diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_workbook.json b/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_workbook.json
index a5d15385..7dd43557 100644
--- a/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_workbook.json
+++ b/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_workbook.json
@@ -29,7 +29,7 @@ "kind": "shared", "properties": { "displayName": "[parameters('WorkbookDisplayName')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsoft Security Copilot Audit Workbook](https://learn.microsoft.com/en-us/copilot/security/microsoft-security-copilot)\\n---\\n\\nMicrosoft Security Copilot is a generative AI-powered security solution designed to enhance the efficiency and capabilities of security professionals\\n\\nIt supports end-to-end scenarios such as incident response, threat hunting, intelligence gathering, and posture management\\nBy integrating with products like Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Intune, as well as third-party services like ServiceNow, Security Copilot leverages security-specific plugins, organizational data, authoritative sources, and global threat intelligence\\n\\nThis enables security professionals to gain wider visibility into threats, prioritize response efforts, and streamline decision-making\\n\\nCopilot for Security provides actionable guidance for incident response, translating complex security alerts into concise summaries and offering step-by-step directions for triage, investigation, containment, and remediation.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"f16d570f-12c1-48f2-94fa-7e114263a291\",\"cellValue\":\"Nav\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Security Copilot Audit\",\"subTarget\":\"audit\",\"preText\":\"Copilot for Security Audit Data\",\"style\":\"link\"},{\"id\":\"ab2c8e5c-1a0f-4041-ab18-c9b387ecf33b\",\"cellValue\":\"Nav\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Security Copilot Sign in Data\",\"subTarget\":\"Signin\",\"style\":\"link\"},{\"id\":\"03e3f1de-2a0f-4f14-ad2f-cba53365c4b3\",\"cellValue\":\"Nav\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Security Copilot SCU 
Events\",\"subTarget\":\"SCU\",\"style\":\"link\"}]},\"name\":\"links - 2\",\"styleSettings\":{\"padding\":\"0\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"41bb3efb-b37d-47d6-851a-64929f841597\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"e3388fc6-e10b-4a86-bdc1-22677adcb351\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":2419200000}},{\"id\":\"eede023b-bfca-4112-accb-440efb5709ab\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, 
false)\\r\\n\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"b68ed14e-d0e2-41b2-9444-b38c88394beb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"additionalResourceOptions\":[]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"variables('WorkbookSourceId')\"},{\"id\":\"1ba9eace-73f1-4958-a0a7-11bdb68195b9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"resourceGroup\",\"type\":1,\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| where id == \\\"{Workspace}\\\"\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 11 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IP_Data = \\r\\n external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)\\r\\n [@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\r\\n with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nIdentityLogonEvents\\r\\n| where AdditionalFields.[\\\"ARG.CLOUD_SERVICE\\\"] == \\\"Medeina Portal\\\"\\r\\n| extend IPaddresses=tostring(IPAddress)\\r\\n| where isnotempty(IPaddresses) \\r\\n| evaluate ipv4_lookup(IP_Data, IPaddresses, network)\\r\\n| summarize interactioncount = count() 
by IPAddress, country_name\\r\\n\",\"size\":2,\"title\":\"Succesfull Sign ins By Location\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"country_name\",\"sizeSettings\":\"interactioncount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"interactioncount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"interactioncount\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IP_Data = \\r\\n external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)\\r\\n [@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\r\\n with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nBehaviorAnalytics\\r\\n| where ActivityInsights.App == \\\"Medeina Portal\\\"\\r\\n| where ActivityInsights.Resource == \\\"Medeina Service\\\"\\r\\n| where ActivityType == \\\"FailedLogOn\\\"\\r\\n| extend IPaddresses=tostring(SourceIPAddress)\\r\\n| where isnotempty(IPaddresses) \\r\\n| evaluate ipv4_lookup(IP_Data, IPaddresses, network)\\r\\n| summarize interactioncount = count() by SourceIPAddress, country_name\\r\\n\",\"size\":2,\"title\":\"Failed Sign ins by Location 
\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"country_name\",\"sizeSettings\":\"interactioncount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"interactioncount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"interactioncount\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityLogonEvents\\r\\n| where TimeGenerated >= ago(24h)\\r\\n| where AdditionalFields.[\\\"ARG.CLOUD_SERVICE\\\"] == \\\"Security Copilot\\\"\\r\\n| extend User = AdditionalFields.[\\\"ACTOR.ALIAS\\\"]\\r\\n| project AccountDomain, User, ActionType, AccountUpn, IPAddress, Location, ISP, OSPlatform, DeviceType\",\"size\":0,\"title\":\"Successfull Sign ins for Security Copilot\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"100\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Failed signins to the CfS service exposing user, reason, and other necessary information.\\r\\n\\r\\nBehaviorAnalytics\\r\\n| where TimeGenerated >= ago(7d)\\r\\n| where ActivityInsights.App == \\\"Medeina Portal\\\"\\r\\n| where ActivityInsights.Resource == \\\"Medeina Service\\\"\\r\\n| where ActivityType == \\\"FailedLogOn\\\"\\r\\n| project UserName, UserPrincipalName, ActionType, EventSource, SourceIPAddress, SourceIPLocation\",\"size\":0,\"title\":\"Failed Sign ins for Security 
