From 13703cdb023c09b1d01acee9891f81ece36703c6 Mon Sep 17 00:00:00 2001 From: Alekhya0824 Date: Fri, 12 Jun 2026 15:12:15 +0530 Subject: [PATCH] fortinet content UPlift --- .../Fortinet FortiNDR Cloud/Package/3.0.3.zip | Bin 16151 -> 16274 bytes .../Package/mainTemplate.json | 6 +- .../Fortinet FortiNDR Cloud/ReleaseNotes.md | 1 + .../FortinetFortiNdrCloudWorkbook.json | 134 ++++++++++++++---- 4 files changed, 114 insertions(+), 27 deletions(-) 
diff --git a/Solutions/Fortinet FortiNDR Cloud/Package/3.0.3.zip b/Solutions/Fortinet FortiNDR Cloud/Package/3.0.3.zip index 2e76aabf62b2e58f51b5a25a4fbc15e4dfa852ae..cb541b8ebafa7cd639733cfda63977499c7e3259 100644 GIT binary patch literal 16274 zcmbWebFe5u4=;FZ+qP}nwr!jD*tTukwr%qs+dg~0@9oy^zODEE*qPLHb&^ikRAnkX zNq!2_z#u39000mGQl8T~tVwC$zTf}=7?=P6=>NFJPNs$~rmB`Are>CQmM)g|c63(G z_I5KG-*(%hh`)ROdxrgN^NQ_9l0boILOE(FNaX(67>QQI?Z|<=PUBlv9Ya@iuBo_y zo~e9VdBy2}#}bI-Tcb(N_ygOyx%VEkGCuFVFa_?+vFjMo2N*%DPocbd^3=%{>6*tG z#IK3&ds#3>lGohb{vhCri8l@I*9^~mE$2JD)!oiAq-b$Ta(Sszk?$QZ^wFO4gDTTo z)4CMS*H^1Ev6)c1E<~K}94H{~6*eTYAioB$tc5TTiHD7Xjok&r0R*PIP&Hix3J_dt zzw4!waD=K*L@m9Tkyb}@*L@oXvavNfv>f+M@BmvMqED@Ii`f*)bh>s>(PpMM8^br) zcayH{ZID`#vsQZ2RSPromqlOkkPemIkc(o9zOZS7)h9$~_i2Fny*GNa!5G9aX?MMR zR+Z>oe1G3g9Nho#b*oX(1P-9Uasai7Nk~#|O5_YcDKkMRX_F@(BKNixOSPV2q_6q; zeZ%W`h`-PoItHNHqnXx`$8@ArbX_}xH84Ijnwg#MErZloEztEP~MGRBOcNDU^1$aql zo-bz$F*+OcIqL{->C_^o!BWm=1nI`qPC<&aT^3p8u4G6~Zm1f{N!OgFAFOFoW|~(6 zVCfAWoUf6Y{}>-GM4+xH?lPt=nVnzdf=L1F7QLpCxV8v(96r8tj#&MK8jhUI>DGdG zw2EpMCdZ*s!kxo9{VlS7dL}_v;^f+uMD)tLxy^$l-%oBHT~BDpUJX-T-}9r59+`dB zW@4u<%(@8PqnlO4faMIUY&5jEBv9pXV}%O2gNEs7_WXQ1V%tE99D)k9TCV?F35|^_ z00;r2MI{?uS9RvqujN9S4;{vjViBD7P&u;aN!>y1x+YxEyOb(8Jj-rkXG3VzoSl^N z)S+OpEn0EMXvd4j2Nj2qr%YxnpFy>`o-ggu^WA>iDWgauwv$qX9N}lO0XlTzh7@rW)ZL+w4?Qe~!wnVh{AOsGte+ zgdRPr-w*nKT#Yvr<)h{kD+YH~I!zuQ{s(&FSELcS4NB71o@ zd`up~LwXHU@k34IO1crbAL+=H66sA<4kXb@9z$zp@P9J$RyDNioFOD;DUP76~8e&8AxA{eJ-EZInQb3QOtSND;Di85HzGo0>1 zvt6v6oy3qh;Zmmzo2Mn!aVWMwTgl^2K3Fr!@Lh%8PImljTN_ji~!^*=Oo3= zLnE0t&+uB1s8wY6a$!S|7;7a-SK3|AkAMr6!QxB>jmjn3zwL^Z@;PpbRmn-YFb(t4 zkybGYTbhnSf+nyFq>i@?5~7ThNRNxD;wJR^0A2>qQYXq3mO}0ht12BOZOLP2ErUvX zqfC(G3OKQ6`WUhYMYyJU^8&FKi)Raa;HM@}r}jNCuVe!zzN#p%XoJp~?lPnIc5g!r z`I|1cQ^Ar5#awt>LyGAXb1c?iy)?o`#0P>DS?xY=JlJ?GW_b%!kRbIWPg^{bky388 zgXCTj=EqpMvpIcE!M@GReRU4FU*$#bXZ9iA3-OD!Mq*7_Aom1JnE};^F{(go^!`|F zF|vr>5vL$PUw6&dQqt1Z6m7GU&1qS+7dg40*ih33CM_3iurAAM_NkbW!ZULLE*q7! 
z^K?XhUew)iRSBt0ikzj3>y?AWT)Rw82`*bF;hK1-=jUN9XVj5Bf`_4r6H!+VvZ01@ z5;x0E9IK93abhQt2^2lDSTJ=cJn)ibqjWeR($fzeap9n;opFRSVg^mJW9FkEWt3Vd za2tSY_zfFHfq-bS}fY}Oe60KvjFeLJf#$BQIc_va+*u(kVJ{b@i zqwC_}TtT!X>TvIP@St3EB#XKE$=^d8?Ox1c7w%DS(z@v}=P{mY4!si|eU4@S`=)-L zFijZNUdtj6T4>czSw;KY(ZTj0NR!Np;pMbd4l6esL_k0_*ZkbYI=Kt>Zg2RHu=rXY zn=`-fdB@=5D-_L)glivJD+94XOoY6s_>x>iv9=t3H2 zp!;xG54BxA6)$KF|0G!1oY5-odNph4@3lK1D=l2@1lZC}^54oBqSv;}g z9bM;A8Nv2g1XS%ma{5{d}5TL3tsj&z`wx@xa=#r5DXfEoaR%yp=(gN>NJ~Y>TSGF1K1h} zDBOAd^o^JHBpc*K6k;v;&U3|Ix|4zKM%Nkie}L>d1Vbf}){G18ngzH*bPLXs1_ty{ zY1z>#$?J{BG+j4&do;IFlL=aW&kE$jg|7qh#K!dbK&c{aIp;9ekj?`S4pnYzh zSC6fXao0+Xm2a{X0Jn|5jbHo2MDz8Twnj>dFZ78;$BBo`P6598Iw^;^4+~XZg_q?r z#yAuJUVi}IisR>Sxu|N?+JX28r9_VJ2o_vRPfopaXUO@kQkf2S*Tg^RRx0G=l_*nEKym+AJS}7J$r;87L zlb;YDwD$Y5qcqmiu^fg(;)|6F;qnr2-og3Q_1UL}R57|hx`zrajOOpbw(|s3$#h+4 z=cJS$XplAd-h*O~7NLUUiuj{gd(CJlHitWJ+AiZ(_9cDB`9lui(x-68Ag)bPt5uQV zcK^$2EK7vOHklI%mb-7HD_UKA`%mIh0^$49Oh>`*yra%QlKn#1JZ!tqJKjexMo$$g z5rhwf;yw{j{_XH8g;}oX^hdZ4_&bULz5v-MBvd~R(s4aKe^{^)8xjnZ0MPsxY$K)9 z=Dzrq=UXbWG{q)@n)JGjF46$4P@Xm=q<=0nqy-zSl}{6-j=sEURt%p#rJZR+d20&# zgb&DFYmdu0RdyK2L=tmenlhQ^$X+VW>ns*hWMHg{jD+~&yKEmd<#*}c-)6Vr1mcRM zb7}8u9KazHTHtog@3=EFJ-bQ%P1f;)wQw-HHP}eEmMI1Y+fg%gkBS67MmBib1O#IK zj~96MD=8g1zC z!*Q~HH%1F9+v)HluLj?`i4~0{MWs5uj~2U{`b#Jr4%DWk@lIwXUFedAjPORY&O+Dc z(dv}#Q*;G{={iS`@onxoJ0kvsD$b}t5L%(sJGRJ*? 
z9qhu`=bsCg%FZcfQAnXIC6x3aGqC79kuz9x13;f37FU*}i$}pgto z>PG>A9Abql^9|COOG}O$qc#}YpEbU0YZ`8qa9q-JJOYAT!RZp@YqZzg?`Yq_bCu6N z)Qr?!aG^h9U1M%yTMw@m2fkorVBhub0N|F<&qkP(h0}8^b@M$?nrfGiky^iTXSjz; z!ppl=Ib<@97PXrgiZC25(cTzadlg}>02;VqG5kQwvS1(Uw<6VLLNDXeQ- zY;itNvJJsmvnVtAN0|*;ab1D{j5cA}A^BGwvU@rA{@^@_SvZ8$CFrl8>ihBfX)c?K zUpSe5v(YSKb;3B4!U^rJlQQGo_E$a?ZhZZHUV)#>lyw-9nV(=4l0aCfNEsSqtF~UG-K)sF3Q9OS3L77E}}8+1s2=eiZjLWTCl6}sk+;D|3xsm!rH-2B<_E)9v!?gUyD15qJ7v)S9jq4B<#Qm^uGfez}lcb z>oS>f1>9w`W<0sIb^(9eQ0(Z;|3VWp9Frn)ZfaQPoM}rhqG#u6h)XE2VXCo4S zcp;VM?^_IQEULWoo8F+(B6^o5!_Yk*URH$h!Kp47gL8#O_ms1vc{iP3>bRA3(`a2@ zd{z3JrXRRl&UPEAeHB?AD_GYp8#fqtyDT#CsbCYi0fn2ap>rc_#Pinl@*TC9@~1C(Ql<(twcfXgv_Tx3wd6FuGC?OoV6< zw7roXIA$^ZGo#K0_C>%-G->#r7aukkY8c2MdcP0CNGFZ^Q2~2sdy^PQrA>g-j0mKS z!TQ!?*747Y?(qmVUE4o7cnXYD^qDh{>h^klJzU>^BWsRt7Xl@@0+?JSYYwv7ThKHH zuo?FxF~;Ae`zs`RyCJt(VQ$*jxlA58%~9-iSZm2|?i8bTg!hQ%jDOK}CBG{-46j9i zfx;3pMvQ?twK2t{WDYBxmw~Pj&b-_Sz-Tx)D!9ZC0tys-nMHyysp)m*K6m~WP=UgV zr5ri(qaT=`@RtHBMo$Jg4|b5sqA*DbXWF zL|H9X&eXqb?oT@t=X7lNU{1`RDeTxZa)?J}gg@NbVl%{3`o8Ml7DlQoii#HWhF-Hq zWPebcbmsIsCRdRVmsU3ue@wNZfg^Lomj3C3rSpU!D03Qm7I2%jVxu4Oyt`mi=_DMV0dwU1dFE)~JZp=2Qd8|I4UO|47)y#dp2g8X|kzg_g_U#F%0x<2jd(sy+ci0L#GX)YWgpdp25!-) zSTNd`PQPYj>_7q^zT1NyIPI-?bAI(afcj)Sl}z&$z2~$58HaX6{#Jm0Jj5TmBzRbI zUw#!sMYiSxaWO1sLQPGjoiL(u>P?t;2sb3_NJg(f>^4rg3XBxC2lGn<3ghwl zwK7^B9f)KraQFo%m`#BQGzI(Dy1vUYH~4Ql{l)^dy%l9!Ot<^V7}T51k*;U9t|#9L zgfAsQeb&GpJmPU{?*$cvWm7cm5{cqKvTB$?#2k?)a;mhUNr3&0UWxI@Z zRh(J2d-kp2ovTXmk^^w<;T0Q1`6Rvzlhs1btA3nt?SzC}6A!`n?NvBpkH!OF?WdOL z&s+-+0mLYE7+?l$m8qSdsO|4x9J?Pstk)m@5bfX3i)~G$_Vm-q9T2J;CV>W>=_?up z$1%Wg?xJp=vOPURfrgv_rBOa;|cZ)h5Hijzf;t$i4EjL%p$< z9v-|6;QVYda8tC_!!&?Q#0d~yX|*+RCsPWW+mn1_h187aQo13`yy zR`Bn9z5C8%=r-JCYi!yZC;$alay8_fayXtjNnZO{IJ@)fKMWQMo33ughJe;NrGJ z!nmK!H{7z9dUtk{>M2XQbGnN?571?9^!duZO=U`MFUD2et(`r(CZ_T|gO3;$>(WE< z^Qb0ro-w7n92sn%;yP7)m>CClzB~xU77-)Q#iJv%UZmpSl&=BGW;7HUDq8z*Qp?J8 
zDx%+*326&5Hi4)9zqfY~K1k}%W_gjn05`tZBq3}(yG8CeV2kj-X~UINQ^TL3pC49w({_FkRV0QpJ>HEMg#vsN_P2IZ4Gfp*G4C7A3K!J7$&W&t| z2q~B6<}!ms9=>Oonh@^+)^%@5?T&vpw*74*?xus9k(l(@k;Y)gB?`;W>;q6fLnJzM z#o6D$h82B}DvewvINZ0f(`@}y?x`3;+HJ2zvcgT9>;}Oi=65bYqZMI8v`X@SDpUUxrKw$DI%JUK4ws~i zgXxe(R6jMK*_J%1rjB=lT}T|;SdSoe6t^fvWZTvV5T&uG(j+upr;|8I5`!XfZUqYd zV;Q85Ykqk}=mhRkBy0@2>IiLo+u>DdRqDo053?Za^?F*A%)?B>^RlhlfL9pN-gk>( zq#F$71K5N>uHf4#jf_A*u{E)zF6XKlM@efj*}0@(S2ll}Vl7`&YO`6aV=cj=*_pLq z(QO?rUSF_xYQbW)^%avIk!f@k6xJ~A#JV9@uEbhuOSKj4@L0DPZz?$-wFdF2UaA*V zs>M-4p>UM=rLezWA5#=9di=bJ&Oq1aKAD@8ql4 zth8&c%(vC3bF^A*mWPtia;NLs&&10EcUQE08A;5L$4=9*@*dNlPtK=PumDG8$C61U zVV%T^t6PF;{|OYYF&`b()sC9Kg93#@6>pHU1ZsZbS(I074IJ4hHY1HnHZ1o%v# zYc|04I5jNKh$$C<9#&z9fg0l%2YBcuhgx0Me@nkHcX7x1kcQsL3I3TCTmtTS)^ktF z@4;ipx}9CQ zv=W`NKpipzT{7u#U9cf!(fW)=>k_Kcu6Uoe0cPIxiXNpbDyf*aQQ7%X-f>f2xKSFh zQ5v{YwCiHn!jCQu0cr}^B~WnKrRSbV%kGnwn?jXCL5=G(En7)!Qkqz(KNe9xAW(ay zQGOj(ywp+94XCTOQD2F!I&TomSt^%LEsr4UsZ+?KR#xtxps#7(Nh7!y~zM4m#ET*xvV~&BNx|+dKuE!{7fOEQbC}KKAao+99H& z^gCFKh51Y?D{-#cXrD5qMHOCJsg$HA$(q2;NXu#k1lNy zfBKJYihs7<-2N$88kXrXV102v1r9uddk&PBG4GHerlI1uZo_Bx2+*#;OCy<(=`FAdi*@G?j}8VBVUj1PM$i&bg#7DHmfxUB_ph zwohiXZ#r&|LyVZ4AfIMl;dByL-N;mCxa5!y&Ue3$Tk-tCii-~!>tB4#epfK#@xhRn z9xakT;4J+JDE=@kJQU22#M2iTs?N3#ZJd%iE2DPE4nLWvNV{! 
zvVhCv3@^cF9!3`veV!SpcblBB95+gCf8k8*b zsYR{Mxzpk0SMR={LEcx zS;r!!nKVv?Yzq3YTAy;>p+oJ|Of*7*z>1x2iO+VM@}WE5+=0mwnJP#*1QsC>nN`4lqSxzI0=n}G{PapL+Q-gH2I)HKV9c9x&e93K|)E<9|p1h0+zRa9-L|BQ}5`QM%H7AN* zk?_*xXwA`$;$=UV1+GmX@DDJA@2hY)o#p<=)DT1%Vs?;NV(PDwaAM>MoY$4FS8IzU zzTL00yODH8-{)6ps7x4YBQ+mM#1V1#aII|m+x&_$yWpW(1mY_s;?dFuAK@V%VPW^= z2D!-g|ATzmso(x9`X~MWO@%BNx5z{{{}+iJ8ss4`;?{P`hmZeU{g*4|Q!gLh{$HX9 z`QPtjRE+)4k{EEq|FxhzUH%2~KX38Br{7FSL~0Tt77~GFGQR0zk*dVA`S^VWNv*d( zub7^ZNNB4PD($|JIc3=!^T`YKZe&BRs7g@0*U=%|lPVhV1rFdDkg%AL(oRsT(kdGK zkNKHq&49w4gMzVxG>{o=3s{|cwSqq_`LsxOY#jO8>}E-RbcIy5*mcY+W65@ipLzw)qe0Ca@9X^+aL-C|X~EH~>|<|Q zg}vJZS>^=NQyn#+#fo6}Yg8B;_Q-|}G20B%P-Ik4#kDf8;Mdme#~w0M2j#gGD(sRW z@*|BdK)qCcaiO@w{M(%_pcX991c_t@|0$f{eG$XN?;Gifaedp}ia5xQ31Y+VHFz~9y!;|v{Sr3`6b>kJ$d9QgP5*ruYrG~> zROTyD#$-2=$z+-!%G8-rMItD}2u~=dDZ!|=$RXhlVxzoSg(fAxo`3?ANHSyV+y9q1 zPn={+zl&6fe9{bMj{ZP)@!b~#2GPkg%HL3?TbINBTMu4q?_F^8AuXT|p(9pl2TcLj z2k-$Wv0DWgo$E#?`S6VYquN1abkK>8|Ct)KhfW(^X zxlH+2JrF>*gX9N>0!+w?+PEScPRobkCt*R*fs?v3DhN5Fq)B@p04dU!&o9WM)d zwG6aX7^oh89Bkueuq8kuMqZ0R3j3UB5h#H*>vx)gqz(n(PdkAvqutC&769m(@EKBC zq4|uN;TrR|PFOI|jTw+m9`Go26R+)dTdB|cXQ9D3MnbnKFap6U3b)ULJ-??1 zT+cByKAT`Ma-{4NDzOt2mfJ?&C&W2v;qr4@_1RLhV0@U(B*>n<&w7zw2?LB6VxWzn zJqJrN47jhbq>vokRy#icISBr3>i%oRND*D+;oqW{ z)p$ZRU-}zda)OegJ{t? 
z+hfn{3Q+DlKB7~oS>tJS1`VRj8zCJJz|(NrI!j_=6TOC>M^ch1&d>m23iwkfIyJ&2 z!cYd@xv?HYcMiSi>H_8q&7qO|2-il8JPqQmy|&Mtg}e0|J}dU)TIF?A&5CC3s6Xz2 zr%}1A{zC<~<8UuJK0?F~h|?IVh|KDAuL0ukGAiH$v+z*?NA4u=4rFGlpvo^BA!Pb=&GebAz4U$bV_Eh!v|Verx#<$O@ZMs{lWKX?+&8kJrH%I42rD_o53<-+w%0n&}zu?=o3jS|9 zkRCrcIKzqsPWTx)x;PZ5lIb44ft-bH5byhU%H0ro_vj_Jf?cr5apUecaU5t!wQCFx zzXJO-|4RK&=Ld-Cd-ut(H%xzwWWvQ>;W>LvLhR*z&vq2o$R;Dr={RbOMI4zNUG1m;-<|!Lj2w=oY}%zt8!$Sk3`afuVk>V&9V#PdjbLf zj)X5EK=ZhHpy@`vl(oINp+)dd!;RD-5XL)FqQ8AT!L7z`QXk(9C2g-A9^rAfladdd zNs#6aeebxQQ6VjBrf~7rJG&b6A$XStrK-ZIekZz57j%y8S~pcxzK{TWrR;xjtvA1J zY&1LkQ_3pM4OHu3@nm%b=Yh%v4v|iAC$(laFYF~F_Q()=adj~NZE`lhAOC4tXJ*8` z2^O4VI_rf)`~Ld$*;tQsrgWZm6utFxj^K9ZogJW5w%#td8rU4YgoV+u404}<#}_)& zHDt87_taT8RKAN;fqruU8!!1IX{=y)dWkVB}M!Up@(C#=Ttl-_SF@@^!k z2x9;Qat5WOCRK2mL<9Tv0MqS_slNy$v=G|OpWN01*lkO%+X;1gb-f>M_^x|P+4YR- zr~RN>`#;KkPc($M8}IfXx*JdI-*oof$UDjIh1B!*A3J^_kFnkTu?DFA|D>AZxAAdL zYt$LQXLhtgNALF*%?@a(zC3tZLx@eQ13wKR@xFmzJqL##BnVfuLf%pHOAQc|FDJDz zWJwDi7CF=CW2^IgH`+-*CMM71v;BH5;JV9MHUk5cU82oTAC|WA#$^*{dXL-$xp+xv zDVPVW4*U56>QDp??zWp!F^45xPlTrG+mYYj zPhVxzGlNijdikUef4_&m(V26OWjzBs`Y*9j0O+=(#dw=8use#nzewE$Jr9sRsyA55 zQTl<*J(4WV#@uCR8F}#Nz*a2`g{?U-WNE?;_5yv&xXepyqGDnt{X~5W; z7XY-})-W}Pc1@PbzjI2y%|j_ytPGJoG$pl7}>|9QR$G=`Ur3Hm&-Pd|SZR3RL< zP(61#O||E1u{CVQ@5#i(#4y%0`IsC0tYTl+Og%KGeLe}D&z%oKgfc&&)V=YU*98Yx zQEd|j$M{8|LG{g$x?=+5}v_ z(w%6=J9O35X3gi6^^m+U?kthvC0CF?Y!yH(REvM&l&ZmmACOkX0HY1iv{5>Z2lP9u zY17En)r|N`UBbsZt9!c%$2-~w#MpQ@P_BkeTEJzo`XLawwFK(O{HR|0i$3E@2Jj`l zlQF|d{-7rhbXrFj1-Qg@JL;WxeEdZ-L`<=g?eJiV5BAJ9yq+$?G4}*e74-C)o~;Av zPXUn#8??G;y@#bLt{eDHyA4LwOR$2(Q02Jpo*@z(xGJCq%|$dpF*a$dW_XZcqs@D5 z1x>1nW41K=)wB-jXZ3?_0cpTd0y%R7Z85+K5N)vsA{Q_zKNev+z+!*+oEAmG7B?{Q zzd6e_NnVRWt-R(4io}!bUY3RP_zT&OO>pEJ59|;h79o&J5#WJ-3luJ9FA63MgL`@Wi8+ zj!E#zoUah>(irJTeFDo$e`BJMhTZN|lR#@T0yyMptoISrvqBWPYEe2KtawRe^nCo= z6+f(ljuJ#vPzhja8p>d&2>HojB2y;xX6<}$9uG7qJ9gYPi;(RUF^gJFFz!3MoxiUe zv{opuZVQqdX0c|dR)snweeZL}s7APoT4gX}zuqjEVYxCS{uH=UpqvWh?H{lABswOc 
z%fIrK#TaaDH_D_T_5WDZw8Ms}{F_)KPse}dJI5hv()cS9h1R=aBvMcYPyVAEeG=G8 z-K;PBgQ8v&+#~ScVTZ&I>Oys}DuusPDuvi)!Ja~nl6OZdVlqbMHE$-vBJ_t5v)S zld43thTE>68RHBh-qh?Z&ZPkO?>~=f;N=KF$ZKv1DdSnx@K7QhB>V%*e%=KRzjgWp z^!R}uuV-)~j;1?I!OBe45A!bgb(P&E`At<~h9Z6Q6Cjs11wfnB6+fjwl6%)av_LHa zy!J-|8z`;<^@PwblozL%8*c|(4x1X}94iuc#Ozrn+~lzq~AhDT4v2kM*qAw z$*q~~c({}PuEv&sx>xMZ>uo0f%p*ej1?1z*W-OMDrbE$hA04;)n^4Y$L)*{0q8yjy ztDAeVJTuD0Fxh)5E#j)B4d&3ac;T+|N5$1+PmlX2txIQR&E2@1zHDHW#HJ#NZ+SvL zrId@`PgW|J_PL7w_S6q1=jY7Cj_^#T`oL(p>1609f)y)=qe#&2503y*rqS(b-|M4a zqSmUzJoXdXnD7)HEZJ&3I5-*)-exK@W*nK@o+gZVlCGsDyM9n+N%YQy5#zs@hFsO= zKemdn$!pEje2S(ebA`xtKCo+2-;(rRoyhLFamV8u=48qPUcPqC71ZkrlM}!iJQM;N zmXy$ffjg(ThxhEgV_R%V#vjI%-!)}liOY*NMA=EVv`%g}d0R;Ob%p7!elpqhr+!0i z+|6=#xvRqC=kJmWm1%!6s!Ul7>efryk{EP--$-MUsSauSgYP0l-zZ!bmC4|}6ea!O z(SbH{B($Onf6m8kk>l}>ER$iS@dJ7stH*H=Y%aB@gGOrPko<%YBTj(PL@`cKa{^%D z*~N-gazMAAbZ5M7hzl2L>q zAygi}yt<4U8@hZojX)Lv;&Iexlf_sUA~l(kPic(&&Zm6Or^U6Z4I!GriJBL@eMkhm zGw^pM>~Nr-Hm{USZJw&_^oRz3QHIQ*`S_zA5!8-EVyQFaSf;s(lUyPFp7*?%i`tCG5iObw3KChF086ztm`+36Rp`!$UAHs8I#OOE6=KdTnrH3JyG+=z_&0_n4_<%z?JZQ3V5Q z@qeP0BF04)d-NDWM;VcchqtfzN&m7}!y8QDcicUIHv(sHN*dMxwKt zLPnMK&IJsptJQyxSa5OU@~7pv|Lpd^H!1s2R&GQ(3=cClZ{VZA5el{kJji(WMRtmul#L3f2W^8UU5Wt-6zF@G78~f5W{FxTk8&03=1<0Q9G^YCkWoyqMvU=yi z(|Yn9VvH+)BFqu0>&>?ws;ErQ!83E&R`*?4!!?DXH$h30fcDueNiJ+|giCJ&LjE|Bzqd#B{r88+eNI0?*Nd-S(a!)D@k(pxXrTdgEUIJW)=eHQ zX`xgr)Uz$>Urv{i+qCqKK6}po>t7KT`6%8pWO$@=8-UvE)0kyh(#O`v zkMe;`?t{c90y7feJsVebZ9AuTdALW-Q#Gz(_|<34gNSZYH9HKGH@pYasi1=dh4lWM z%JnhZ1?MqHfA|O!!80a%xmQ?bV`(jxelF<((5V+*94g`(MtHi^j0M^^6a$Fk0yZ{I z+}YZY+t`}pN(j2qeJAYb-NYe~Eb3k@WA*h`>6Aw5)4iffGYo}TWpby-or&ulw!oCT zCxA6OJGv%sQ^*S0^V0S!`#-#K)&GeYy>ErL7=rT{D&E0=7TZdHAvW z>_i*|Wm=NOZu;H4t3p$TlU_XqC133owp? 
zB~^Im+;+Td0moGj{Jn+UlfAC;KwMuoDR|@f*nzbN8c8A2$1LUxPdgz6R91w<&fx|E zxaiO7c3~296T|Rx^@j6mcM~=#x<3QQ&oC3vFdt!hkJ}gTbTR4v)@Mqzl3@pMvmikt z$AiQHe#EC*&przH3{-B*I;icb<bbWxAPuJp_wuCWQLzj7)Z-ZnkZ8X2R&uJ@` z7#j<96{FCZ53s2?t?=pf$^$LQ05qm=5LKXZpS3|t=Z>tU_Nq*GFp2kC`-wXM#epMX z&jl6M+@uA}>!c>n)(MpeOt$4$;is=Z+<6vqAxV#=MVyCk zu`i%fuKnw*ubcNe5{xvlayn){$~1>O%0!0P!W#PB8`djejaIfuGS8V^EU9wXZN2Y& zl-g9`DwBLmb;ZL}t=@BVm>Cq3FuytQG>3&06%@}uMnhLyM_YS;T{5^}*ZK#982?H@ z8~g_(IBV(Jq#9gyzNzQBwKLdfGKS^k39sQ=O!U6N!Rc8mjL!lTCIl}|sBzExarpO} zMX8;q&5Jqek-u4oe6-}b`?kCRlKvM1Lc%FKjUY9PJ@=Br#5fTeM`i7}^(L(}t3 zSf_GvMZ6qbT#K;0-iVGtKo>-d9;x_(0Lwa%)!@HhB#OV$H@VV74w0^;u6sc6^!IVK z48?r<62wfOn`G=$_5p#P@AC7{0W1(eYh@S`R|NOW9R`2MgpO}TcgGwr?`a{I={VUqZ@8_qpZx=UlV3f{vLKN z9Ou;?AR%s8%Jx|B^4_*|UEj13RqZ}D6VJ5yixC~tJ`gYi_5`@7@~r#d`aw%@pkrVP z2BsOef3|X^b*i=p06tXwAspK_(da)^BZTKp>Njr;MI39nbavP%WAZE}X4J|UWeX-) zeC!k&G%Z%TbfCD@94fF;f>9vj0V0a;s{?{4R99o-39PU>m z2o1@86=+~SyndXgq*I?WtB}(f{@iyD2DU67P=MA1R@zQcV@7D`}K6SQv@C7mB;grMx2?9N_jxyxct znXvjr$ZNWUqv6)-312=+k9`R^pkUdPKql^i4-+% z(L=OJ+PqB{Yha@guucVsnqeVi*D+VK(5=7iNoVHPRT$FCY2bDJLA%M(Kv(;kW=taB z6AhU=?D`(aI^;DGP!p=NODDX4O+$=ydH5cQ_sG-*p;d3O@*R+*#I*H0a25Bm)jQ26 zue}U6Vz;EUnj~zH;=7u7Si>p-tBWX?6fE3~g94~(X#?bGuCyA3M@5+Ik$m!u-vaC2 zYTs7(TkJf*=M*}P`9RYx*Mj|iOc;Tnf1ffK#R=3mP*asl>F(SD5c4f`p2C@@(m~qP z(}sJ_OjO11&dJE{C;u;c_urkW^Y440;%z5y}{H^8jFkIvoOY0X%((JV|W3{Q511PF=qUiC~sEUM{>y zViP>aELCuPA(7z-gjq+6VbnNGZMAu|3&BblSY>U>KdpDR(sCM7emQJ<7*p#8B*JuQ z;9FyYPERUoQgxsvCF~3Y<0=^1e#?i&xX43-t#Bj-OQTWHAi((5m{H*glW`Pzv%mgU z6vkq1^)sr0zlfBsQ|mJAzy}Mrw|F6 zD56SdK=h2~$I%o^VC|-aL33p>_xC49&46m**Y5YX^i-9kW+h`Ls1yJTd5zL?YtM2k z&+}noZbbO%p&L6T1dM=x^e1Flh?H*ILzTZjhYgr!c zC)L!AteGtHC~>$@S@;D;b`X&|<@nifgwmnC|FwkOdoSi;^(+)6?riodn>}t1)%b5^ zLtABwz31Fu7mV}EoN1*bu*GdWIJ55y=sTbr4~2e9F#rGn literal 16151 zcmZ|0V~{3M(4V(kIucb(smKtM@YKtP!PtR~K8My_URR$^x6R`yn|Ru1+I z)-DeA)0$uQhi%9|f(p!vIztGi+*)~-$gZ_=$(`50>z(3BI|UKJztb$U;K?h<%pBZt z^JW($FOyxvmLSO|KjwGv-)C#Y5l(&lS(6bZf#w8C 
zU3Jht23EO6G_|)=pKRPR`cu-=t-o(i(lc2ne?G6#4I)J}^P`U3$g5w86~4_?@1vDn@SW>5DhoRWT{3ktcV0qKColu^yoI(&)cR~g>I`(PB_LM(6xtU zAK2dg%-G*6qUp}e%arYXYFDTJsZA+S`Ot_2M6TChB43G_bB_IR_A>15pN2(0jkN3< z&_{_oIX~nye10B*?MThQK~8Jv2CErz;;BnZH=_>Yq~U=(B8Aq=O7rCV6q<@ZXM^6q zzX<+-bIyc!%e3|G=W<4}ASRFKI$RiiRGoA&KeU*epX@G$eP0Zhf4prk!+&?BR7{*S z6H!u*H&R=H7p-iE6+UzOh=}fe*DH2{gfOd>A@~f%u(_y2J1lX=ZJ;XTA8oKq2{{A3 zNnu&4M(1yN81>w?hct z`BFb0Emn^I4%yi;a4CTuqgLGs^V4}z9u873oJ0Et{?Og%`g%R&SZ6v|q`DCrRGma( z=i%z-^{t`FdEgXiL8!O^1%Xn!^O@2;5$m#7^4N)j7bEZ*MOs@!0gK_^BHWfG=M=byj2oPQ`xci04S1jP7%cx-XTBV!9%@VnpNYtn<)-mXU? zMfWq{lj}f~qQ(vmi7o|O75!(WnJXpZ(i!CqvS;K2czOAGCG1{EaR}qKZypES%OCJ0 zi)gDSXs`5%>rG`CBE8u_r6VD6$yo)(w>$EHf}Prf$1JEA3RgN%m46p$R*FDaA(;lf zHLx+Mn`}0lH;H*ZgC=8{W42_cq5^)S8o(tV`VSB)B-1C3DlW?HA8YiG8ztvzy2awT z`Gw!-j?87pmTaLxQw%(8-BXt@%U*18f7ji8>x-R6pK(EuxYQbR>5JWyIA_M}3J{WB zhWk4!^T19w@-snoE%(a{9k^WPOF-k5PbdU}5u0zgFU*7CxNatxQ)`XfhPYY##vm2S zKve>=U3r1n4}e1I~O0?T=GYOYN=`)82k8Krx zXt5|F0Q!&@q?R6{KOHF8w8}X8{R;5g*}qKuQJy}Z@O+g`;}b>?hBZG5@tKjtDIY7Kh!y}Z>$ zZ|+VveU{f7bH%?@N7vZ=)|X^pAGMF^o1d~vr+-$2j#c{J$K(h(%I zWhk8R)6%hWd;fzQwJr*fNRIrYOz+S}2mNIfTL`VxUcUf}$i2wJTkSs}mf~;EqZkda zM)ItpS1oC`LVJtM>wRpi?D)xQ_*Q~hRR=4Tov}8}QTlN=`vgD!0GI#t)$Ag#QXWp| zaT5zb!%o7ds_=s!ZN{UmiLdmb+PYcZPw**m%kSQ(%}yM@?D&vLzw~RE$dqmyem$g{ zHGcJvbm?!g3DMZ{4tS@g!ItpA+TDK{oL`fJUG0v<&yv%6S^?OjXM+d4McinJ;PSpP zwi2<~JP6u~FxODZW}bxVnBm-a%0C#IIol|hh_*e5@egLk|B{-&E*4`Usobd@&zhB- zmHYu#{Qsrxlgfy!bPgaOp&?)(V^E){=f0bhct9lQ{4;=OX4-MysvpvEYt(&pl!T`VBU2uWv5V zauCC5BLmhk4}=qYBT;yNPdmBs?sKO5NWJN8Y^NtV&*$sxnAg)(Vmngvnlf8}@nM2| zmv*Rd*l?G(d4sok-Lrjz*XAp5e=FAQB9Nn?Ii&Lg{k6W^@(k`j3J_QP3yUZ+3y3u5 zscv}%(BwWuw9}zn2ZZeI!|I5w`V-N7??EPV9wwUU$iL1yeP$7f4oDxV%-d601KyIw z!Q?cRWJAG`)PIY9-(9@vT$&y*ZqWz!rh`ps^#wu^F_Ie{@X{$SRWRPscVxND%VL4= zT+vVnx%Ops?=@DQ;lS{YYoy1o8>4&;P{2YzG3@2{Lg9Uz>@lA3cG7PT`GBhUQyI(V zqk2AOWLInWo6?Ki+~^dFn@)3iwA+aHuv-{e)*D(&&O>4aF*SUDk=PFibUtIEu0kk& z@Y?@GgV!8_uJ!7qJ<+yyX<<2?z*MQbPFDx)zW0Ya&fwYGko?$f>-)?!ABUz*g5E-8 
z;z53^st4RpNdvVQH{2fgzTA_c-!EgYenN5Jm3s7f%&pBl>-dxZ8E8cVXy>1x@{{MA zZK{uflR}js<1dB`oI-mHDQtdF7hc(3K3s2azo6%Ed`Q1U9@X&peW|sYO$UmMKQn&P zUarT;-H^;e8$EmWRj22ozUB+YRk3Qa)=^Oyi-;1?pSTiA^!((Tz;;c_YTM7N(PetW z3VA3o0ZN!80~*>KH23P~LvU?yi_$rfBcKwU|EPMV3*FjI#&34sCTnL#>z6047aYm< z^bkY(5P|!2{ALhz6IT++c<+bD3z|YW^rAIXQ>5s(iWGht;JvpnxxHAr&S0ZW+7?p& z#G?SRo({YghPe!LPB52|NSsfxDd1M}5qdP2smmZkTBdSlgZSoEMQgn0NCPXqkx%$; z%c09yx#UJX`fZV{64=%eHxO(Z8ov3FMva#Ql7R4$7IYlL8{HRugMx-#0ftkkpt@T; zCOledZ73}v=CEbqasw52lR=Vlw)y=m{A;!4r83WMwZ8QQll8V0T*KM4RR6^zQhrFL zGWiVam1!7eJgd(GQ+_~>xf%JRkJU8e((zo)b0v2d&-y&MzGtjG6p?Q)!VL1! z>-qJrtglA>tr4x-iA%$%%$$xwLC3B6%{1-eYp?9;^Cr(QKkC@vO4uB#b7hiW6Ph}b z6aA4!H6Do%*6l^ft2_5-GkNK?x9e$08U}f(@aGCXj&c6~-QdtrK}TV8v3tOlM~M5b&X9x<{u=9k5IGq`b~aYEea%Bsqm^} z6|wH41-U)JzRLDw;h5QD0wp( zxE@<-t7DiGV4LGjR~``e%?^-U3GZ{HHx43=Y)$(U@}dvNo?yeMd)U8Be~YpbiI84eg8>hvu7GsC)gAoR;W@0nlavvA4{BUo@cfTa_pGl&c?QbE_u2AdFg}xifF;ZH_ zuzy4JCwh&!NlNOAJvXL}4b0aQ7ZEdYac#dl#KN#&V8b}TPXnkFwW4{yR~D7S7BbsYY}8sR{6lOVdpb9zsfgSe#(3fll&c$;j3aQA433H4H}f zh;4a(xytM@YOWy}t#J%PuS(nM6anNu`xM{Uy0e}X_bp)XkpfiSBUzTEJs27I1)=!3=6CL*tRI8pW$^MKy|Kr9f;|$7B z9gja&DE;M8CNH7s;O#@xbUzR>C9umH)&hGa0(4_EM~xRyGK98;ry-qg`~2{3q?Yb{ zAt-6jqc?$vvg`pvOgCTkVKOi5kz>NTnT55i+F9pIc#?Kq`E^KV+FCOBX%xWdZYeOr z?JF9p+3r}dD4b&o#w>Uxg?H8VBvhq+cd|u18d^tGG_46FmNit0ARa4QQ$}Rww56_{ zkMgl`E%zE%I2-?t8Ecj`L7?+plT4wPPt&{+PXk8l$52JBg)2%@kWN7VmsBvoBCoP8 zl4*8?0MHg1lp@I%e~L!2EjLUunTw%D_=|sv@9H`yC*Wt~LbIh9K><@3FPJgDwaH%k zO*%9f4T#dI>w9Ns_{x}KhNt-gGP9-)B0m80()wUppezem1g-Cig3?M}HV7y0n$yAH z$NBy9qjjayg0VNe`2A$~e7x~-akcg++^*g8Z7S!32&!6fOcvwU7#=Eb->Pw9bfnwS z-A5WE5^OtRym0Q$^`r_PBTV!H5ik+j}!@C%!+3mob2j6+sOk7E(v1U&x<8GI~ z&-c}GyXN5TeSK}51F+f26qZqDQM2D==62b*yn{-%Kr0#gc{*nhr&)haiaM_`i{$Tv zb_@N8Up!r%j5DDQ+*2s9hc%}D;_hmcY93WNYkDlm&Rhn6hG}GQs6nTpKW2iz$bpOO zNL0qDSfMA-nng5af60~cK2szc@OzyG+tb%%!M&BsSZQ4#8eNe^7-GGW`TRQh>xC_? zY?OM|4WmpvQMFF`b{~nE*Yx+3+~d1y|kzj7Zv*U*WEz%FqWjgTmYoMWY{dcc0eR#n_o5 zc@>JIy@_B1ZCPo79Fcgx1ndl>&mKmFwR{FOml)ykVZJGQsBpQ%rv6PO<;C6l`mCn! 
zM~mBz)@lXcoD$1~bDl-_&Se4^dT7QZA*-!uu%tb(6fw1#7Zmi=LRCDJH#c1>tkaQ2XX3Pd%&Al591YmB6w`E9s4_Q8Gue{_1fZyL` zI*TM``Tx2)wrI^~$={bT*53`A=#ZBl^2j>{YTIKcLR2nPrj5jG?8)8g?nW(7>~|#N zC22M?L3kNx^{u|TZ8uYjkkBP=VQe4Kz&Dl>|E55)fr(m57iLX&5X)%d;@^T6_KP~3 zlyn+;6{eur%B!bIK(b78N;eqFX_TGC(zQKTee5Qas^-KyUr(X*)=Sr|Tw-cPCLGkVo{MePU@p(~geQtgDGc`joJ* z;izKuvIH@=ClleGmma8N9h`7*aA;&M%e*U5UVNobZ5tWuGfuC66P))gszlm98{WjZ zMc&gGn~s>uF~zG&`hZLDbOMZ*eQY%!b0|A$QRnRkR3L%q*gs#Dc;8!1tzYtx1%=|u za`Pl|-Adfag|2E)%ntLl#AR`ZetG@D<&Jj{q^P}4Ar)bmp!0Ev=rDX7rUs&Ae5-&D z2#qD!-J9fmmcaEsjNRHIn2YW71ypq_WnJ&#x@?C{a2zbadq&2-^r%kxmB=VPF^cl{ zk(U)8Bl?|3qRFYHXJ>9JS2*#WGkVjOe}>8Qzw3|2rj>ANW$qZ3KM+-&mrS5=s;0I5 zX~>;X9lqr3^;-BG`86UoUc<*C3+Rg0j&~w3;qqS&;ehW9sM>#y{m|-nh-b~tHNWsS zdMxs3WRdM5F=!_Pd?Uoh3RTbqxG@rs?Z=;UU4IL=+?Mj5pz4n z=$WZ>XM;`MNg;BOO4*4SqbQ;3gjPC*0CS(I&&5RqoRti+aN=DI2XjV%)^?36x&`MS zoQU*i<&4&sSkd+VscTORgmdW5g1S6yd%%S}9wltAOGv^6hcciK2;O6Kbjh0;u=N$) zbJ~HkTv)!q1&Swq5Nwql(`#jE=#{ox7kgNZJ8~#PvL|^a6fo|6OR*(+)QFsN;M&Q8 z`c%LR>fQRZCAt1VOMG5NelGLZC;i(gKjz^E#_uNA=03#d?^SQk#0m15H>iaErq7Lo zo_JFUFVS9DU!JliR^>plLMS=JbG>Jq#^#nh_2@+L_(>x;Z-c1rTgG_3(BiK<+}&JiEdp%fTK(%jI+$Ygy9Fxxq!2v`90zx9HkNc| zg+KNMs1Y$ib!pnCg~jT7+06L4W7vuROcymGDMyZ=n~hzp`P~7{p$4s|1kzk3E#MGQxz?5GDu$9kq z`yl{Ac&n5esb#1P5;Y!&k+HQL`k*Cft-pT>gSYY%y6yR<-QCqi8KrlC%7-N)wY$ zFb1hXp(ajbS5_uLjhG~B7}26hgzi#9;m*fQ9Yd>65yN=;6&XWBn>>btN%I7yn=-W6 zrWh%^S3uSWIQF(OLGCPWlZwKLj5vWSv$psq~t{ptfX(yg^kIR6Gxw2iC?Q5t+`8 z0SpdH&bHP}DADGWOwAyv*zm`!-t@T%LPvK4rG0+czHH?=-3Dn>CCxTr4W|)4&E7l~ zr)J}z;rakquMlGVn$a$D3(SU7wT0b$QvTy-Lf$7~1fd8O@{MqX_rqTR?{b5#g?>4o@?Q>g=K>Ud{l#(H?*tp~JIk55^E`3W zI5p$ewgNK5euhQ0;jZ$Dxh2Z2N`5~Ie!FsVy)yW%zu-qDn{R(V z3ntWrqO=0vAW_x7RMNe{d~^W@7(2pTx`wv_^IUQNf7o0-85Dx&?IS%*+W=XEYUiRd^cZV<++op|n1y z%s!tePcyi+ERtCsUckl;4H)x(MoXGpDLfSVBM>7c~~xm+tTQFK>I_7APCpn#j~X>-Gj^ff!9$+pB_ zM*g1X5|l%OTi5`V=qIY?m-;uH$t*NXz*xZn58g8{L5smS_~#W_U(E?KBG%DDg#~)P zQD6v{Z4>{S`CN}5hGL{8?VoXVLWv2YCbiJ8!B1BKEoS7+s=zQ|g@6eL!s=T1-_U&p 
z4?MW3ZiNa9><6dN5a@$OiK)ab%ns$3R(t*NSJ)M}Ikf=Yc`?ghl-~?RvguH^R!jEC z;9PSdp;Da37HD}Fj>9w@!aF!zkuqp0&yZ*{rn2Eeq2-d;E?nYcig}{avrhO~ZMod? zEF$f(vQ7-gr+u>OQxxJ9_>W>p(~A_eR{lv8rsde0RC-TL#8DL?e zb1DGAVW7%y^~*#l3cVj>hsfMa8`YUH$U*C!tfts89#%p0os%3uC4A~O`90mGh>YWq zQQfe~M@8)%WJqBJouk1gC{>RPyHYYrj!l)Jct%Uj;!uXp?{>rucumJ!_a8LV>)+$0UDC9{7HR# zp(Js!q`Rq^ln#mq+XW9}-IcPFJZq>NRdn2|rEtxY&G zNQxuSC{qPR*cvVg$lj*DGDz9khe#xTWz(368->eY>H4eEwN4xdGeU^zrDAVmux6M} z!j47@ez*D1G{lbbSp8B?@@tY7NCK%%RS9FPYxPN9qH&ly;?+4;fcHpL&c8xEhlnH# z<-v~sLl`;6T?WWr7eR%`=s5;_`^O;qd59a=D7?CIT<%cjABe?q091#lqZ7F(Te@l8xq|-!p-+gtNKemvOqa-UiE7zIbY7% zc{pPN0A+A-f9ri4<&X=t%ZF^Q{`LTXav*_yKn%qc>zB6Lyc-=j{30_Zd_`a<`v|vN zOE;`t&xPE4fP{4g>|%Vh~rO>L#5v&L4Mo(q}BaO@_#q;vZAhMol(r`NTIUEMcnAQlGy0m*s&FG!`qe?XW6{sYqd{T~o+;1#rSeESFNf0D-WpVu6>(A=4! z0PO#7LM(s&-x;xcNf4p7p#{q8AJ7HREuZ)tvb<5yrjOj`$-?0HoOdEfqM>q>>p{w| z`yz$zB}V=8y^`*wBF;2d!sMPkyj?VWOU*K~QbA?do#O<#~P4%&&`NbZe60 zm(&XvavGc(U$fr-`R;>r4vsgtf00X%{k?v~IyK+&8XlsTL`MAg}k8`DN_T-s>f7Y(d46 ze0U|#IxhQ$EqlS;e}-!A4A^Sd;CR8@e}-7?RK8rw^{6B{)cNQ37cZXk9dw0=2@I5Y zLG5akAb2mmL9C|e#7r@^dFu=F0SvvQ`y{j=a8Kdc8t3!9KqeO-mSTQ&|NOL0W*|!CTV6Um+RL8G^2Gf#s&3>w*hkzvnN}L=R+(>wp!3q zzp&5kkjZ-G$Ol*kf-oRO2vVffa_SV0>Crr?R(9=(uBQBE_hgzsw}fhX3=V-?lL+m* z&o-hC?puu$jUxFX_*GCM)|B~W-cs*g6ibxYywv=x)5gt26U+(n_w!znVwYt6B$#=^1b4&UTEt<^&t&w7N zOe%XHM_4aIO}T%yKHc%5ys+Dy+vqK5i|(VoC)eJ;*Ed?Xw%cZ$n7+yjsioA{u?r;CIV0O^YF^| za2n(#b4Y=QqS77O=UUJ#^Ut8eon93p^jB-|vAd>>iklO2qaE(|x4Xmb^5x?#;ObiI zbX7k?wXRPZn%XLFFtkpll%?;K+_pM*`c>u@9_aKb^avSm6^k6p% z8oC`_!k3_DcOHbuu(g^Ni9R~9F2s1^_#uD-Ea-i6g&Gr4h@dZmz%rJEZ|?Ih-d^Vg z!9V4TS20swo3hlYx#XrMPZK*g$w1Yk>D-7pab$jDlN9Odx|yNn#;9+&Xo49-vMSBa zZP>y@9wym%<^p!DN5P0BSqr|f^H)qfY$iM9*Wa1 zr^TAtvs#|~4_bRP6PTo+>17F*2|`%$a$B*3^1a)Tzps0E&(^-~_v`)m1bA8?>wzzuB<(o(QlPAxli+6CIgcIIucV(yO1c<%(Ed}4 z;+q563wA^v9=6~ELH0tgU??xgEF@YNUc6#RN&8gxJ!>8&UWLnKm*?%G=bU8+b+%H*?wjg_io)KR-&jTHVe-&0?_dC@Zb!Y-5RZA ztfeR%5xeuH8V5zN)}x}+7L_Dn<-i`3ie6-F|8`5Ovg%h>pHfK*bPb*99v8E7Wx;mt 
zO4+#URIf;0W|vbn7i@0tDws~)%vd}Iwdn!qJ#Qj|KPX$pd{I=QFe+-m4 zt$6xd-W+>uwZlP^sqs{e9BK(-z^#MS?3oizlz{Z~tmMW-j3W8no1;A!t}Yf)nB2JX=l4)W;* zv__C{TQj35{r$Qfcyzo8_~|5FCt}b(WP_FeI}obKeYh>lg67eu8i|HkCKYSI&)E@Y zX0E;lowY3A`Z_y=yG|QQ;gg{hY-5f{_fW?ipTQ$JMG^SUH~dt57vVr72Z)qoaT2CT zFOsyh*+af8H*<`18e7ZYR^FyJi*1B!U<~D5IHcqKtgM&x-sr-B;2zKaK+yt2OGFLu zFQrFya=)ZT@xK>wIFdU8LEcKDVytCr=(0L~RVh2N(ul|O|G`D_xuKmvjh59q!XBn_ z7!J_ZiFj5YmQO#eg>iq6#CoLk@oBpxFWszOUE{&QM}RQ#fJ?hY)_egqf@-|UpKf=V z^2zyrb)4J5(!n*kOvKg+qboA7b1XNY7&X>lr@IVBB$edK3zH0{np{kJNv zQ%9xUEBk#y3anJhPuwy1mAW+^$cphbwapMIx(tp``XOO3mb~Q-Q(vw@b^8)QcLZX4TB2utjPPD!$HlPxCF8njJ7_x`VXbN~ zWBU>@yMKOv-jNOK>y5+NR4!1_duG&@8JU#VJXsOpm2&%j+UPX9*=Mkx-EFXgreU#!~#BUEEF!4PY+xI$jb&cocvYYxHzt~g#1 z#OtT)dCRePqR9B{dzM2_iotpX!0D*6f6KuwEnK0K3>|NvM8AdE$!t|lfzHdRh5%vs z^B+l)6*q(+EOl@^%!0toNjbym0GN$3V&!ag=#9u5^I{iZ)~#O;i$qV*!O`W@G_}*}YwT2mDy2K09sc z>Xmq;>)t@jjNR)s;~HJ!?UP5FQGy565!pL$97~*C;PfmH zu|>O94DpMxhF!U6iE~cUC}3RF)Zwwk)F4^eUMh7?#;70y)bztfM}ow6rq(Ho!H%jW z5g~Cdc|?7`eoLS-Q6rruaGBc;AsLtyyxW_(6{$;=tX|SfhGMCPPxmvGiuA{Uv zrBTFvvffwovY<)0kZxw0pkqgeI^=1-i`=Y5KT}2bei=MgXo(0JIaVks!fUC!VI?oF zYx|^5Nju0pM$|6M&Mo*H$4H!O`y5Y68Ne_TDk(y1p$cFjS7S?W(kuM(ekkqwhe-ZE zD&>>9TmzPoCZOyel<`A&nF=f+Nx&Tq6$k5=I)Y3KR4B)e**LI;w58^kD=b7#+WcKK z5O^xUiYn(47*uX@VxPJ^R;{crM8>hG3nBM6n)rmxUOzdnQYnOh_C)$prKp9{feAVd z)BXY>b!|{7Rczt|j%QRSh_ZgIK`PsFN#%~c5@epR3^}hPejo(BQm2&JHH2Lrue8@P z#9IA!ag#ad)|kACdOe8Cvl1DKLk~`@8h=3u@d7zpmA3_S@bW+XhK3qOtRsJz=)hqF zb?`e$kI8EpdK)fwp?2S z0v-9>=Ro0;X!Bl*@JiPOqra|9h)gM7gzZs}0r`vQCaG4$aq9?|12_o{eU1#!jZVz{ zvMyChsGnnMk}6;p)8d6V&bKa6OUeHm%I@>x-U4ocfY<)i@e1y`@Q|bN zw`wqF@Lnmam6Ow$vtBQrt3{^B9;5P`+FNpO_;Jn z`ze(9Z#S$=n68EX*lUAG4JjjG6C>4!JVPQZDc%*0;iHYJOVUH3`q8tr_i1mQ$29vm z*u~>{7&Nq86F>f{{~A*bzJ{+rfaM3VOK0$5;`AThrVo=jUx}}qdVVat&R~5H*R{i( z*!M=I0D{{0#alP;oO`2PcL@HyJ%r2ktGe5@n>$M;*N&SuLCupmoQm%)U+DLEX7|y< z`}sEb!4>RA(azcIIQ}bMBDfJzi@x}N2%P6MEM9a4Z!Oxu4r@<>0Jvu6Tq3$nyVlia z;fiNNz7LbEr*KdoJ}$ib8rC!SjY+A+tuJ>IA!a9@&>n9K<=>eV(S*0Qn<(Lvlsii* 
z`MwXJJl+Rsc^4fsR+$nfJ<;iR$&@T2FJA)OYsR#`3^~YiOP#Q(TOWtRp=rRF1wh{& z7$3}^oeq(`%MFWWKT(rFgwTSa^aLeQDqQ+F$7Y^FHA+*P?zP1h(bnLf>M;Cm51C{UFM890!i*hwxPwM3>2k7k(O z5}sw5-kPz<0uI8=!}%o%ql=FPA(YLdOVmz%$zcEj)9SJs&&?c|AOhhcdyaz>dz{w8 zLs7HCE2Ga}qceV8&(jXY&`gw~=}8G8dWs$O47!YzdUU zEM7CDC&Ni>Sx^r{ee}}ugRhews3#B6N4YHWTIZ=@ZV4}bTY+xxf{YcGXgZQW?j38z z;Df;eUA5HTn*(3|o$Lqv@TGBi*gA=7-emnliZ-YtRmWL?9VS~F==y(b{Bw^e4ZJOX->e>zJviI%iKy(2Ke?;t&p9Hg?L76`RYEJ5Qw z-!Sv0;+gOSL}VCu2z{**q-|n{zD7t7r%7DERW~RFVW}Wjyhcb0!UEZWN+Yijq`~=? z-h`xC7l_^unE1n%6`%&WQExF%T1JVrPElRxs9{D1p&I14)-AaK#%m$aAR^L@yFZdmlpNQ_2&eLaeu% zP+T)YeiFdtKLOOdx=uC*VOCrIcPySpcG~kzQldO`$;$3V$g_L2iQk_O2kt}C-Ga^W z>N^5|W02IturYU&u-VID?go)#v?vg}G4Wd$ra1LIacw40Q(ZhYmHEx2q z^!?g*Xk^y%muM%%hbKE4QsbIC#%$4>v&I~I!MR0fXoQ>zi5%NY_&W12?sU#cJ6VA} zyyQ=h&6(N@~zXl&6Y?2Orxp@(kp5aW3L%z5o0ZIkxz6Zu`k zO*$t(MkOV;<$vlrr|^4XH;)+2S6U>)3z0n_p67*hPtV=)eLSb$pYM$<=G@|hE4XBi z-*(&NdK|weULE5h@WkXd-7{DlK5mei<`X*IZ|i1_2#*JWbtYb(G5^M9tTsuG9zN%B zw&e6DY<@Xmihb_2S$IHP-`}0xdGg`WvsO6dcZxW`5&ml==aytShu{#b$TPLiWbj=t zwK(y4h2*p3Krm!GpE{~}xo3*+W(yqjhnQbo^&iqD%(PbTO#3~ynC#-*< z;M^+CGWJ+k-}%>P(Q%m^0P#8N79c|&?zy(96Ul$)_|mFR#xO#G+CdTdG{$gOZL%lu z^S3rUHeGLCS#aS`bXN2`z|7eM&1+qSUB-bF(Wf0@g!IEZ-s_V3O+V&Dj4k%FxUelG zY+ADVBA!aj-gY`#%nBIhj~^lxI9pGlqouJOPiafJ*J)tPt*6Y84HG$IKbpA8c2?N$ z8BahL-f`Ac%3K}nQBt;+A~1B3Lg}z;xh6PTGAzm|OCbT4ZWevvDKxYmN6#VY&S#jp zHQ8~{Ukx;KW)I|yBU%{NXOQgqX%IB$4yqRPfWlEkP!`y+w21XtjCog#KOA4OF0c~S zT0&Km=(_uU)J0rI^j4PTXZg_6xIAXsQ0aWRC(u)1VF$zdL2t<}x1h z*Vv1)u~d*748owRl^Wt;9gvCu%lJXsR%df?R>2Bh(?s`9M_ooI9&i47dkV8}t^&Z% z%h;Jl)1IsX^{G0O@F^NHdq4l-5|s0BBK-*&q=baj(0A>|Y7VRkPT$CKx})n}FaeC* zz

4z7pBfgg_QX3i4zOq>TrIhAO}Fh#AS?7wsBMwLJGWI0rPD*k49AFIzR&<4p8B zUqsQ|+8Y*yM3Zf;%llGq1bAQA-}a0$Swhn>oz<^RsCCYM`U8d^m^HLIu)$kQeYI;< z9A>TNH(i(zeVw-Xpb!JGu_7?kiCm+nyA2lR&ssY5I=7L3f-rm!?>9+83_-Z*`U2<1 zbCy`G;bxz2zTJ5et66X8LN*c<+q(%x9WKwCT3_h%zpp}=PUq$Ar^I7bT1n^aZwCMe z8PTJAhI}OP;X?ZUfAhB5SQyWKP9GG8^m5py531@LX+t6w)@ z9BO)6;I0MUEgBq!u{7t|6&CbwEo!jpwJ4y( zWGyaj-s0~-!)D)fLrACb&VCjfc{R}%S1uFpe0zLqD}rVOf(?Xe>1%OkKhIP2?iD?7 z$}wvTO6x+juWQwun@iWr&|h(6LR;~^pY309G4#?ATXZ`NboPylm|%XR5mGw7(7P}s z4ny)mgGMv%hNRw^RpPyh&&k016xb+I2?V|~=DCH_kReGJbdi-~q?`%2Z(07(t>_}d zjj%{)s!Ty3h(!*|RFl&>X##ai^7LcOHxnx6j3tLJf|BfJp+zJb*eoJ5oDBT*P>5vT z0krudrr~PgS)^TkFX3Seus9h-!qE41Fd=&qyuDBiolgx5c<>++`>rLfuu4V)0fl-IW$is{|H91fCqs!UG-|+Mc}Zjb zLw&uDhu$yC?=mFK7W>74XPxHYo>i4THP}*h{&GG#^gx>FmI$_@Pnt89e6(Ad2JU-eLJ@0$YA)5F13d%C!7-Z6uq+tdHL!M$VlB)O#_ z^UR|eBK$+EsWUcrM-1rR&a*(D?ZReUu)UbgJmz>qgr5I3=j{iz7`SN+AhQ0rpM>Va zHGZpqo0l7i!=@RMG5tP5id6b5B9q+fFdZGtM;~WLON=TdM&;s1IaML*(p-bMB*|Ha zf9&|0wnz2LiiI1>pb0-}KSL8TQ!(!Y+@gOf69z+xR1HswJLjj^iz}GL$kdP&&aYu@ z0bHd4H7!EWTXd1^h*tg9!i^Z8+_Cq*L_-~mYa{{es-@U8{%&%_(~=oYCJ*yFm5=}} zn-EiHrMitC^feygw0E#}RoB*O{C0O`QBZ0-jOD}%YDs{hH5zw)F!tI|Ec(d6Jm!{D~=6aRCn5vj17-XIf z7F1;emHaoZs}Tcm3N2!$UHR@}&C)GY+^-kQ@$ZD(#?);W8LBtt^VE?dz6IYxRTV>e z0@@2@nOi(_u*{Vgm#)m3@uNc@71s(>a8si)Or^)OJfV+m`c3bah`h8VH}@HRL7&df z&=;vJj!2_Aihy46$Y1;m1!n8p^lL$<(NfP3-<2P=--3!Vz#wR#|8M&FKPuaQkD{Re vsQ(8U{r_C#|0Kix&k{gDMM16qnC<@;HBM0m9O6GNApg#gf7(yrKePW2F=}vu diff --git a/Solutions/Fortinet FortiNDR Cloud/Package/mainTemplate.json b/Solutions/Fortinet FortiNDR Cloud/Package/mainTemplate.json index 2e2b8dbb654..841755903ec 100644 --- a/Solutions/Fortinet FortiNDR Cloud/Package/mainTemplate.json +++ b/Solutions/Fortinet FortiNDR Cloud/Package/mainTemplate.json 
@@ -481,7 +481,7 @@
 "resources": [
 {
 "name": "[variables('parserObject1')._parserName1]",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -546,7 +546,7 @@
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "[variables('parserObject1')._parserName1]",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -622,7 +622,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## FortiNDR Cloud workbook\\n---\\n>**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Fortinet%20FortiNDR%20Cloud/Parsers/Fortinet_FortiNDR_Cloud.md) to create the Kusto function alias **Fortinet_FortiNDR_Cloud**.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"29a65c20-978d-447b-b11c-f437f6c7fd7e\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Main Dashboard\",\"subTarget\":\"Main\",\"style\":\"link\"},{\"id\":\"514047f6-4d61-4f59-9f79-6c22c20645c0\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Suricata Dashboard\",\"subTarget\":\"Suricata\",\"style\":\"link\"},{\"id\":\"f20fabf1-3a44-417d-9e97-3d62d1990c8d\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Observation Dashboard\",\"subTarget\":\"Observation\",\"style\":\"link\"},{\"id\":\"392a41e1-a18c-4a6d-8144-c51e27a8bf4e\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Detection Dashboard\",\"subTarget\":\"Detection\",\"style\":\"link\"}]},\"name\":\"links - 
11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"50650aa0-d12f-49ad-ba0d-e7a6a10b0a85\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. {TimeRange:end})\\n| summarize Count=count() by su_sig_category\",\"size\":0,\"showAnalytics\":true,\"title\":\"Suricata Counts By Category\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"main-Suricata\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between ({TimeRange:start} .. 
{TimeRange:end})\\n| summarize Count=count() by ob_observation_title\",\"size\":0,\"showAnalytics\":true,\"title\":\"Observation Counts by Title\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"main-observation\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. {TimeRange:end})\\n| summarize Count = count() by de_severity\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Severity\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"main-detections-s\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. 
{TimeRange:end})\\n| summarize Count = count() by de_confidence\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Confidence\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"main-detections-s - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Main\"},\"name\":\"Main Dashboard\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**FortiDNR Cloud Suricata Chart:**\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7b566fdf-c574-466d-8a25-eec9e314f560\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"0ce88674-9bf5-4c52-8286-28d3cf030e18\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_category_s\\n| order by alert_category_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Signature Category\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
3\",\"styleSettings\":{\"padding\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. {TimeRange:end})\\n| where isempty('{Category}') or (su_sig_category == '{Category}')\\n| summarize Count=count() by su_sig_category, bin(su_timestamp, 1d)\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"**FortiDNR Cloud Suricata List:**\"},\"name\":\"text - 4 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5d5a54f3-6fca-4368-aea2-a2d0326daa62\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"03cace3a-c0d6-4184-a1aa-346c67578b6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_category_s\\n| order by alert_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Signature 
Category\"},{\"id\":\"0eea038f-b090-4021-9998-3b85c1abe20b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Name\",\"label\":\"Signature Name\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_signature_s\\n| order by alert_signature_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"d60df3de-0e80-4f12-8234-bb8a4ea27cfb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensorID\",\"label\":\"Sensor ID\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by sensor_id_s\\n| order by sensor_id_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. 
{TimeRange:end})\\n| where isempty('{Category}') or (su_sig_category == '{Category}')\\n| where isempty('{Name}') or (su_sig_name == '{Name}')\\n| where isempty('{SensorID}') or (su_sensor_id == '{SensorID}')\\n| project-away ob_*, de_*\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"observation_title\",\"formatter\":5},{\"columnMatch\":\"confidence\",\"formatter\":5},{\"columnMatch\":\"Category\",\"formatter\":5},{\"columnMatch\":\"class\",\"formatter\":5},{\"columnMatch\":\"context\",\"formatter\":5},{\"columnMatch\":\"evidence_iql\",\"formatter\":5},{\"columnMatch\":\"evidence_end_timestamp\",\"formatter\":5},{\"columnMatch\":\"evidence_start_timestamp\",\"formatter\":5},{\"columnMatch\":\"description\",\"formatter\":5},{\"columnMatch\":\"observation_uuid\",\"formatter\":5},{\"columnMatch\":\"sensor_ids\",\"formatter\":5},{\"columnMatch\":\"device_ip\",\"formatter\":5},{\"columnMatch\":\"status\",\"formatter\":5},{\"columnMatch\":\"indicators\",\"formatter\":5},{\"columnMatch\":\"last_seen\",\"formatter\":5}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"su_timestamp\",\"label\":\"timestamp\"},{\"columnId\":\"su_event_type\",\"label\":\"event_type\"},{\"columnId\":\"su_src_ip\",\"label\":\"src_ip\"},{\"columnId\":\"su_src_port\",\"label\":\"src_port\"},{\"columnId\":\"su_dst_ip\",\"label\":\"dst_ip\"},{\"columnId\":\"su_dst_port\",\"label\":\"dst_port\"},{\"columnId\":\"su_intel\",\"label\":\"intel\"},{\"columnId\":\"su_sig_name\",\"label\":\"sig_name\"},{\"columnId\":\"su_sig_id\",\"label\":\"sig_id\"},{\"columnId\":\"su_sig_rev\",\"label\":\"sig_rev\"},{\"columnId\":\"su_sig_category\",\"label\":\"sig_category\"},{\"columnId\":\"su_sig_severity\",\"label\":\"sig_severity\"},{\"columnId\":\"su_payload\",\"label\":\"payload\"},{
\"columnId\":\"su_source\",\"label\":\"source\"},{\"columnId\":\"su_proto\",\"label\":\"proto\"},{\"columnId\":\"su_sensor_id\",\"label\":\"sensor_id\"},{\"columnId\":\"su_src_internal\",\"label\":\"src_internal\"},{\"columnId\":\"su_src_geo_lat\",\"label\":\"src_geo_lat\"},{\"columnId\":\"su_src_geo_lon\",\"label\":\"src_geo_lon\"},{\"columnId\":\"su_src_geo_country\",\"label\":\"src_geo_country\"},{\"columnId\":\"su_src_geo_subdivision\",\"label\":\"src_geo_subdivision\"},{\"columnId\":\"su_src_geo_city\",\"label\":\"src_geo_city\"},{\"columnId\":\"su_src_asn_asn\",\"label\":\"src_asn_asn\"},{\"columnId\":\"su_src_asn_org\",\"label\":\"src_asn_org\"},{\"columnId\":\"su_src_asn_isp\",\"label\":\"src_asn_isp\"},{\"columnId\":\"su_src_asn_asn_org\",\"label\":\"src_asn_asn_org\"},{\"columnId\":\"su_src_annotations_applications\",\"label\":\"src_annotations_applications\"},{\"columnId\":\"su_src_annotations_environments\",\"label\":\"src_annotations_environments\"},{\"columnId\":\"su_src_annotations_locations\",\"label\":\"src_annotations_locations\"},{\"columnId\":\"su_src_annotations_owners\",\"label\":\"src_annotations_owners\"},{\"columnId\":\"su_src_annotations_roles\",\"label\":\"src_annotations_roles\"},{\"columnId\":\"su_src_annotations_tags\",\"label\":\"src_annotations_tags\"},{\"columnId\":\"su_dst_internal\",\"label\":\"dst_internal\"},{\"columnId\":\"su_dst_geo_lat\",\"label\":\"dst_geo_lat\"},{\"columnId\":\"su_dst_geo_lon\",\"label\":\"dst_geo_lon\"},{\"columnId\":\"su_dst_geo_country\",\"label\":\"dst_geo_country\"},{\"columnId\":\"su_dst_geo_subdivision\",\"label\":\"dst_geo_subdivision\"},{\"columnId\":\"su_dst_geo_city\",\"label\":\"dst_geo_city\"},{\"columnId\":\"su_dst_asn_asn\",\"label\":\"dst_asn_asn\"},{\"columnId\":\"su_dst_asn_org\",\"label\":\"dst_asn_org\"},{\"columnId\":\"su_dst_asn_isp\",\"label\":\"dst_asn_isp\"},{\"columnId\":\"su_dst_asn_asn_org\",\"label\":\"dst_asn_asn_org\"},{\"columnId\":\"su_dst_annotations_applications\",\"label\"
:\"dst_annotations_applications\"},{\"columnId\":\"su_dst_annotations_environments\",\"label\":\"dst_annotations_environments\"},{\"columnId\":\"su_dst_annotations_locations\",\"label\":\"dst_annotations_locations\"},{\"columnId\":\"su_dst_annotations_owners\",\"label\":\"dst_annotations_owners\"},{\"columnId\":\"su_dst_annotations_roles\",\"label\":\"dst_annotations_roles\"},{\"columnId\":\"su_dst_annotations_tags\",\"label\":\"dst_annotations_tags\"},{\"columnId\":\"su_geo_distance\",\"label\":\"geo_distance\"},{\"columnId\":\"su_http_status\",\"label\":\"http_status\"},{\"columnId\":\"su_http_protocol\",\"label\":\"http_protocol\"},{\"columnId\":\"su_http_url\",\"label\":\"http_url\"},{\"columnId\":\"su_http_hostname\",\"label\":\"http_hostname\"},{\"columnId\":\"su_http_host_internal\",\"label\":\"http_host_internal\"},{\"columnId\":\"su_http_host_geo_lat\",\"label\":\"http_host_geo_lat\"},{\"columnId\":\"su_http_host_geo_lon\",\"label\":\"http_host_geo_lon\"},{\"columnId\":\"su_http_host_geo_country\",\"label\":\"http_host_geo_country\"},{\"columnId\":\"su_http_host_geo_subdivision\",\"label\":\"http_host_geo_subdivision\"},{\"columnId\":\"su_http_host_geo_city\",\"label\":\"http_host_geo_city\"},{\"columnId\":\"su_http_host_asn_asn\",\"label\":\"http_host_asn_asn\"},{\"columnId\":\"su_http_host_asn_org\",\"label\":\"http_host_asn_org\"},{\"columnId\":\"su_http_host_asn_isp\",\"label\":\"http_host_asn_isp\"},{\"columnId\":\"su_http_host_asn_asn_org\",\"label\":\"http_host_asn_asn_org\"},{\"columnId\":\"su_http_host_annotations_applications\",\"label\":\"http_host_annotations_applications\"},{\"columnId\":\"su_http_host_annotations_environments\",\"label\":\"http_host_annotations_environments\"},{\"columnId\":\"su_http_host_annotations_locations\",\"label\":\"http_host_annotations_locations\"},{\"columnId\":\"su_http_host_annotations_owners\",\"label\":\"http_host_annotations_owners\"},{\"columnId\":\"su_http_host_annotations_roles\",\"label\":\"http_host_annota
tions_roles\"},{\"columnId\":\"su_http_host_annotations_tags\",\"label\":\"http_host_annotations_tags\"},{\"columnId\":\"su_http_host_domain_entropy\",\"label\":\"http_host_domain_entropy\"},{\"columnId\":\"su_http_length\",\"label\":\"http_length\"},{\"columnId\":\"su_http_method\",\"label\":\"http_method\"},{\"columnId\":\"su_http_content_type\",\"label\":\"http_content_type\"},{\"columnId\":\"su_http_refer\",\"label\":\"http_refer\"},{\"columnId\":\"su_http_user_agent\",\"label\":\"http_user_agent\"},{\"columnId\":\"su_http_redirect\",\"label\":\"http_redirect\"},{\"columnId\":\"su_http_xtf\",\"label\":\"http_xtf\"},{\"columnId\":\"su_uuid\",\"label\":\"uuid\"},{\"columnId\":\"su_customer_id\",\"label\":\"customer_id\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"FNC Suricata List\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Suricata\"},\"name\":\"Suricata\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Observation Chart:**\"},\"name\":\"text - 
4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"fcd15fc8-790a-448e-8a61-1a1ec5f70e05\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"fd7ebd99-2ba4-4240-86de-1c109bc10fba\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Title\",\"label\":\"Observation Title\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by title_s\\n| order by title_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between({TimeRange:start} .. 
{TimeRange:end})\\n| where isempty('{Title}') or (ob_observation_title == '{Title}')\\n| summarize Count = count() by ob_observation_title, bin(ob_timestamp, 1d)\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0},\"chartSettings\":{\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"High\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"High\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"High\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Observation List:**\"},\"name\":\"text - 4 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"55ad269b-ead8-4f61-b429-669d632b53e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"43131f54-c638-41a3-a54c-d8768c2df468\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Title\",\"label\":\"Ovbservation Title\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by title_s\\n| order by title_s 
asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9ff7f038-1fa5-4ac1-84cb-ef8c6e91a183\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Sensor_ID\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by sensor_id_s\\n| order by sensor_id_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"3e100d32-5ad3-4a4f-a486-f65be2c62101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"defaultValue\":\"value::all\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between({TimeRange:start} .. 
{TimeRange:end})\\n| where ob_confidence in ({Confidence})\\n| where isempty('{Sensor_ID}') or (ob_sensor_id == '{Sensor_ID}')\\n| where isempty('{Title}') or (ob_observation_title == '{Title}')\\n| project-away su_*, de_*\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ob_confidence\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ob_context\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Context\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"ob_evidence_iql\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Evidence 
IQL\",\"linkIsContextBlade\":true}}],\"rowLimit\":1000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"Type\",\"label\":\"Type\"},{\"columnId\":\"ob_timestamp\",\"label\":\"timestamp\"},{\"columnId\":\"ob_observation_title\",\"label\":\"observation_title\"},{\"columnId\":\"ob_confidence\",\"label\":\"confidence\"},{\"columnId\":\"ob_category\",\"label\":\"category\"},{\"columnId\":\"ob_class\",\"label\":\"class\"},{\"columnId\":\"ob_context\",\"label\":\"context\"},{\"columnId\":\"ob_evidence_iql\",\"label\":\"evidence_iql\"},{\"columnId\":\"ob_evidence_end_timestamp\",\"label\":\"evidence_end_timestamp\"},{\"columnId\":\"ob_evidence_start_timestamp\",\"label\":\"evidence_start_timestamp\"},{\"columnId\":\"ob_description\",\"label\":\"description\"},{\"columnId\":\"ob_observation_uuid\",\"label\":\"observation_uuid\"},{\"columnId\":\"ob_sensor_ids\",\"label\":\"sensor_ids\"},{\"columnId\":\"ob_event_type\",\"label\":\"event_type\"},{\"columnId\":\"ob_src_ip\",\"label\":\"src_ip\"},{\"columnId\":\"ob_dst_ip\",\"label\":\"dst_ip\"},{\"columnId\":\"ob_intel\",\"label\":\"intel\"},{\"columnId\":\"ob_source\",\"label\":\"source\"},{\"columnId\":\"ob_sensor_id\",\"label\":\"sensor_id\"},{\"columnId\":\"ob_src_internal\",\"label\":\"src_internal\"},{\"columnId\":\"ob_src_geo_lat\",\"label\":\"src_geo_lat\"},{\"columnId\":\"ob_src_geo_lon\",\"label\":\"src_geo_lon\"},{\"columnId\":\"ob_src_geo_country\",\"label\":\"src_geo_country\"},{\"columnId\":\"ob_src_geo_subdivision\",\"label\":\"src_geo_subdivision\"},{\"columnId\":\"ob_src_geo_city\",\"label\":\"_src_geo_city\"},{\"columnId\":\"ob_src_asn_asn\",\"label\":\"src_asn_asn\"},{\"columnId\":\"ob_src_asn_org\",\"label\":\"src_asn_org\"},{\"columnId\":\"ob_src_asn_isp\",\"label\":\"src_asn_isp\"},{\"columnId\":\"ob_src_asn_asn_org\",\"label\":\"src_asn_asn_org\"},{\"columnId\":\"ob_src_annotations_applications\",\"label\":\"src_annotations_applications\"},{\"columnId\":\"ob_src_annotations_environments\",\"label\":\"src_
annotations_environments\"},{\"columnId\":\"ob_src_annotations_locations\",\"label\":\"src_annotations_locations\"},{\"columnId\":\"ob_src_annotations_owners\",\"label\":\"src_annotations_owners\"},{\"columnId\":\"ob_src_annotations_roles\",\"label\":\"src_annotations_roles\"},{\"columnId\":\"ob_src_annotations_tags\",\"label\":\"src_annotations_tags\"},{\"columnId\":\"ob_dst_internal\",\"label\":\"dst_internal\"},{\"columnId\":\"ob_dst_geo_lat\",\"label\":\"dst_geo_lat\"},{\"columnId\":\"ob_dst_geo_lon\",\"label\":\"dst_geo_lon\"},{\"columnId\":\"ob_dst_geo_country\",\"label\":\"dst_geo_country\"},{\"columnId\":\"ob_dst_geo_subdivision\",\"label\":\"dst_geo_subdivision\"},{\"columnId\":\"ob_dst_geo_city\",\"label\":\"dst_geo_city\"},{\"columnId\":\"ob_dst_asn_asn\",\"label\":\"dst_asn_asn\"},{\"columnId\":\"ob_dst_asn_org\",\"label\":\"dst_asn_org\"},{\"columnId\":\"ob_dst_asn_isp\",\"label\":\"dst_asn_isp\"},{\"columnId\":\"ob_dst_asn_asn_org\",\"label\":\"dst_asn_asn_org\"},{\"columnId\":\"ob_dst_annotations_applications\",\"label\":\"dst_annotations_applications\"},{\"columnId\":\"ob_dst_annotations_environments\",\"label\":\"dst_annotations_environments\"},{\"columnId\":\"ob_dst_annotations_locations\",\"label\":\"_dst_annotations_locations\"},{\"columnId\":\"ob_dst_annotations_owners\",\"label\":\"dst_annotations_owners\"},{\"columnId\":\"ob_dst_annotations_roles\",\"label\":\"dst_annotations_roles\"},{\"columnId\":\"ob_dst_annotations_tags\",\"label\":\"dst_annotations_tags\"},{\"columnId\":\"ob_geo_distance\",\"label\":\"geo_distance\"},{\"columnId\":\"ob_uuid\",\"label\":\"uuid\"},{\"columnId\":\"ob_customer_id\",\"label\":\"customer_id\"}]}},\"name\":\"FNC Observation 
List\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Observation\"},\"name\":\"Observation\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Detections Charts**\"},\"name\":\"text - 5\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3e9b6847-1b6c-4ba5-87d6-a3d4b0e36046\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"88270ace-134e-4577-b2fd-58b4a7a0cb36\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"16f11673-0de7-4f81-94d8-5fcea8b83222\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n 
{\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"cab3ce23-4ea0-4565-a7fb-2009f888198f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsDetections_CL\\n| summarize by rule_category_s\\n| order by rule_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. {TimeRange:end})\\n| where de_severity in ({Severity})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| summarize Count = count() by de_severity, bin(de_created, 1d)\\n| render barchart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Severity\",\"color\":\"lightBlue\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"moderate\",\"color\":\"orange\"},{\"seriesName\":\"low\",\"color\":\"yellow\"},{\"seriesName\":\"high\",\"color\":\"redBright\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. 
{TimeRange:end})\\n| where de_confidence in ({Confidence})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| summarize Count = count() by de_confidence, bin(de_created, 1d)\\n| render barchart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Confidence\",\"color\":\"lightBlue\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"moderate\",\"color\":\"orange\"},{\"seriesName\":\"low\",\"color\":\"yellow\"},{\"seriesName\":\"high\",\"color\":\"redBright\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Detections List**\"},\"name\":\"text - 5 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a613556b-fcd7-440a-af79-47b839e8f76b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"9196914a-cd13-4897-8d8f-2e497721452a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n 
{\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"0b5bbec6-76d8-422c-89a4-95162c9300cb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\"},{\"id\":\"876e2140-cacb-4d7c-88ed-354ecd7e86a2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsDetections_CL\\n| summarize by rule_category_s\\n| order by rule_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"fb9f063f-c68e-4f27-8693-160f8759f8b2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RuleNames\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"FncEventsDetections_CL\\n| summarize by rule_name_s\\n| order by rule_name_s asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. 
{TimeRange:end})\\n| where de_severity in ({Severity})\\n| where de_confidence in ({Confidence})\\n| where de_rule_name in ({RuleNames})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| sort by de_created desc\\n| project-away su_*, ob_*\\n\\n\\n\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"FNC Detection List\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"showExpandCollapseGrid\":true,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"de_event_count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"yellowGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"de_events\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Events\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"de_indicators\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Indicators\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"de_status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"active\",\"representation\":\"greenDark\",\"text\":\"Active\"},{\"operator\":\"==\",\"thresholdValue\":\"resolved\",\"representation\":\"gray\",\"text\":\"Resolved\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"de_severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"High\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"Moderate\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"Low\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"de_confidence\",\"format
ter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"Low\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"Moderate\"},{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"High\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"de_rule_url\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"indicators\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}}],\"rowLimit\":1000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"de_device_ip\",\"label\":\"device_ip\"},{\"columnId\":\"de_event_count\",\"label\":\"event_count\"},{\"columnId\":\"de_events\",\"label\":\"events\"},{\"columnId\":\"de_indicators\",\"label\":\"indicators\"},{\"columnId\":\"de_last_seen\",\"label\":\"last_seen\"},{\"columnId\":\"de_status\",\"label\":\"status\"},{\"columnId\":\"de_rule_name\",\"label\":\"rule_name\"},{\"columnId\":\"de_severity\",\"label\":\"severity\"},{\"columnId\":\"de_confidence\",\"label\":\"confidence\"},{\"columnId\":\"de_resolved_by\",\"label\":\"resolved_by\"},{\"columnId\":\"de_resolution\",\"label\":\"resolution\"},{\"columnId\":\"de_resolution_comment\",\"label\":\"resolution_comment\"},{\"columnId\":\"de_date_resolved\",\"label\":\"date_resolved\"},{\"columnId\":\"de_rule_uuid\",\"label\":\"rule_uuid\"},{\"columnId\":\"de_category\",\"label\":\"category\"},{\"columnId\":\"de_created\",\"label\":\"created\"},{\"columnId\":\"de_updated\",\"label\":\"updated\"},{\"columnId\":\"de_first_seen\",\"label\":\"first_seen\"},{\"columnId\":\"de_muted\",\"label\":\"muted\"},{\"columnId\":\"de_rule_muted\",\"label\":\"rule_muted\"},{\"columnId\":\"de_mute_comment\",\"label\":\"mute_comment\"},{\"columnId\":\"de_muted_by\",\"label\":\"muted_by\"},{\"columnId\":\"de_date_muted\",\"label\":\"date_mute
d\"},{\"columnId\":\"de_sensor_id\",\"label\":\"sensor_id\"},{\"columnId\":\"de_account_id\",\"label\":\"account_id\"},{\"columnId\":\"de_uuid\",\"label\":\"uuid\"},{\"columnId\":\"de_username\",\"label\":\"username\"},{\"columnId\":\"de_hostname\",\"label\":\"hostname\"},{\"columnId\":\"de_primary_attack_id\",\"label\":\"primary_attack_id\"},{\"columnId\":\"de_secondary_attack_id\",\"label\":\"secondary_attack_id\"},{\"columnId\":\"de_rule_url\",\"label\":\"rule_url\"}]},\"tileSettings\":{\"showBorder\":false}},\"name\":\"query - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Detection\"},\"name\":\"Detection\"}],\"fromTemplateId\":\"sentinel-FortiNdrCloud\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## FortiNDR Cloud workbook\\n\\nUse this workbook to review Suricata, observation, and detection activity from the Fortinet FortiNDR Cloud parser. 
Ensure the Kusto function alias **Fortinet_FortiNDR_Cloud** is deployed first, then use the time range and filters to focus on specific sensors, categories, severities, and confidence values.\\n\\n**Prerequisite:** the Fortinet FortiNDR Cloud Kusto function must exist in the workspace.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"parameters\":[{\"id\":\"time_range_param\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"isGlobal\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000},{\"durationMs\":2592000000}]}},{\"id\":\"subscription_param\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\"},{\"id\":\"workspace_param\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\"}]},\"name\":\"parameters\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"29a65c20-978d-447b-b11c-f437f6c7fd7e\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Main Dashboard\",\"subTarget\":\"Main\",\"style\":\"link\"},{\"id\":\"514047f6-4d61-4f59-9f79-6c22c20645c0\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Suricata Dashboard\",\"subTarget\":\"Suricata\",\"style\":\"link\"},{\"id\":\"f20fabf1-3a44-417d-9e97-3d62d1990c8d\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Observation Dashboard\",\"subTarget\":\"Observation\",\"style\":\"link\"},{\"id\":\"392a41e1-a18c-4a6d-8144-c51e27a8bf4e\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Detection 
Dashboard\",\"subTarget\":\"Detection\",\"style\":\"link\"}]},\"name\":\"links - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"50650aa0-d12f-49ad-ba0d-e7a6a10b0a85\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. {TimeRange:end})\\n| summarize Count=count() by su_sig_category\",\"size\":0,\"showAnalytics\":true,\"title\":\"Suricata Counts By Category\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"exportParameterName\":\"SelectedRow_0\",\"noDataMessage\":\"No data matched the selected filters and time range.\"},\"customWidth\":\"50\",\"name\":\"Suricata Counts by Category\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between ({TimeRange:start} .. 
{TimeRange:end})\\n| summarize Count=count() by ob_observation_title\",\"size\":0,\"showAnalytics\":true,\"title\":\"Observation Counts by Title\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"exportParameterName\":\"SelectedRow_1\",\"noDataMessage\":\"No data matched the selected filters and time range.\"},\"customWidth\":\"50\",\"name\":\"Observation Counts by Title\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. {TimeRange:end})\\n| summarize Count = count() by de_severity\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Severity\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"exportParameterName\":\"SelectedRow_2\",\"noDataMessage\":\"No data matched the selected filters and time range.\"},\"customWidth\":\"50\",\"name\":\"Detection Counts by Severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. 
{TimeRange:end})\\n| summarize Count = count() by de_confidence\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Confidence\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"exportParameterName\":\"SelectedRow_0\",\"noDataMessage\":\"No data matched the selected filters and time range.\"},\"customWidth\":\"50\",\"name\":\"Detection Counts by Confidence\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Main\"},\"name\":\"Main Dashboard\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## FortiNDR Cloud workbook\\n\\nUse this workbook to review Suricata, observation, and detection activity from the Fortinet FortiNDR Cloud parser. Ensure the Kusto function alias **Fortinet_FortiNDR_Cloud** is deployed first, then use the time range and filters to focus on specific sensors, categories, severities, and confidence values.\\n\\n**Prerequisites:** the Fortinet FortiNDR Cloud Kusto function must exist in the target workspace, and the workbook should be connected to a workspace that contains FortiNDR Cloud data. 
[Deployment steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Fortinet%20FortiNDR%20Cloud/Package/Content%20Hub/Workbooks/FortiNDR%20Cloud%20Workbook.json)\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7b566fdf-c574-466d-8a25-eec9e314f560\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"0ce88674-9bf5-4c52-8286-28d3cf030e18\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_category_s\\n| order by alert_category_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Signature Category\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\",\"styleSettings\":{\"padding\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. 
{TimeRange:end})\\n| where isempty('{Category}') or (su_sig_category == '{Category}')\\n| summarize Count=count() by su_sig_category, bin(su_timestamp, 1d)\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true},\"exportParameterName\":\"SelectedRow_1\",\"noDataMessage\":\"No data matched the selected filters and time range.\"},\"name\":\"Suricata Events Over Time by Category\"},{\"type\":1,\"content\":{\"json\":\"**FortiDNR Cloud Suricata List:**\"},\"name\":\"text - 4 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5d5a54f3-6fca-4368-aea2-a2d0326daa62\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"03cace3a-c0d6-4184-a1aa-346c67578b6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_category_s\\n| order by alert_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Signature Category\"},{\"id\":\"0eea038f-b090-4021-9998-3b85c1abe20b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Name\",\"label\":\"Signature 
Name\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_signature_s\\n| order by alert_signature_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"d60df3de-0e80-4f12-8234-bb8a4ea27cfb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensorID\",\"label\":\"Sensor ID\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by sensor_id_s\\n| order by sensor_id_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. {TimeRange:end})\\n| where isempty('{Category}') or (su_sig_category == '{Category}')\\n| where isempty('{Name}') or (su_sig_name == '{Name}')\\n| where isempty('{SensorID}') or (su_sensor_id == '{SensorID}')\\n| project-away ob_*, 
de_*\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"observation_title\",\"formatter\":5},{\"columnMatch\":\"confidence\",\"formatter\":5},{\"columnMatch\":\"Category\",\"formatter\":5},{\"columnMatch\":\"class\",\"formatter\":5},{\"columnMatch\":\"context\",\"formatter\":5},{\"columnMatch\":\"evidence_iql\",\"formatter\":5},{\"columnMatch\":\"evidence_end_timestamp\",\"formatter\":5},{\"columnMatch\":\"evidence_start_timestamp\",\"formatter\":5},{\"columnMatch\":\"description\",\"formatter\":5},{\"columnMatch\":\"observation_uuid\",\"formatter\":5},{\"columnMatch\":\"sensor_ids\",\"formatter\":5},{\"columnMatch\":\"device_ip\",\"formatter\":5},{\"columnMatch\":\"status\",\"formatter\":5},{\"columnMatch\":\"indicators\",\"formatter\":5},{\"columnMatch\":\"last_seen\",\"formatter\":5}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"su_timestamp\",\"label\":\"timestamp\"},{\"columnId\":\"su_event_type\",\"label\":\"event_type\"},{\"columnId\":\"su_src_ip\",\"label\":\"src_ip\"},{\"columnId\":\"su_src_port\",\"label\":\"src_port\"},{\"columnId\":\"su_dst_ip\",\"label\":\"dst_ip\"},{\"columnId\":\"su_dst_port\",\"label\":\"dst_port\"},{\"columnId\":\"su_intel\",\"label\":\"intel\"},{\"columnId\":\"su_sig_name\",\"label\":\"sig_name\"},{\"columnId\":\"su_sig_id\",\"label\":\"sig_id\"},{\"columnId\":\"su_sig_rev\",\"label\":\"sig_rev\"},{\"columnId\":\"su_sig_category\",\"label\":\"sig_category\"},{\"columnId\":\"su_sig_severity\",\"label\":\"sig_severity\"},{\"columnId\":\"su_payload\",\"label\":\"payload\"},{\"columnId\":\"su_source\",\"label\":\"source\"},{\"columnId\":\"su_proto\",\"label\":\"proto\"},{\"columnId\":\"su_sensor_id\",\"label\":\"sensor_id\"},{\"columnId\":\"su_src_internal\",\"label\":\"src_internal\"},{\"columnId\":\"s
u_src_geo_lat\",\"label\":\"src_geo_lat\"},{\"columnId\":\"su_src_geo_lon\",\"label\":\"src_geo_lon\"},{\"columnId\":\"su_src_geo_country\",\"label\":\"src_geo_country\"},{\"columnId\":\"su_src_geo_subdivision\",\"label\":\"src_geo_subdivision\"},{\"columnId\":\"su_src_geo_city\",\"label\":\"src_geo_city\"},{\"columnId\":\"su_src_asn_asn\",\"label\":\"src_asn_asn\"},{\"columnId\":\"su_src_asn_org\",\"label\":\"src_asn_org\"},{\"columnId\":\"su_src_asn_isp\",\"label\":\"src_asn_isp\"},{\"columnId\":\"su_src_asn_asn_org\",\"label\":\"src_asn_asn_org\"},{\"columnId\":\"su_src_annotations_applications\",\"label\":\"src_annotations_applications\"},{\"columnId\":\"su_src_annotations_environments\",\"label\":\"src_annotations_environments\"},{\"columnId\":\"su_src_annotations_locations\",\"label\":\"src_annotations_locations\"},{\"columnId\":\"su_src_annotations_owners\",\"label\":\"src_annotations_owners\"},{\"columnId\":\"su_src_annotations_roles\",\"label\":\"src_annotations_roles\"},{\"columnId\":\"su_src_annotations_tags\",\"label\":\"src_annotations_tags\"},{\"columnId\":\"su_dst_internal\",\"label\":\"dst_internal\"},{\"columnId\":\"su_dst_geo_lat\",\"label\":\"dst_geo_lat\"},{\"columnId\":\"su_dst_geo_lon\",\"label\":\"dst_geo_lon\"},{\"columnId\":\"su_dst_geo_country\",\"label\":\"dst_geo_country\"},{\"columnId\":\"su_dst_geo_subdivision\",\"label\":\"dst_geo_subdivision\"},{\"columnId\":\"su_dst_geo_city\",\"label\":\"dst_geo_city\"},{\"columnId\":\"su_dst_asn_asn\",\"label\":\"dst_asn_asn\"},{\"columnId\":\"su_dst_asn_org\",\"label\":\"dst_asn_org\"},{\"columnId\":\"su_dst_asn_isp\",\"label\":\"dst_asn_isp\"},{\"columnId\":\"su_dst_asn_asn_org\",\"label\":\"dst_asn_asn_org\"},{\"columnId\":\"su_dst_annotations_applications\",\"label\":\"dst_annotations_applications\"},{\"columnId\":\"su_dst_annotations_environments\",\"label\":\"dst_annotations_environments\"},{\"columnId\":\"su_dst_annotations_locations\",\"label\":\"dst_annotations_locations\"},{\"columnId\":\
"su_dst_annotations_owners\",\"label\":\"dst_annotations_owners\"},{\"columnId\":\"su_dst_annotations_roles\",\"label\":\"dst_annotations_roles\"},{\"columnId\":\"su_dst_annotations_tags\",\"label\":\"dst_annotations_tags\"},{\"columnId\":\"su_geo_distance\",\"label\":\"geo_distance\"},{\"columnId\":\"su_http_status\",\"label\":\"http_status\"},{\"columnId\":\"su_http_protocol\",\"label\":\"http_protocol\"},{\"columnId\":\"su_http_url\",\"label\":\"http_url\"},{\"columnId\":\"su_http_hostname\",\"label\":\"http_hostname\"},{\"columnId\":\"su_http_host_internal\",\"label\":\"http_host_internal\"},{\"columnId\":\"su_http_host_geo_lat\",\"label\":\"http_host_geo_lat\"},{\"columnId\":\"su_http_host_geo_lon\",\"label\":\"http_host_geo_lon\"},{\"columnId\":\"su_http_host_geo_country\",\"label\":\"http_host_geo_country\"},{\"columnId\":\"su_http_host_geo_subdivision\",\"label\":\"http_host_geo_subdivision\"},{\"columnId\":\"su_http_host_geo_city\",\"label\":\"http_host_geo_city\"},{\"columnId\":\"su_http_host_asn_asn\",\"label\":\"http_host_asn_asn\"},{\"columnId\":\"su_http_host_asn_org\",\"label\":\"http_host_asn_org\"},{\"columnId\":\"su_http_host_asn_isp\",\"label\":\"http_host_asn_isp\"},{\"columnId\":\"su_http_host_asn_asn_org\",\"label\":\"http_host_asn_asn_org\"},{\"columnId\":\"su_http_host_annotations_applications\",\"label\":\"http_host_annotations_applications\"},{\"columnId\":\"su_http_host_annotations_environments\",\"label\":\"http_host_annotations_environments\"},{\"columnId\":\"su_http_host_annotations_locations\",\"label\":\"http_host_annotations_locations\"},{\"columnId\":\"su_http_host_annotations_owners\",\"label\":\"http_host_annotations_owners\"},{\"columnId\":\"su_http_host_annotations_roles\",\"label\":\"http_host_annotations_roles\"},{\"columnId\":\"su_http_host_annotations_tags\",\"label\":\"http_host_annotations_tags\"},{\"columnId\":\"su_http_host_domain_entropy\",\"label\":\"http_host_domain_entropy\"},{\"columnId\":\"su_http_length\",\"label\
":\"http_length\"},{\"columnId\":\"su_http_method\",\"label\":\"http_method\"},{\"columnId\":\"su_http_content_type\",\"label\":\"http_content_type\"},{\"columnId\":\"su_http_refer\",\"label\":\"http_refer\"},{\"columnId\":\"su_http_user_agent\",\"label\":\"http_user_agent\"},{\"columnId\":\"su_http_redirect\",\"label\":\"http_redirect\"},{\"columnId\":\"su_http_xtf\",\"label\":\"http_xtf\"},{\"columnId\":\"su_uuid\",\"label\":\"uuid\"},{\"columnId\":\"su_customer_id\",\"label\":\"customer_id\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"heatmapPalette\":\"greenRed\"}},\"noDataMessage\":\"No Suricata records matched the selected filters and time range.\",\"noDataMessageStyle\":\"warning\",\"exportParameterName\":\"SelectedRow_2\"},\"name\":\"Suricata Event List\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Suricata\"},\"name\":\"Suricata\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Observation Chart:**\"},\"name\":\"text - 
4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"fcd15fc8-790a-448e-8a61-1a1ec5f70e05\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"fd7ebd99-2ba4-4240-86de-1c109bc10fba\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Title\",\"label\":\"Observation Title\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by title_s\\n| order by title_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between({TimeRange:start} .. 
{TimeRange:end})\\n| where isempty('{Title}') or (ob_observation_title == '{Title}')\\n| summarize Count = count() by ob_observation_title, bin(ob_timestamp, 1d)\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0},\"chartSettings\":{\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"High\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"High\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"High\",\"heatmapPalette\":\"greenRed\"}},\"noDataMessage\":\"No data matched the selected filters and time range.\"},\"name\":\"Observation Events Over Time by Title\"},{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Observation List:**\"},\"name\":\"text - 4 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"55ad269b-ead8-4f61-b429-669d632b53e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"43131f54-c638-41a3-a54c-d8768c2df468\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Title\",\"label\":\"Ovbservation Title\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by title_s\\n| order by 
title_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9ff7f038-1fa5-4ac1-84cb-ef8c6e91a183\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Sensor_ID\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by sensor_id_s\\n| order by sensor_id_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"3e100d32-5ad3-4a4f-a486-f65be2c62101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"defaultValue\":\"value::all\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between({TimeRange:start} .. 
{TimeRange:end})\\n| where ob_confidence in ({Confidence})\\n| where isempty('{Sensor_ID}') or (ob_sensor_id == '{Sensor_ID}')\\n| where isempty('{Title}') or (ob_observation_title == '{Title}')\\n| project-away su_*, de_*\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ob_confidence\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ob_context\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Context\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"ob_evidence_iql\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Evidence 
IQL\",\"linkIsContextBlade\":true}}],\"rowLimit\":1000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"Type\",\"label\":\"Type\"},{\"columnId\":\"ob_timestamp\",\"label\":\"timestamp\"},{\"columnId\":\"ob_observation_title\",\"label\":\"observation_title\"},{\"columnId\":\"ob_confidence\",\"label\":\"confidence\"},{\"columnId\":\"ob_category\",\"label\":\"category\"},{\"columnId\":\"ob_class\",\"label\":\"class\"},{\"columnId\":\"ob_context\",\"label\":\"context\"},{\"columnId\":\"ob_evidence_iql\",\"label\":\"evidence_iql\"},{\"columnId\":\"ob_evidence_end_timestamp\",\"label\":\"evidence_end_timestamp\"},{\"columnId\":\"ob_evidence_start_timestamp\",\"label\":\"evidence_start_timestamp\"},{\"columnId\":\"ob_description\",\"label\":\"description\"},{\"columnId\":\"ob_observation_uuid\",\"label\":\"observation_uuid\"},{\"columnId\":\"ob_sensor_ids\",\"label\":\"sensor_ids\"},{\"columnId\":\"ob_event_type\",\"label\":\"event_type\"},{\"columnId\":\"ob_src_ip\",\"label\":\"src_ip\"},{\"columnId\":\"ob_dst_ip\",\"label\":\"dst_ip\"},{\"columnId\":\"ob_intel\",\"label\":\"intel\"},{\"columnId\":\"ob_source\",\"label\":\"source\"},{\"columnId\":\"ob_sensor_id\",\"label\":\"sensor_id\"},{\"columnId\":\"ob_src_internal\",\"label\":\"src_internal\"},{\"columnId\":\"ob_src_geo_lat\",\"label\":\"src_geo_lat\"},{\"columnId\":\"ob_src_geo_lon\",\"label\":\"src_geo_lon\"},{\"columnId\":\"ob_src_geo_country\",\"label\":\"src_geo_country\"},{\"columnId\":\"ob_src_geo_subdivision\",\"label\":\"src_geo_subdivision\"},{\"columnId\":\"ob_src_geo_city\",\"label\":\"_src_geo_city\"},{\"columnId\":\"ob_src_asn_asn\",\"label\":\"src_asn_asn\"},{\"columnId\":\"ob_src_asn_org\",\"label\":\"src_asn_org\"},{\"columnId\":\"ob_src_asn_isp\",\"label\":\"src_asn_isp\"},{\"columnId\":\"ob_src_asn_asn_org\",\"label\":\"src_asn_asn_org\"},{\"columnId\":\"ob_src_annotations_applications\",\"label\":\"src_annotations_applications\"},{\"columnId\":\"ob_src_annotations_environments\",\"label\":\"src_
annotations_environments\"},{\"columnId\":\"ob_src_annotations_locations\",\"label\":\"src_annotations_locations\"},{\"columnId\":\"ob_src_annotations_owners\",\"label\":\"src_annotations_owners\"},{\"columnId\":\"ob_src_annotations_roles\",\"label\":\"src_annotations_roles\"},{\"columnId\":\"ob_src_annotations_tags\",\"label\":\"src_annotations_tags\"},{\"columnId\":\"ob_dst_internal\",\"label\":\"dst_internal\"},{\"columnId\":\"ob_dst_geo_lat\",\"label\":\"dst_geo_lat\"},{\"columnId\":\"ob_dst_geo_lon\",\"label\":\"dst_geo_lon\"},{\"columnId\":\"ob_dst_geo_country\",\"label\":\"dst_geo_country\"},{\"columnId\":\"ob_dst_geo_subdivision\",\"label\":\"dst_geo_subdivision\"},{\"columnId\":\"ob_dst_geo_city\",\"label\":\"dst_geo_city\"},{\"columnId\":\"ob_dst_asn_asn\",\"label\":\"dst_asn_asn\"},{\"columnId\":\"ob_dst_asn_org\",\"label\":\"dst_asn_org\"},{\"columnId\":\"ob_dst_asn_isp\",\"label\":\"dst_asn_isp\"},{\"columnId\":\"ob_dst_asn_asn_org\",\"label\":\"dst_asn_asn_org\"},{\"columnId\":\"ob_dst_annotations_applications\",\"label\":\"dst_annotations_applications\"},{\"columnId\":\"ob_dst_annotations_environments\",\"label\":\"dst_annotations_environments\"},{\"columnId\":\"ob_dst_annotations_locations\",\"label\":\"_dst_annotations_locations\"},{\"columnId\":\"ob_dst_annotations_owners\",\"label\":\"dst_annotations_owners\"},{\"columnId\":\"ob_dst_annotations_roles\",\"label\":\"dst_annotations_roles\"},{\"columnId\":\"ob_dst_annotations_tags\",\"label\":\"dst_annotations_tags\"},{\"columnId\":\"ob_geo_distance\",\"label\":\"geo_distance\"},{\"columnId\":\"ob_uuid\",\"label\":\"uuid\"},{\"columnId\":\"ob_customer_id\",\"label\":\"customer_id\"}]},\"noDataMessage\":\"No observation records matched the selected filters and time range.\",\"noDataMessageStyle\":\"warning\"},\"name\":\"Observation Event 
List\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Observation\"},\"name\":\"Observation\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Detections Charts**\"},\"name\":\"text - 5\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3e9b6847-1b6c-4ba5-87d6-a3d4b0e36046\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"88270ace-134e-4577-b2fd-58b4a7a0cb36\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"16f11673-0de7-4f81-94d8-5fcea8b83222\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n 
{\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"cab3ce23-4ea0-4565-a7fb-2009f888198f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsDetections_CL\\n| summarize by rule_category_s\\n| order by rule_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. {TimeRange:end})\\n| where de_severity in ({Severity})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| summarize Count = count() by de_severity, bin(de_created, 1d)\\n| render barchart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Severity\",\"color\":\"lightBlue\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"moderate\",\"color\":\"orange\"},{\"seriesName\":\"low\",\"color\":\"yellow\"},{\"seriesName\":\"high\",\"color\":\"redBright\"}]},\"visualization\":\"barchart\",\"noDataMessage\":\"No data matched the selected filters and time range.\"},\"customWidth\":\"50\",\"name\":\"Detection Severity Over Time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. 
{TimeRange:end})\\n| where de_confidence in ({Confidence})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| summarize Count = count() by de_confidence, bin(de_created, 1d)\\n| render barchart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Confidence\",\"color\":\"lightBlue\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"moderate\",\"color\":\"orange\"},{\"seriesName\":\"low\",\"color\":\"yellow\"},{\"seriesName\":\"high\",\"color\":\"redBright\"}]},\"visualization\":\"barchart\",\"noDataMessage\":\"No data matched the selected filters and time range.\"},\"customWidth\":\"50\",\"name\":\"Detection Confidence Over Time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Detections List**\"},\"name\":\"text - 5 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a613556b-fcd7-440a-af79-47b839e8f76b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"9196914a-cd13-4897-8d8f-2e497721452a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]
},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"0b5bbec6-76d8-422c-89a4-95162c9300cb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\"},{\"id\":\"876e2140-cacb-4d7c-88ed-354ecd7e86a2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsDetections_CL\\n| summarize by rule_category_s\\n| order by rule_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"fb9f063f-c68e-4f27-8693-160f8759f8b2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RuleNames\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"FncEventsDetections_CL\\n| summarize by rule_name_s\\n| order by rule_name_s asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 
'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. {TimeRange:end})\\n| where de_severity in ({Severity})\\n| where de_confidence in ({Confidence})\\n| where de_rule_name in ({RuleNames})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| sort by de_created desc\\n| project-away su_*, ob_*\\n\\n\\n\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"FNC Detection List\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"showExpandCollapseGrid\":true,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"de_event_count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"yellowGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"de_events\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Events\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"de_indicators\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Indicators\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"de_status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"active\",\"representation\":\"greenDark\",\"text\":\"Active\"},{\"operator\":\"==\",\"thresholdValue\":\"resolved\",\"representation\":\"gray\",\"text\":\"Resolved\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"de_severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"High\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"Moderate\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"Low\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"compositeBarS
ettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"de_confidence\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"Low\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"Moderate\"},{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"High\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"de_rule_url\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"indicators\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}}],\"rowLimit\":1000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"de_device_ip\",\"label\":\"device_ip\"},{\"columnId\":\"de_event_count\",\"label\":\"event_count\"},{\"columnId\":\"de_events\",\"label\":\"events\"},{\"columnId\":\"de_indicators\",\"label\":\"indicators\"},{\"columnId\":\"de_last_seen\",\"label\":\"last_seen\"},{\"columnId\":\"de_status\",\"label\":\"status\"},{\"columnId\":\"de_rule_name\",\"label\":\"rule_name\"},{\"columnId\":\"de_severity\",\"label\":\"severity\"},{\"columnId\":\"de_confidence\",\"label\":\"confidence\"},{\"columnId\":\"de_resolved_by\",\"label\":\"resolved_by\"},{\"columnId\":\"de_resolution\",\"label\":\"resolution\"},{\"columnId\":\"de_resolution_comment\",\"label\":\"resolution_comment\"},{\"columnId\":\"de_date_resolved\",\"label\":\"date_resolved\"},{\"columnId\":\"de_rule_uuid\",\"label\":\"rule_uuid\"},{\"columnId\":\"de_category\",\"label\":\"category\"},{\"columnId\":\"de_created\",\"label\":\"created\"},{\"columnId\":\"de_updated\",\"label\":\"updated\"},{\"columnId\":\"de_first_seen\",\"label\":\"first_seen\"},{\"columnId\":\"de_muted\",\"label\":\"muted\"},{\"columnId\":\"de_rule_muted\",\"label\":\"rule_muted\"},{\"columnId\":\"de_mute_comment\",\"label\":\"mute_comment\"},{\"columnId\":\"de_muted_by\",\
"label\":\"muted_by\"},{\"columnId\":\"de_date_muted\",\"label\":\"date_muted\"},{\"columnId\":\"de_sensor_id\",\"label\":\"sensor_id\"},{\"columnId\":\"de_account_id\",\"label\":\"account_id\"},{\"columnId\":\"de_uuid\",\"label\":\"uuid\"},{\"columnId\":\"de_username\",\"label\":\"username\"},{\"columnId\":\"de_hostname\",\"label\":\"hostname\"},{\"columnId\":\"de_primary_attack_id\",\"label\":\"primary_attack_id\"},{\"columnId\":\"de_secondary_attack_id\",\"label\":\"secondary_attack_id\"},{\"columnId\":\"de_rule_url\",\"label\":\"rule_url\"}]},\"tileSettings\":{\"showBorder\":false},\"noDataMessage\":\"No detection records matched the selected filters and time range.\",\"noDataMessageStyle\":\"warning\"},\"name\":\"Detection Event List\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Detection\"},\"name\":\"Detection\"}],\"fromTemplateId\":\"sentinel-FortiNdrCloud\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" diff --git a/Solutions/Fortinet FortiNDR Cloud/ReleaseNotes.md b/Solutions/Fortinet FortiNDR Cloud/ReleaseNotes.md index 5feef799b0d..f1094cc8596 100644 --- a/Solutions/Fortinet FortiNDR Cloud/ReleaseNotes.md +++ b/Solutions/Fortinet FortiNDR Cloud/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|-------------------------------------------------------| +| 3.0.4 | 12-06-2026 | Updated **Workbook** | | 3.0.3 | 05-05-2025 | Use Flex Consumption plan to hold Data Connector | | 3.0.2 | 30-09-2024 | Show mitre attack ids and link to detection rule page | | 3.0.1 | 31-05-2024 | Replace Metastream with FortiNDR Cloud API | 
diff --git a/Solutions/Fortinet FortiNDR Cloud/Workbooks/FortinetFortiNdrCloudWorkbook.json b/Solutions/Fortinet FortiNDR Cloud/Workbooks/FortinetFortiNdrCloudWorkbook.json
index 66e2d928827..ff4f60eb5d0 100644
--- a/Solutions/Fortinet FortiNDR Cloud/Workbooks/FortinetFortiNdrCloudWorkbook.json
+++ b/Solutions/Fortinet FortiNDR Cloud/Workbooks/FortinetFortiNdrCloudWorkbook.json
@@ -4,10 +4,74 @@
 {
 "type": 1,
 "content": {
- "json": "## FortiNDR Cloud workbook\n---\n>**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Fortinet%20FortiNDR%20Cloud/Parsers/Fortinet_FortiNDR_Cloud.md) to create the Kusto function alias **Fortinet_FortiNDR_Cloud**."
+ "json": "## FortiNDR Cloud workbook\n\nUse this workbook to review Suricata, observation, and detection activity from the Fortinet FortiNDR Cloud parser. Ensure the Kusto function alias **Fortinet_FortiNDR_Cloud** is deployed first, then use the time range and filters to focus on specific sensors, categories, severities, and confidence values.\n\n**Prerequisite:** the Fortinet FortiNDR Cloud Kusto function must exist in the workspace."
 },
 "name": "text - 2"
 },
+ {
+ "type": 11,
+ "content": {
+ "parameters": [
+ {
+ "id": "time_range_param",
+ "version": "KqlParameterItem/1.0",
+ "name": "TimeRange",
+ "type": 4,
+ "isRequired": true,
+ "isGlobal": true,
+ "value": {
+ "durationMs": 86400000
+ },
+ "typeSettings": {
+ "selectableValues": [
+ {
+ "durationMs": 3600000
+ },
+ {
+ "durationMs": 14400000
+ },
+ {
+ "durationMs": 43200000
+ },
+ {
+ "durationMs": 86400000
+ },
+ {
+ "durationMs": 172800000
+ },
+ {
+ "durationMs": 604800000
+ },
+ {
+ "durationMs": 2592000000
+ }
+ ]
+ }
+ },
+ {
+ "id": "subscription_param",
+ "version": "KqlParameterItem/1.0",
+ "name": "Subscription",
+ "type": 6,
+ "isRequired": true,
+ "multiSelect": true,
+ "quote": "'",
+ "delimiter": ","
+ },
+ {
+ "id": "workspace_param",
+ "version": "KqlParameterItem/1.0",
+ "name": "Workspace",
+ "type": 5,
+ "isRequired": true,
+ "multiSelect": true,
+ "quote": "'",
+ "delimiter": ","
+ }
+ ]
+ },
+ "name": "parameters"
+ },
 {
 "type": 11,
 "content": {
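Review bot: The rewritten intro text drops the only pointer to the parser deployment instructions (the `Fortinet_FortiNDR_Cloud.md` "Follow these steps" link on the removed line) while still telling the reader the Kusto function "must exist", so a user without the parser has nowhere to go from this page. Keep the link in the prerequisite sentence, e.g. `**Prerequisite:** the Kusto function alias **Fortinet_FortiNDR_Cloud** must exist in the workspace ([deployment steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Fortinet%20FortiNDR%20Cloud/Parsers/Fortinet_FortiNDR_Cloud.md)).` The new `isGlobal` `TimeRange` parameter shares its name with per-tab `TimeRange` pickers that the serialized workbook earlier in this diff still appears to define (with 14-day and 90-day defaults); if those remain, the tab-local parameter shadows the global one and the global picker has no effect on those tabs, so it is worth confirming which one the tab queries should honour. The new required `Subscription` and `Workspace` parameters are not visibly consumed by any query in this file's hunks; if nothing references `{Workspace}` the workbook prompts for values it never applies.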
@@ -144,10 +208,12 @@
 "showExportToExcel": true,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "piechart"
+ "visualization": "piechart",
+ "exportParameterName": "SelectedRow_0",
+ "noDataMessage": "No data matched the selected filters and time range."
 },
 "customWidth": "50",
- "name": "main-Suricata"
+ "name": "Suricata Counts by Category"
 },
 {
 "type": 3,
@@ -161,10 +227,12 @@
 "showExportToExcel": true,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "piechart"
+ "visualization": "piechart",
+ "exportParameterName": "SelectedRow_1",
+ "noDataMessage": "No data matched the selected filters and time range."
 },
 "customWidth": "50",
- "name": "main-observation"
+ "name": "Observation Counts by Title"
 },
 {
 "type": 3,
@@ -178,10 +246,12 @@
 "showExportToExcel": true,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "piechart"
+ "visualization": "piechart",
+ "exportParameterName": "SelectedRow_2",
+ "noDataMessage": "No data matched the selected filters and time range."
 },
 "customWidth": "50",
- "name": "main-detections-s"
+ "name": "Detection Counts by Severity"
 },
 {
 "type": 3,
@@ -195,10 +265,12 @@
 "showExportToExcel": true,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "piechart"
+ "visualization": "piechart",
+ "exportParameterName": "SelectedRow_0",
+ "noDataMessage": "No data matched the selected filters and time range."
 },
 "customWidth": "50",
- "name": "main-detections-s - Copy"
+ "name": "Detection Counts by Confidence"
 }
 ]
 },
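Review bot: The fourth pie chart (`Detection Counts by Confidence`, hunk `@@ -195,10 +265,12 @@`) exports to `"exportParameterName": "SelectedRow_0"`, the same parameter the first chart (`Suricata Counts by Category`) exports to, while the two charts between them get `SelectedRow_1` and `SelectedRow_2`; a selection in either chart overwrites the same parameter, so a consumer of `SelectedRow_0` cannot tell a Suricata category from a detection confidence. Either give it a distinct name, `"exportParameterName": "SelectedRow_3"`, or, if no step reads these `SelectedRow_*` parameters, drop the export settings altogether — no query in this file's hunks references them, so they may be dead configuration. The same `SelectedRow_1`/`SelectedRow_2` names are reused again by the Suricata chart and list in the hunks at `@@ -326,9 +398,11 @@` and `@@ -860,9 +934,12 @@`.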
@@ -218,7 +290,7 @@
 {
 "type": 1,
 "content": {
- "json": "**FortiDNR Cloud Suricata Chart:**"
+ "json": "## FortiNDR Cloud workbook\n\nUse this workbook to review Suricata, observation, and detection activity from the Fortinet FortiNDR Cloud parser. Ensure the Kusto function alias **Fortinet_FortiNDR_Cloud** is deployed first, then use the time range and filters to focus on specific sensors, categories, severities, and confidence values.\n\n**Prerequisites:** the Fortinet FortiNDR Cloud Kusto function must exist in the target workspace, and the workbook should be connected to a workspace that contains FortiNDR Cloud data. [Deployment steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Fortinet%20FortiNDR%20Cloud/Package/Content%20Hub/Workbooks/FortiNDR%20Cloud%20Workbook.json)"
 },
 "name": "text - 4"
 },
@@ -326,9 +398,11 @@
 "visualization": "barchart",
 "chartSettings": {
 "showLegend": true
- }
+ },
+ "exportParameterName": "SelectedRow_1",
+ "noDataMessage": "No data matched the selected filters and time range."
 },
- "name": "query - 2"
+ "name": "Suricata Events Over Time by Category"
 },
 {
 "type": 1,
@@ -860,9 +934,12 @@
 "nodeColorField": "http_hostname_enrichments_ip_enrichments_asn_asn_d",
 "heatmapPalette": "greenRed"
 }
- }
+ },
+ "noDataMessage": "No Suricata records matched the selected filters and time range.",
+ "noDataMessageStyle": "warning",
+ "exportParameterName": "SelectedRow_2"
 },
- "name": "FNC Suricata List"
+ "name": "Suricata Event List"
 }
 ]
 },
@@ -1006,9 +1083,10 @@
 "nodeColorField": "High",
 "heatmapPalette": "greenRed"
 }
- }
+ },
+ "noDataMessage": "No data matched the selected filters and time range."
 },
- "name": "query - 5"
+ "name": "Observation Events Over Time by Title"
 },
 {
 "type": 1,
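Review bot: The `text - 4` item inside the Suricata tab now carries the workbook-level heading and introduction (`## FortiNDR Cloud workbook …`) instead of a caption for the Suricata chart, so the same intro renders twice (at the top via `text - 2` and again when the Suricata tab is selected) and the chart below it loses its label. A tab caption such as `"json": "**FortiNDR Cloud Suricata Chart:**"` (which also fixes the `FortiDNR` typo of the removed line) looks like what was intended. The `[Deployment steps](…)` link in the new text points at the packaged workbook JSON under `Package/Content Hub/Workbooks/`, not at instructions; the parser guidance lives at `Parsers/Fortinet_FortiNDR_Cloud.md`, the target the intro removed in the first hunk of this file used.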
@@ -1422,9 +1500,11 @@
 "label": "customer_id"
 }
 ]
- }
+ },
+ "noDataMessage": "No observation records matched the selected filters and time range.",
+ "noDataMessageStyle": "warning"
 },
- "name": "FNC Observation List"
+ "name": "Observation Event List"
 }
 ]
 },
@@ -1613,10 +1693,12 @@
 "color": "redBright"
 }
 ]
- }
+ },
+ "visualization": "barchart",
+ "noDataMessage": "No data matched the selected filters and time range."
 },
 "customWidth": "50",
- "name": "query - 8 - Copy",
+ "name": "Detection Severity Over Time",
 "styleSettings": {
 "showBorder": true
 }
@@ -1650,10 +1732,12 @@
 "color": "redBright"
 }
 ]
- }
+ },
+ "visualization": "barchart",
+ "noDataMessage": "No data matched the selected filters and time range."
 },
 "customWidth": "50",
- "name": "query - 8 - Copy - Copy",
+ "name": "Detection Confidence Over Time",
 "styleSettings": {
 "showBorder": true
 }
@@ -2110,9 +2194,11 @@
 },
 "tileSettings": {
 "showBorder": false
- }
+ },
+ "noDataMessage": "No detection records matched the selected filters and time range.",
+ "noDataMessageStyle": "warning"
 },
- "name": "query - 6"
+ "name": "Detection Event List"
 }
 ]
 },