time range.\"},\"customWidth\":\"50\",\"name\":\"Detection Confidence Over Time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Detections List**\"},\"name\":\"text - 5 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a613556b-fcd7-440a-af79-47b839e8f76b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"9196914a-cd13-4897-8d8f-2e497721452a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]
},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"0b5bbec6-76d8-422c-89a4-95162c9300cb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\"},{\"id\":\"876e2140-cacb-4d7c-88ed-354ecd7e86a2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsDetections_CL\\n| summarize by rule_category_s\\n| order by rule_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"fb9f063f-c68e-4f27-8693-160f8759f8b2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RuleNames\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"FncEventsDetections_CL\\n| summarize by rule_name_s\\n| order by rule_name_s asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 
'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. {TimeRange:end})\\n| where de_severity in ({Severity})\\n| where de_confidence in ({Confidence})\\n| where de_rule_name in ({RuleNames})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| sort by de_created desc\\n| project-away su_*, ob_*\\n\\n\\n\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"FNC Detection List\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"showExpandCollapseGrid\":true,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"de_event_count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"yellowGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"de_events\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Events\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"de_indicators\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Indicators\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"de_status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"active\",\"representation\":\"greenDark\",\"text\":\"Active\"},{\"operator\":\"==\",\"thresholdValue\":\"resolved\",\"representation\":\"gray\",\"text\":\"Resolved\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"de_severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"High\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"Moderate\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"Low\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"compositeBarS
ettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"de_confidence\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"Low\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"Moderate\"},{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"High\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"de_rule_url\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"indicators\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}}],\"rowLimit\":1000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"de_device_ip\",\"label\":\"device_ip\"},{\"columnId\":\"de_event_count\",\"label\":\"event_count\"},{\"columnId\":\"de_events\",\"label\":\"events\"},{\"columnId\":\"de_indicators\",\"label\":\"indicators\"},{\"columnId\":\"de_last_seen\",\"label\":\"last_seen\"},{\"columnId\":\"de_status\",\"label\":\"status\"},{\"columnId\":\"de_rule_name\",\"label\":\"rule_name\"},{\"columnId\":\"de_severity\",\"label\":\"severity\"},{\"columnId\":\"de_confidence\",\"label\":\"confidence\"},{\"columnId\":\"de_resolved_by\",\"label\":\"resolved_by\"},{\"columnId\":\"de_resolution\",\"label\":\"resolution\"},{\"columnId\":\"de_resolution_comment\",\"label\":\"resolution_comment\"},{\"columnId\":\"de_date_resolved\",\"label\":\"date_resolved\"},{\"columnId\":\"de_rule_uuid\",\"label\":\"rule_uuid\"},{\"columnId\":\"de_category\",\"label\":\"category\"},{\"columnId\":\"de_created\",\"label\":\"created\"},{\"columnId\":\"de_updated\",\"label\":\"updated\"},{\"columnId\":\"de_first_seen\",\"label\":\"first_seen\"},{\"columnId\":\"de_muted\",\"label\":\"muted\"},{\"columnId\":\"de_rule_muted\",\"label\":\"rule_muted\"},{\"columnId\":\"de_mute_comment\",\"label\":\"mute_comment\"},{\"columnId\":\"de_muted_by\",\
"label\":\"muted_by\"},{\"columnId\":\"de_date_muted\",\"label\":\"date_muted\"},{\"columnId\":\"de_sensor_id\",\"label\":\"sensor_id\"},{\"columnId\":\"de_account_id\",\"label\":\"account_id\"},{\"columnId\":\"de_uuid\",\"label\":\"uuid\"},{\"columnId\":\"de_username\",\"label\":\"username\"},{\"columnId\":\"de_hostname\",\"label\":\"hostname\"},{\"columnId\":\"de_primary_attack_id\",\"label\":\"primary_attack_id\"},{\"columnId\":\"de_secondary_attack_id\",\"label\":\"secondary_attack_id\"},{\"columnId\":\"de_rule_url\",\"label\":\"rule_url\"}]},\"tileSettings\":{\"showBorder\":false},\"noDataMessage\":\"No detection records matched the selected filters and time range.\",\"noDataMessageStyle\":\"warning\"},\"name\":\"Detection Event List\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Detection\"},\"name\":\"Detection\"}],\"fromTemplateId\":\"sentinel-FortiNdrCloud\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel"
diff --git a/Solutions/Fortinet FortiNDR Cloud/ReleaseNotes.md b/Solutions/Fortinet FortiNDR Cloud/ReleaseNotes.md
index 5feef799b0d..f1094cc8596 100644
--- a/Solutions/Fortinet FortiNDR Cloud/ReleaseNotes.md
+++ b/Solutions/Fortinet FortiNDR Cloud/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|-------------------------------------------------------|
+| 3.0.4 | 12-06-2026 | Updated **Workbook** |
 | 3.0.3 | 05-05-2025 | Use Flex Consumption plan to hold Data Connector |
 | 3.0.2 | 30-09-2024 | Show mitre attack ids and link to detection rule page |
 | 3.0.1 | 31-05-2024 | Replace Metastream with FortiNDR Cloud API |
diff --git a/Solutions/Fortinet FortiNDR Cloud/Workbooks/FortinetFortiNdrCloudWorkbook.json b/Solutions/Fortinet FortiNDR Cloud/Workbooks/FortinetFortiNdrCloudWorkbook.json
index 66e2d928827..ff4f60eb5d0 100644
--- a/Solutions/Fortinet FortiNDR Cloud/Workbooks/FortinetFortiNdrCloudWorkbook.json
+++ b/Solutions/Fortinet FortiNDR Cloud/Workbooks/FortinetFortiNdrCloudWorkbook.json
@@ -4,10 +4,74 @@
 {
 "type": 1,
 "content": {
- "json": "## FortiNDR Cloud workbook\n---\n>**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Fortinet%20FortiNDR%20Cloud/Parsers/Fortinet_FortiNDR_Cloud.md) to create the Kusto function alias **Fortinet_FortiNDR_Cloud**."
+ "json": "## FortiNDR Cloud workbook\n\nUse this workbook to review Suricata, observation, and detection activity from the Fortinet FortiNDR Cloud parser. Ensure the Kusto function alias **Fortinet_FortiNDR_Cloud** is deployed first, then use the time range and filters to focus on specific sensors, categories, severities, and confidence values.\n\n**Prerequisite:** the Fortinet FortiNDR Cloud Kusto function must exist in the workspace."
 },
 "name": "text - 2"
 },
+ {
+ "type": 11,
+ "content": {
+ "parameters": [
+ {
+ "id": "time_range_param",
+ "version": "KqlParameterItem/1.0",
+ "name": "TimeRange",
+ "type": 4,
+ "isRequired": true,
+ "isGlobal": true,
+ "value": {
+ "durationMs": 86400000
+ },
+ "typeSettings": {
+ "selectableValues": [
+ {
+ "durationMs": 3600000
+ },
+ {
+ "durationMs": 14400000
+ },
+ {
+ "durationMs": 43200000
+ },
+ {
+ "durationMs": 86400000
+ },
+ {
+ "durationMs": 172800000
+ },
+ {
+ "durationMs": 604800000
+ },
+ {
+ "durationMs": 2592000000
+ }
+ ]
+ }
+ },
+ {
+ "id": "subscription_param",
+ "version": "KqlParameterItem/1.0",
+ "name": "Subscription",
+ "type": 6,
+ "isRequired": true,
+ "multiSelect": true,
+ "quote": "'",
+ "delimiter": ","
+ },
+ {
+ "id": "workspace_param",
+ "version": "KqlParameterItem/1.0",
+ "name": "Workspace",
+ "type": 5,
+ "isRequired": true,
+ "multiSelect": true,
+ "quote": "'",
+ "delimiter": ","
+ }
+ ]
+ },
+ "name": "parameters"
+ },
 {
 "type": 11,
 "content": {
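Review bot: The new parameter bar is declared with `"type": 11`, but every other `parameters` array in this diff sits in a `"type": 9` item whose content opens with `"version": "KqlParameterItem/1.0"`, while the type 11 items carry `LinkItem/1.0` with a `links` array (both shapes are visible in the packaged serializedData above), so this item is unlikely to render as a parameter bar. I would change it to `"type": 9,` and open the content with `"content": { "version": "KqlParameterItem/1.0", "parameters": [`. The global `TimeRange` (`"isGlobal": true`) also shares its name with the per-tab `TimeRange` parameters that the packaged Detection tab still defines; whether the local ones shadow or conflict with it is not clear from here and is worth checking in the rendered workbook. None of the queries visible in this diff reference `{Workspace}` or `{Subscription}`, so those two parameters appear unused unless the queries' resource scoping is set outside these hunks. The enclosing items array continues outside the hunk.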
@@ -144,10 +208,12 @@
 "showExportToExcel": true,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "piechart"
+ "visualization": "piechart",
+ "exportParameterName": "SelectedRow_0",
+ "noDataMessage": "No data matched the selected filters and time range."
 },
 "customWidth": "50",
- "name": "main-Suricata"
+ "name": "Suricata Counts by Category"
 },
 {
 "type": 3,
@@ -161,10 +227,12 @@
 "showExportToExcel": true,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "piechart"
+ "visualization": "piechart",
+ "exportParameterName": "SelectedRow_1",
+ "noDataMessage": "No data matched the selected filters and time range."
 },
 "customWidth": "50",
- "name": "main-observation"
+ "name": "Observation Counts by Title"
 },
 {
 "type": 3,
@@ -178,10 +246,12 @@
 "showExportToExcel": true,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "piechart"
+ "visualization": "piechart",
+ "exportParameterName": "SelectedRow_2",
+ "noDataMessage": "No data matched the selected filters and time range."
 },
 "customWidth": "50",
- "name": "main-detections-s"
+ "name": "Detection Counts by Severity"
 },
 {
 "type": 3,
@@ -195,10 +265,12 @@
 "showExportToExcel": true,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "piechart"
+ "visualization": "piechart",
+ "exportParameterName": "SelectedRow_0",
+ "noDataMessage": "No data matched the selected filters and time range."
 },
 "customWidth": "50",
- "name": "main-detections-s - Copy"
+ "name": "Detection Counts by Confidence"
 }
 ]
 },
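Review bot: `"exportParameterName": "SelectedRow_0"` is assigned to both the first pie chart (Suricata Counts by Category, hunk @@ -144) and the fourth (Detection Counts by Confidence, hunk @@ -195), so a row selected in either chart overwrites the same parameter; the second and third charts use `SelectedRow_1` and `SelectedRow_2`, which suggests the fourth was meant to be `"exportParameterName": "SelectedRow_3",`. The same three names are reused again in the Suricata tab (hunks @@ -326 and @@ -860 below), which only works if those charts never need to drive a consumer at the same time as the dashboard charts. No query in this diff reads any `SelectedRow_*` parameter, so if nothing consumes them the exports could be dropped rather than renamed. Each hunk's enclosing item starts outside the hunk.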
@@ -218,7 +290,7 @@
 {
 "type": 1,
 "content": {
- "json": "**FortiDNR Cloud Suricata Chart:**"
+ "json": "## FortiNDR Cloud workbook\n\nUse this workbook to review Suricata, observation, and detection activity from the Fortinet FortiNDR Cloud parser. Ensure the Kusto function alias **Fortinet_FortiNDR_Cloud** is deployed first, then use the time range and filters to focus on specific sensors, categories, severities, and confidence values.\n\n**Prerequisites:** the Fortinet FortiNDR Cloud Kusto function must exist in the target workspace, and the workbook should be connected to a workspace that contains FortiNDR Cloud data. [Deployment steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Fortinet%20FortiNDR%20Cloud/Package/Content%20Hub/Workbooks/FortiNDR%20Cloud%20Workbook.json)"
 },
 "name": "text - 4"
 },
@@ -326,9 +398,11 @@
 "visualization": "barchart",
 "chartSettings": {
 "showLegend": true
- }
+ },
+ "exportParameterName": "SelectedRow_1",
+ "noDataMessage": "No data matched the selected filters and time range."
 },
- "name": "query - 2"
+ "name": "Suricata Events Over Time by Category"
 },
 {
 "type": 1,
@@ -860,9 +934,12 @@
 "nodeColorField": "http_hostname_enrichments_ip_enrichments_asn_asn_d",
 "heatmapPalette": "greenRed"
 }
- }
+ },
+ "noDataMessage": "No Suricata records matched the selected filters and time range.",
+ "noDataMessageStyle": "warning",
+ "exportParameterName": "SelectedRow_2"
 },
- "name": "FNC Suricata List"
+ "name": "Suricata Event List"
 }
 ]
 },
@@ -1006,9 +1083,10 @@
 "nodeColorField": "High",
 "heatmapPalette": "greenRed"
 }
- }
+ },
+ "noDataMessage": "No data matched the selected filters and time range."
 },
- "name": "query - 5"
+ "name": "Observation Events Over Time by Title"
 },
 {
 "type": 1,
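Review bot: The Suricata tab's heading (hunk @@ -218) is replaced with a full copy of the workbook intro that already appears at the top of the workbook, and the two copies have already drifted (`**Prerequisite:**` with one sentence at the top versus `**Prerequisites:**` with an extra sentence and a link here), which is the usual fate of duplicated intro text. The sibling tabs keep a one-line bold title (the packaged Detection tab uses `**FortiNDR Cloud Detections Charts**`), so fixing the typo in place, `"json": "**FortiNDR Cloud Suricata Charts**"`, would keep the tabs consistent. The "[Deployment steps]" link also points at a raw workbook JSON file rather than at instructions, whereas the removed text linked the parser's markdown, which is what the prerequisite sentence is actually about. The enclosing item starts outside the hunk.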
@@ -1422,9 +1500,11 @@
 "label": "customer_id"
 }
 ]
- }
+ },
+ "noDataMessage": "No observation records matched the selected filters and time range.",
+ "noDataMessageStyle": "warning"
 },
- "name": "FNC Observation List"
+ "name": "Observation Event List"
 }
 ]
 },
@@ -1613,10 +1693,12 @@
 "color": "redBright"
 }
 ]
- }
+ },
+ "visualization": "barchart",
+ "noDataMessage": "No data matched the selected filters and time range."
 },
 "customWidth": "50",
- "name": "query - 8 - Copy",
+ "name": "Detection Severity Over Time",
 "styleSettings": {
 "showBorder": true
 }
@@ -1650,10 +1732,12 @@
 "color": "redBright"
 }
 ]
- }
+ },
+ "visualization": "barchart",
+ "noDataMessage": "No data matched the selected filters and time range."
 },
 "customWidth": "50",
- "name": "query - 8 - Copy - Copy",
+ "name": "Detection Confidence Over Time",
 "styleSettings": {
 "showBorder": true
 }
@@ -2110,9 +2194,11 @@
 },
 "tileSettings": {
 "showBorder": false
- }
+ },
+ "noDataMessage": "No detection records matched the selected filters and time range.",
+ "noDataMessageStyle": "warning"
 },
- "name": "query - 6"
+ "name": "Detection Event List"
 }
 ]
 },