Copilot\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ActionType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"User did not pass the MFA challenge\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"\\t Other\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Invalid username or password \",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Flow token expired - Authentication Failed\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Device Authentication Required\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"100\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BehaviorAnalytics\\r\\n| where TimeGenerated >= ago(7d)\\r\\n| where ActivityInsights.App == \\\"Medeina Portal\\\"\\r\\n| where ActivityInsights.Resource == \\\"Medeina Service\\\"\\r\\n| where ActivityType == \\\"FailedLogOn\\\"\\r\\n| summarize Failedlogin = count() by ActionType\\r\\n\",\"size\":0,\"title\":\"Failed Sign ins By Reason\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"Nav\",\"comparison\":\"isEqualTo\",\"value\":\"Signin\"},\"name\":\"group - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"061dd12a-4223-4b86-8d66-51dd276c35ae\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"0e871995-794b-4969-a964-4d4aeaa29e9b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"88276ecc-5d60-47cd-acfc-e1e61c4e3545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, 
false)\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"variables('WorkbookSourceId')\"},{\"id\":\"ca3cd047-6606-44e1-87a6-117bf68ab98e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"additionalResourceOptions\":[]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"variables('WorkbookSourceId')\"},{\"id\":\"81626c63-e609-4a86-9d65-c57d01c8307e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"resourceGroup\",\"type\":1,\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| where id == \\\"{Workspace}\\\"\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| distinct AccountDisplayName\\r\\n| count\",\"size\":3,\"title\":\"Total number of users for Security 
Copilot\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"16\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 261\\r\\n| count \",\"size\":4,\"title\":\"Total No: Prompts\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"16\",\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 325\\r\\n| where ActionType == \\\"UploadFile\\\"\\r\\n| count\",\"size\":4,\"title\":\"File 
Uploads\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where ActionType == \\\"DisableCopilotPlugin\\\"\\r\\n| count \",\"size\":4,\"title\":\"Disabled Security Copilot Plugins\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where DisplayName == \\\"Security Copilot - Anomalous Operations by Copilot for Security User\\\" \\r\\n| where DisplayName == \\\"Security Copilot - Anomalous sign-in activity by Copilot for Security user\\\"\\r\\n| where DisplayName == \\\"Security Copilot - TI map IP entity to Prompts\\\"\\r\\n| where DisplayName == \\\"Security Copilot-Audit logging settings changes\\\"\\r\\n| count \",\"size\":4,\"title\":\"Security Copilot 
Detections\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy - Copy - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where ActionType == \\\"UpdateCopilotSettings\\\"\\r\\n| count\",\"size\":4,\"title\":\"Changed Security Copilot Settings\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 261\\r\\n| extend AppHost = tostring(parse_json(tostring(RawEventData.CopilotEventData)).AppHost)\\r\\n| where AppHost !contains \\\"test\\\"\\r\\n| summarize count() by AppHost\",\"size\":0,\"title\":\"Security Copilot Prompts Per 
Experience\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"CopilotEventData_AppHost_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"40\",\"name\":\"query - 15\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 261\\r\\n| extend AppHost = tostring(parse_json(tostring(RawEventData.CopilotEventData)).AppHost)\\r\\n| where AppHost !contains \\\"test\\\" \\r\\n| summarize CountPerAppHost = count() by bin(TimeGenerated, 1d), AppHost\\r\\n| join kind=leftouter ( CloudAppEvents\\r\\n| where RawEventData.RecordType == 261\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| extend AppHost = tostring(parse_json(tostring(RawEventData.CopilotEventData)).AppHost)\\r\\n| where AppHost !contains \\\"test\\\" \\r\\n| summarize TotalCount = count() by bin(TimeGenerated, 1d)\\r\\n) on TimeGenerated\\r\\n| project TimeGenerated, AppHost, CountPerAppHost, TotalCount\",\"size\":0,\"title\":\"Prompts over time 
\",\"color\":\"turquoise\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeBrush\",\"exportFieldName\":\"CreatedTime\",\"exportParameterName\":\"TimePicker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"categoricalbar\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"UserKey_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"promptCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"yAxis\":[\"CountPerAppHost\"],\"group\":\"AppHost\",\"createOtherGroup\":null,\"seriesLabelSettings\":[{\"seriesName\":\"count_\",\"label\":\"Count of prompts\"},{\"seriesName\":\"Copilot in Intune\",\"label\":\"Copilot in Intune\"},{\"seriesName\":\"Copilot in Defender\",\"label\":\"Copilot in Defender\"},{\"seriesName\":\"Copilot in Microsoft Purview\",\"label\":\"Copilot in Microsoft Purview\"},{\"seriesName\":\"Security Copilot standalone\",\"label\":\"Security Copilot standalone\"},{\"seriesName\":\"Copilot in Azure Firewall\",\"label\":\"Copilot in Azure Firewall\"},{\"seriesName\":\"Copilot in Microsoft Entra\",\"label\":\"Copilot in Microsoft Entra\"},{\"seriesName\":\"Copilot in Defender External Attack Surface Management (EASM)\",\"label\":\"Copilot in Defender External Attack Surface Management (EASM)\"}],\"ySettings\":{\"label\":\"Sum\"}}},\"customWidth\":\"60\",\"name\":\"Prompts over time \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 261\\r\\n| extend AppHost = 
tostring(parse_json(tostring(RawEventData.CopilotEventData)).AppHost)\\r\\n| where AppHost !contains \\\"test\\\" and AppHost !contains \\\"unknown\\\"\\r\\n| summarize interactioncount = count() by AppHost\",\"size\":0,\"title\":\"Security Copilot Prompts per Action\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"40\",\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 261\\r\\n| extend AppHost = tostring(parse_json(tostring(RawEventData.CopilotEventData)).AppHost)\\r\\n| where AppHost !contains \\\"test\\\"\\r\\n| summarize CopilotInDefender = countif(AppHost == \\\"Copilot in Defender\\\"),\\r\\nAutomation = countif(AppHost == \\\"Logic App\\\"), \\r\\nStandalone = countif(AppHost == \\\"Security Copilot standalone\\\"), \\r\\nCopilotInMicrosoftPurview = countif(AppHost == \\\"Sopilot in Microsoft Purview\\\"), \\r\\nCopilotinMicrosoftEntra = countif(AppHost == \\\"Copilot in Microsoft Entra\\\"),\\r\\nCopilotInIntune = countif(AppHost == \\\"Copilot in Intune\\\"), \\r\\nEASM = countif(AppHost == \\\"Copilot in Defender External Attack Surface Management (EASM)\\\"), \\r\\nCopilotInAzureFirewall = countif(AppHost == \\\"Copilot in Azure Firewall\\\"),\\r\\nTotalPrompts = count() by AccountDisplayName\\r\\n| sort by TotalPrompts\",\"size\":0,\"title\":\"Top Users 
Prompts\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Automation\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"Standalone\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"CopilotInMicrosoftPurview\",\"formatter\":4,\"formatOptions\":{\"palette\":\"purple\"}},{\"columnMatch\":\"CopilotinMicrosoftEntra\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orangeDark\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"CopilotInIntune\",\"formatter\":4,\"formatOptions\":{\"palette\":\"magenta\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"EASM\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"CopilotInAzureFirewall\",\"formatter\":4,\"formatOptions\":{\"palette\":\"brown\",\"aggregation\":\"Count\"}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"CopilotInDefender\",\"label\":\"DefenderXDR\"},{\"columnId\":\"CopilotInMicrosoftPurview\",\"label\":\"Purview\"},{\"columnId\":\"CopilotinMicrosoftEntra\",\"label\":\"Entra\"},{\"columnId\":\"CopilotInIntune\",\"label\":\"Intune\"},{\"columnId\":\"CopilotInAzureFirewall\",\"label\":\"AZFW\"}]},\"tileSettings\":{\"showBorder\":false}},\"customWidth\":\"60\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IP_Data = \\n external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)\\n [@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\n with (ignoreFirstRecord=true, format=\\\"csv\\\");\\nCloudAppEvents\\n| where 
parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\n| extend ClientIP = tostring(RawEventData.ClientIP)\\n| extend IPaddresses=tostring(ClientIP)\\n| where isnotempty(IPaddresses) \\n| evaluate ipv4_lookup(IP_Data, IPaddresses, network)\\n| summarize interactioncount = count() by ClientIP, country_name\",\"size\":0,\"title\":\"Security Copilot Interactions by Location\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"country_name\",\"latitude\":\"_TableName\",\"longitude\":\"_TableName\",\"sizeSettings\":\"interactioncount\",\"sizeAggregation\":\"Sum\",\"maxSize\":100,\"legendMetric\":\"interactioncount\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"SignInCount\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"40\",\"name\":\"query - 2\",\"styleSettings\":{\"padding\":\"0\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType in (\\\"320\\\", \\\"321\\\", \\\"322\\\")\\r\\n| project TimeGenerated, AccountDisplayName, Operation = ActionType , ClientIP = RawEventData.ClientIP, CopilotSettingsEventData_Resource = tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property)\\r\\n| sort by TimeGenerated\\r\\n| take 50\",\"size\":0,\"title\":\"Security Copilot - Promptbook 
Interactions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Create\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Delete\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Update\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ClientIP\",\"formatter\":5}]}},\"customWidth\":\"60\",\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 313\\r\\n| extend Operation = tostring(RawEventData.Operation)\\r\\n| where Operation contains \\\"Enable\\\"\\r\\n| where parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property <> \\\"FileUploads\\\"\\r\\n| extend PluginsName = tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property)\\r\\n| where parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].NewValue == \\\"Enabled\\\"\\r\\n| where PluginsName !contains \\\"ApiValidatorDefangUrlSkillsetUser\\\"\\r\\n| mv-expand todynamic(PluginsName)\\r\\n| project TimeGenerated, AccountDisplayName, PluginsName\\r\\n| sort by TimeGenerated\",\"size\":0,\"title\":\"Enable Plugin 
Opertion\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"PluginsName\",\"label\":\"Plugin_Name\"}]}},\"customWidth\":\"40\",\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 314\\r\\n| extend Operation = tostring(RawEventData.Operation)\\r\\n| where parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].NewValue == \\\"Disabled\\\"\\r\\n| where parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property <> \\\"FileUploads\\\"\\r\\n| extend PluginsName = tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property)\\r\\n| where PluginsName !contains \\\"ApiValidatorDefangUrlSkillsetUser\\\"\\r\\n| mv-expand todynamic(PluginsName)\\r\\n| project TimeGenerated, AccountDisplayName, PluginsName\\r\\n| sort by TimeGenerated\",\"size\":0,\"title\":\"Disable Plugin\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"PluginsName\",\"label\":\"PluginName\"}]}},\"customWidth\":\"60\",\"name\":\"query - 13\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where 
RawEventData.RecordType == 325\\r\\n| extend Operation = tostring(RawEventData.Operation)\\r\\n| where Operation <> \\\"DeleteFile\\\"\\r\\n| extend Property = tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property)\\r\\n| where Property != \\\"Skillsets.ApiValidatorDefangUrlSkillsetTenant\\\" and Property != \\\"Skillsets.ApiValidatorDefangUrlSkillsetUser\\\"\\r\\n| extend NewValue = tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].NewValue)\\r\\n| extend Property1 = substring(Property, 9) \\r\\n| extend Enable = NewValue\\r\\n| extend SettingLevel = case( Property1 contains \\\"AllowAuditLogging\\\", \\\"TenantLevel\\\", Property1 contains \\\"tenant\\\" , \\\"TenantLevel\\\", Property1 contains \\\"allowO365DataCollection\\\", \\\"TenantLevel\\\", Property1 contains \\\"User\\\", \\\"UserLevel\\\", \\\"Unknown\\\"\\r\\n)\\r\\n| project TimeGenerated, AccountDisplayName, Property1 ,SettingLevel, NewValue\\r\\n| sort by TimeGenerated, SettingLevel asc \",\"size\":0,\"title\":\"Change Setting 
Opertion\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SettingLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"TenantLevel\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"NewValue\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"True\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"False\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":null,\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Action\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"True\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"False\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"labelSettings\":[{\"columnId\":\"Property1\",\"label\":\"Action\"},{\"columnId\":\"NewValue\",\"label\":\"Value\"}]}},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"Nav\",\"comparison\":\"isEqualTo\",\"value\":\"audit\"},\"name\":\"group - 
12\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"variables('WorkbookSourceId')\"],\"parameters\":[{\"id\":\"59e79699-280b-4339-8cd2-55624b203cac\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"fefebdf8-9122-4dc4-ae76-5817d7e3bace\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"6cbd900c-7049-484c-a0eb-d23c1ac5ff38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, 
false)\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"variables('WorkbookSourceId')\"},{\"id\":\"37403463-ff86-47c0-8d04-3f432d0413a3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"variables('WorkbookSourceId')\"},{\"id\":\"8ac8842a-fc4e-44fd-9542-72baf58224f1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"resourceGroup\",\"type\":1,\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| where id == \\\"{Workspace}\\\"\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"arg(\\\"\\\").resourcechanges\\r\\n| extend timestamp = todatetime(properties[\\\"changeAttributes\\\"][\\\"timestamp\\\"])\\r\\n| extend changes = properties[\\\"changes\\\"]\\r\\n| extend ResourceId = tostring(properties[\\\"targetResourceId\\\"])\\r\\n| extend CorrelationId = tostring(properties[\\\"changeAttributes\\\"][\\\"correlationId\\\"]) \\r\\n| extend changeType = tostring(properties.changeType)\\r\\n| where changeType == \\\"Update\\\"\\r\\n| where changes contains \\\"numberOfUnits\\\"\\r\\n| extend newValue = 
tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).newValue)\\r\\n| extend previousValue = tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).previousValue)\\r\\n| extend changedBy = tostring(parse_json(tostring(properties.changeAttributes)).changedBy)\\r\\n| sort by timestamp\\r\\n| take 1\\r\\n| project toint(newValue)\",\"size\":4,\"title\":\"Number Of SCU's\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"newValue\",\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"30\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"arg(\\\"\\\").resourcechanges\\r\\n| extend timestamp = todatetime(properties[\\\"changeAttributes\\\"][\\\"timestamp\\\"])\\r\\n| where timestamp > ago(60d)\\r\\n| extend changes = properties[\\\"changes\\\"]\\r\\n| extend ResourceId = tostring(properties[\\\"targetResourceId\\\"])\\r\\n| extend CorrelationId = tostring(properties[\\\"changeAttributes\\\"][\\\"correlationId\\\"]) \\r\\n| extend changeType = tostring(properties.changeType)\\r\\n| where changeType == \\\"Update\\\"\\r\\n| where changes contains \\\"numberOfUnits\\\"\\r\\n| extend newValue = tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).newValue)\\r\\n| extend previousValue = tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).previousValue)\\r\\n| extend changedBy = tostring(parse_json(tostring(properties.changeAttributes)).changedBy)\\r\\n| project timestamp, previousValue, newValue , changedBy\",\"size\":1,\"title\":\"SCU 
Chnages\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"70\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where ResourceProviderValue contains \\\"copilot\\\"\",\"size\":0,\"title\":\"SCU capacity Activities\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Nav\",\"comparison\":\"isEqualTo\",\"value\":\"SCU\"},\"name\":\"group - 4\"}],\"isLocked\":false,\"fallbackResourceIds\":[\"variables('WorkbookSourceId')\"],\"fromTemplateId\":\"sentinel-UserWorkbook\"}", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsoft Security Copilot Audit Workbook](https://learn.microsoft.com/en-us/copilot/security/microsoft-security-copilot)\\n---\\n\\nMicrosoft Security Copilot is a generative AI-powered security solution designed to enhance the efficiency and capabilities of security professionals\\n\\nIt supports end-to-end scenarios such as incident response, threat hunting, intelligence gathering, and posture management\\nBy integrating with products like Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Intune, as well as third-party services like ServiceNow, Security Copilot leverages security-specific plugins, organizational data, authoritative sources, and global threat intelligence\\n\\nThis enables security professionals to gain wider visibility into threats, prioritize response efforts, and streamline decision-making\\n\\nCopilot for Security provides actionable guidance for incident response, translating complex security alerts into concise summaries and 
offering step-by-step directions for triage, investigation, containment, and remediation.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"f16d570f-12c1-48f2-94fa-7e114263a291\",\"cellValue\":\"Nav\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Security Copilot Audit\",\"subTarget\":\"audit\",\"preText\":\"Copilot for Security Audit Data\",\"style\":\"link\"},{\"id\":\"ab2c8e5c-1a0f-4041-ab18-c9b387ecf33b\",\"cellValue\":\"Nav\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Security Copilot Sign in Data\",\"subTarget\":\"Signin\",\"style\":\"link\"},{\"id\":\"03e3f1de-2a0f-4f14-ad2f-cba53365c4b3\",\"cellValue\":\"Nav\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Security Copilot SCU Events\",\"subTarget\":\"SCU\",\"style\":\"link\"}]},\"name\":\"links - 2\",\"styleSettings\":{\"padding\":\"0\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"41bb3efb-b37d-47d6-851a-64929f841597\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project 
subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"e3388fc6-e10b-4a86-bdc1-22677adcb351\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":2419200000}},{\"id\":\"eede023b-bfca-4112-accb-440efb5709ab\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\\r\\n\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"b68ed14e-d0e2-41b2-9444-b38c88394beb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project 
id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"additionalResourceOptions\":[]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"variables('WorkbookSourceId')\"},{\"id\":\"1ba9eace-73f1-4958-a0a7-11bdb68195b9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"resourceGroup\",\"type\":1,\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| where id == \\\"{Workspace}\\\"\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 11 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IP_Data = \\r\\n external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)\\r\\n [@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\r\\n with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nIdentityLogonEvents\\r\\n| where AdditionalFields.[\\\"ARG.CLOUD_SERVICE\\\"] == \\\"Security Copilot\\\"\\r\\n| extend IPaddresses=tostring(IPAddress)\\r\\n| where isnotempty(IPaddresses) \\r\\n| evaluate ipv4_lookup(IP_Data, IPaddresses, network)\\r\\n| summarize interactioncount = count() by IPAddress, country_name\\r\\n\",\"size\":2,\"title\":\"Succesfull Sign ins By 
Location\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"country_name\",\"sizeSettings\":\"interactioncount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"interactioncount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"interactioncount\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IP_Data = \\r\\n external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)\\r\\n [@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\r\\n with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nBehaviorAnalytics\\r\\n| where ActivityInsights.App == \\\"Security Copilot\\\"\\r\\n| where ActivityInsights.Resource == \\\"Security Copilot\\\"\\r\\n| where ActivityType == \\\"FailedLogOn\\\"\\r\\n| extend IPaddresses=tostring(SourceIPAddress)\\r\\n| where isnotempty(IPaddresses) \\r\\n| evaluate ipv4_lookup(IP_Data, IPaddresses, network)\\r\\n| summarize interactioncount = count() by SourceIPAddress, country_name\\r\\n\",\"size\":2,\"title\":\"Failed Sign ins by Location 
\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"country_name\",\"sizeSettings\":\"interactioncount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"interactioncount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"interactioncount\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityLogonEvents\\r\\n| where TimeGenerated >= ago(24h)\\r\\n| where AdditionalFields.[\\\"ARG.CLOUD_SERVICE\\\"] == \\\"Security Copilot\\\"\\r\\n| extend User = AdditionalFields.[\\\"ACTOR.ALIAS\\\"]\\r\\n| project AccountDomain, User, ActionType, AccountUpn, IPAddress, Location, ISP, OSPlatform, DeviceType\",\"size\":0,\"title\":\"Successfull Sign ins for Security Copilot\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"100\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Failed signins to the CfS service exposing user, reason, and other necessary information.\\r\\n\\r\\nBehaviorAnalytics\\r\\n| where TimeGenerated >= ago(7d)\\r\\n| where ActivityInsights.App == \\\"Security Copilot\\\"\\r\\n| where ActivityInsights.Resource == \\\"Security Copilot\\\"\\r\\n| where ActivityType == \\\"FailedLogOn\\\"\\r\\n| project UserName, UserPrincipalName, ActionType, EventSource, SourceIPAddress, SourceIPLocation\",\"size\":0,\"title\":\"Failed Sign ins for Security 
Copilot\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ActionType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"User did not pass the MFA challenge\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"\\t Other\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Invalid username or password \",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Flow token expired - Authentication Failed\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Device Authentication Required\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"100\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BehaviorAnalytics\\r\\n| where TimeGenerated >= ago(7d)\\r\\n| where ActivityInsights.App == \\\"Security Copilot\\\"\\r\\n| where ActivityInsights.Resource == \\\"Security Copilot\\\"\\r\\n| where ActivityType == \\\"FailedLogOn\\\"\\r\\n| summarize Failedlogin = count() by ActionType\\r\\n\",\"size\":0,\"title\":\"Failed Sign ins By Reason\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"Nav\",\"comparison\":\"isEqualTo\",\"value\":\"Signin\"},\"name\":\"group - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"061dd12a-4223-4b86-8d66-51dd276c35ae\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"0e871995-794b-4969-a964-4d4aeaa29e9b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"88276ecc-5d60-47cd-acfc-e1e61c4e3545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"ca3cd047-6606-44e1-87a6-117bf68ab98e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"query\":\"where type =~ 
'microsoft.operationalinsights/workspaces'\\r\\n| project id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"additionalResourceOptions\":[]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":null},{\"id\":\"81626c63-e609-4a86-9d65-c57d01c8307e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"resourceGroup\",\"type\":1,\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| where id == \\\"{Workspace}\\\"\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| distinct AccountDisplayName\\r\\n| count\",\"size\":3,\"title\":\"Total number of users for Security Copilot\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"16\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 261\\r\\n| 
count \",\"size\":4,\"title\":\"Total No: Prompts\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"16\",\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 325\\r\\n| where ActionType == \\\"UploadFile\\\"\\r\\n| count\",\"size\":4,\"title\":\"File Uploads\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where ActionType == \\\"DisableCopilotPlugin\\\"\\r\\n| count \",\"size\":4,\"title\":\"Disabled Security Copilot 
Plugins\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where DisplayName == \\\"Security Copilot - Anomalous Operations by Copilot for Security User\\\" \\r\\n| where DisplayName == \\\"Security Copilot - Anomalous sign-in activity by Copilot for Security user\\\"\\r\\n| where DisplayName == \\\"Security Copilot - TI map IP entity to Prompts\\\"\\r\\n| where DisplayName == \\\"Security Copilot-Audit logging settings changes\\\"\\r\\n| count \",\"size\":4,\"title\":\"Security Copilot Detections\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy - Copy - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where ActionType == \\\"UpdateCopilotSettings\\\"\\r\\n| count\",\"size\":4,\"title\":\"Changed Security Copilot 
Settings\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 261\\r\\n| extend AppHost = tostring(parse_json(tostring(RawEventData.CopilotEventData)).AppHost)\\r\\n| where AppHost !contains \\\"test\\\"\\r\\n| summarize count() by AppHost\",\"size\":0,\"title\":\"Security Copilot Prompts Per Experience\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"CopilotEventData_AppHost_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"40\",\"name\":\"query - 15\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 261\\r\\n| extend AppHost = 
tostring(parse_json(tostring(RawEventData.CopilotEventData)).AppHost)\\r\\n| where AppHost !contains \\\"test\\\" \\r\\n| summarize CountPerAppHost = count() by bin(TimeGenerated, 1d), AppHost\\r\\n| join kind=leftouter ( CloudAppEvents\\r\\n| where RawEventData.RecordType == 261\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| extend AppHost = tostring(parse_json(tostring(RawEventData.CopilotEventData)).AppHost)\\r\\n| where AppHost !contains \\\"test\\\" \\r\\n| summarize TotalCount = count() by bin(TimeGenerated, 1d)\\r\\n) on TimeGenerated\\r\\n| project TimeGenerated, AppHost, CountPerAppHost, TotalCount\",\"size\":0,\"title\":\"Prompts over time \",\"color\":\"turquoise\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeBrush\",\"exportFieldName\":\"CreatedTime\",\"exportParameterName\":\"TimePicker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"categoricalbar\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"UserKey_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"promptCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"yAxis\":[\"CountPerAppHost\"],\"group\":\"AppHost\",\"createOtherGroup\":null,\"seriesLabelSettings\":[{\"seriesName\":\"count_\",\"label\":\"Count of prompts\"},{\"seriesName\":\"Copilot in Intune\",\"label\":\"Copilot in Intune\"},{\"seriesName\":\"Copilot in Defender\",\"label\":\"Copilot in Defender\"},{\"seriesName\":\"Copilot in Microsoft Purview\",\"label\":\"Copilot in Microsoft Purview\"},{\"seriesName\":\"Security Copilot standalone\",\"label\":\"Security Copilot standalone\"},{\"seriesName\":\"Copilot in Azure 
Firewall\",\"label\":\"Copilot in Azure Firewall\"},{\"seriesName\":\"Copilot in Microsoft Entra\",\"label\":\"Copilot in Microsoft Entra\"},{\"seriesName\":\"Copilot in Defender External Attack Surface Management (EASM)\",\"label\":\"Copilot in Defender External Attack Surface Management (EASM)\"}],\"ySettings\":{\"label\":\"Sum\"}}},\"customWidth\":\"60\",\"name\":\"Prompts over time \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 261\\r\\n| extend AppHost = tostring(parse_json(tostring(RawEventData.CopilotEventData)).AppHost)\\r\\n| where AppHost !contains \\\"test\\\" and AppHost !contains \\\"unknown\\\"\\r\\n| summarize interactioncount = count() by AppHost\",\"size\":0,\"title\":\"Security Copilot Prompts per Action\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"40\",\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 261\\r\\n| extend AppHost = tostring(parse_json(tostring(RawEventData.CopilotEventData)).AppHost)\\r\\n| where AppHost !contains \\\"test\\\"\\r\\n| summarize CopilotInDefender = countif(AppHost == \\\"Copilot in Defender\\\"),\\r\\nAutomation = countif(AppHost == \\\"Logic App\\\"), \\r\\nStandalone = countif(AppHost == \\\"Security Copilot standalone\\\"), 
\\r\\nCopilotInMicrosoftPurview = countif(AppHost == \\\"Sopilot in Microsoft Purview\\\"), \\r\\nCopilotinMicrosoftEntra = countif(AppHost == \\\"Copilot in Microsoft Entra\\\"),\\r\\nCopilotInIntune = countif(AppHost == \\\"Copilot in Intune\\\"), \\r\\nEASM = countif(AppHost == \\\"Copilot in Defender External Attack Surface Management (EASM)\\\"), \\r\\nCopilotInAzureFirewall = countif(AppHost == \\\"Copilot in Azure Firewall\\\"),\\r\\nTotalPrompts = count() by AccountDisplayName\\r\\n| sort by TotalPrompts\",\"size\":0,\"title\":\"Top Users Prompts\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Automation\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"Standalone\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"CopilotInMicrosoftPurview\",\"formatter\":4,\"formatOptions\":{\"palette\":\"purple\"}},{\"columnMatch\":\"CopilotinMicrosoftEntra\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orangeDark\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"CopilotInIntune\",\"formatter\":4,\"formatOptions\":{\"palette\":\"magenta\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"EASM\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"CopilotInAzureFirewall\",\"formatter\":4,\"formatOptions\":{\"palette\":\"brown\",\"aggregation\":\"Count\"}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"CopilotInDefender\",\"label\":\"DefenderXDR\"},{\"columnId\":\"CopilotInMicrosoftPurview\",\"label\":\"Purview\"},{\"columnId\":\"CopilotinMicrosoftEntra\",\"label\":\"Entra\"},{\"columnId\":\"CopilotInIntune\",\"label\":\"Intune\"},{\"columnId\":\"CopilotInAzureFirewall\",\"label\":\"AZFW\"}]},\"tileSettings\":{\"showBorder\":false}},\"custo
mWidth\":\"60\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IP_Data = \\n external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)\\n [@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\n with (ignoreFirstRecord=true, format=\\\"csv\\\");\\nCloudAppEvents\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\n| extend ClientIP = tostring(RawEventData.ClientIP)\\n| extend IPaddresses=tostring(ClientIP)\\n| where isnotempty(IPaddresses) \\n| evaluate ipv4_lookup(IP_Data, IPaddresses, network)\\n| summarize interactioncount = count() by ClientIP, country_name\",\"size\":0,\"title\":\"Security Copilot Interactions by Location\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"country_name\",\"latitude\":\"_TableName\",\"longitude\":\"_TableName\",\"sizeSettings\":\"interactioncount\",\"sizeAggregation\":\"Sum\",\"maxSize\":100,\"opacity\":0.5,\"legendMetric\":\"interactioncount\",\"legendAggregation\":\"Count\",\"itemColorSettings\":null}},\"customWidth\":\"40\",\"name\":\"query - 2\",\"styleSettings\":{\"padding\":\"0\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType in (\\\"320\\\", \\\"321\\\", \\\"322\\\")\\r\\n| project TimeGenerated, 
AccountDisplayName, Operation = ActionType , ClientIP = RawEventData.ClientIP, CopilotSettingsEventData_Resource = tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property)\\r\\n| sort by TimeGenerated\\r\\n| take 50\",\"size\":0,\"title\":\"Security Copilot - Promptbook Interactions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Create\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Delete\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Update\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ClientIP\",\"formatter\":5}]}},\"customWidth\":\"60\",\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 313\\r\\n| extend Operation = tostring(RawEventData.Operation)\\r\\n| where Operation contains \\\"Enable\\\"\\r\\n| where parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property <> \\\"FileUploads\\\"\\r\\n| extend PluginsName = tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property)\\r\\n| where 
parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].NewValue == \\\"Enabled\\\"\\r\\n| where PluginsName !contains \\\"ApiValidatorDefangUrlSkillsetUser\\\"\\r\\n| mv-expand todynamic(PluginsName)\\r\\n| project TimeGenerated, AccountDisplayName, PluginsName\\r\\n| sort by TimeGenerated\",\"size\":0,\"title\":\"Enable Plugin Opertion\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"PluginsName\",\"label\":\"Plugin_Name\"}]}},\"customWidth\":\"40\",\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 314\\r\\n| extend Operation = tostring(RawEventData.Operation)\\r\\n| where parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].NewValue == \\\"Disabled\\\"\\r\\n| where parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property <> \\\"FileUploads\\\"\\r\\n| extend PluginsName = tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property)\\r\\n| where PluginsName !contains \\\"ApiValidatorDefangUrlSkillsetUser\\\"\\r\\n| mv-expand todynamic(PluginsName)\\r\\n| project TimeGenerated, AccountDisplayName, PluginsName\\r\\n| sort by TimeGenerated\",\"size\":0,\"title\":\"Disable 
Plugin\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"PluginsName\",\"label\":\"PluginName\"}]}},\"customWidth\":\"60\",\"name\":\"query - 13\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 325\\r\\n| extend Operation = tostring(RawEventData.Operation)\\r\\n| where Operation <> \\\"DeleteFile\\\"\\r\\n| extend Property = tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property)\\r\\n| where Property != \\\"Skillsets.ApiValidatorDefangUrlSkillsetTenant\\\" and Property != \\\"Skillsets.ApiValidatorDefangUrlSkillsetUser\\\"\\r\\n| extend NewValue = tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].NewValue)\\r\\n| extend Property1 = substring(Property, 9) \\r\\n| extend Enable = NewValue\\r\\n| extend SettingLevel = case( Property1 contains \\\"AllowAuditLogging\\\", \\\"TenantLevel\\\", Property1 contains \\\"tenant\\\" , \\\"TenantLevel\\\", Property1 contains \\\"allowO365DataCollection\\\", \\\"TenantLevel\\\", Property1 contains \\\"User\\\", \\\"UserLevel\\\", \\\"Unknown\\\"\\r\\n)\\r\\n| project TimeGenerated, AccountDisplayName, Property1 ,SettingLevel, NewValue\\r\\n| sort by TimeGenerated, SettingLevel asc \",\"size\":0,\"title\":\"Change Setting 
Opertion\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SettingLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"TenantLevel\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"NewValue\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"True\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"False\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":null,\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Action\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"True\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"False\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"labelSettings\":[{\"columnId\":\"Property1\",\"label\":\"Action\"},{\"columnId\":\"NewValue\",\"label\":\"Value\"}]}},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"Nav\",\"comparison\":\"isEqualTo\",\"value\":\"audit\"},\"name\":\"group - 
12\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"variables('WorkbookSourceId')\"],\"parameters\":[{\"id\":\"59e79699-280b-4339-8cd2-55624b203cac\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"fefebdf8-9122-4dc4-ae76-5817d7e3bace\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"6cbd900c-7049-484c-a0eb-d23c1ac5ff38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, 
false)\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"37403463-ff86-47c0-8d04-3f432d0413a3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":null},{\"id\":\"8ac8842a-fc4e-44fd-9542-72baf58224f1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"resourceGroup\",\"type\":1,\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| where id == \\\"{Workspace}\\\"\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"arg(\\\"\\\").resourcechanges\\r\\n| extend timestamp = todatetime(properties[\\\"changeAttributes\\\"][\\\"timestamp\\\"])\\r\\n| extend changes = properties[\\\"changes\\\"]\\r\\n| extend ResourceId = tostring(properties[\\\"targetResourceId\\\"])\\r\\n| extend CorrelationId = tostring(properties[\\\"changeAttributes\\\"][\\\"correlationId\\\"]) \\r\\n| extend changeType = tostring(properties.changeType)\\r\\n| where changeType == \\\"Update\\\"\\r\\n| where changes contains \\\"numberOfUnits\\\"\\r\\n| extend newValue = tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).newValue)\\r\\n| extend previousValue = 
tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).previousValue)\\r\\n| extend changedBy = tostring(parse_json(tostring(properties.changeAttributes)).changedBy)\\r\\n| sort by timestamp\\r\\n| take 1\\r\\n| project toint(newValue)\",\"size\":4,\"title\":\"Number Of SCU's\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"newValue\",\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"30\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"arg(\\\"\\\").resourcechanges\\r\\n| extend timestamp = todatetime(properties[\\\"changeAttributes\\\"][\\\"timestamp\\\"])\\r\\n| where timestamp > ago(60d)\\r\\n| extend changes = properties[\\\"changes\\\"]\\r\\n| extend ResourceId = tostring(properties[\\\"targetResourceId\\\"])\\r\\n| extend CorrelationId = tostring(properties[\\\"changeAttributes\\\"][\\\"correlationId\\\"]) \\r\\n| extend changeType = tostring(properties.changeType)\\r\\n| where changeType == \\\"Update\\\"\\r\\n| where changes contains \\\"numberOfUnits\\\"\\r\\n| extend newValue = tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).newValue)\\r\\n| extend previousValue = tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).previousValue)\\r\\n| extend changedBy = tostring(parse_json(tostring(properties.changeAttributes)).changedBy)\\r\\n| project timestamp, previousValue, newValue , changedBy\",\"size\":1,\"title\":\"SCU Changes\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"70\",\"name\":\"query - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where ResourceProviderValue contains \\\"copilot\\\"\",\"size\":0,\"title\":\"SCU capacity Activities\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Nav\",\"comparison\":\"isEqualTo\",\"value\":\"SCU\"},\"name\":\"group - 4\"}],\"isLocked\":false,\"fallbackResourceIds\":[\"variables('WorkbookSourceId')\"],\"fromTemplateId\":\"sentinel-UserWorkbook\"}", "version": "1.0", "sourceId": "[concat(resourceGroup().id, '/providers/Microsoft.OperationalInsights/workspaces/',parameters('LogAnalyticsWorkspaceName'))]", "category": "sentinel",