Create IncidentsPerDepartmentWorkbook

Workbooks/IncidentsPerDepartmentWorkbook

@@ -0,0 +1,87 @@
+{
+  "version": "Notebook/1.0",
+  "items": [
+    {
+      "type": 1,
+      "content": {
+        "json": "# Incidents Per Department",
+        "style": "error"
+      },
+      "name": "text - 2"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "let HostDept =\r\n    _GetWatchlist('VMsPerDepartment')\r\n    | project wl_name = tolower(trim(' ', tostring(coalesce(column_ifexists('name', ''), SearchKey)))),\r\n              department = tostring(column_ifexists('department', ''));\r\nlet Incidents =\r\n    SecurityIncident\r\n    | extend AlertIds = todynamic(AlertIds)\r\n    | mv-expand AlertId = AlertIds\r\n|extend AlertId = tostring(AlertId)\r\n    | project IncidentNumber, Title, Status, Severity, CreatedTime, AlertId;\r\nIncidents\r\n| join kind=leftouter (\r\n    SecurityAlert\r\n    | extend Entities = todynamic(Entities)\r\n    | mv-expand e = Entities\r\n    | extend host = tolower(\r\n                        trim(\r\n                            ' ',\r\n                            tostring(\r\n                                coalesce(\r\n                                    e.HostName,\r\n                                    e.Host,\r\n                                    e.DeviceName,\r\n                                    e.Machine,\r\n                                    e.AssetName,\r\n                                    e.FQDN,\r\n                                    e.DnsName,\r\n                                    CompromisedEntity\r\n                                )\r\n                            )\r\n                        )\r\n                    )\r\n    | where isnotempty(host)\r\n    | join kind=leftouter HostDept on $left.host == $right.wl_name\r\n    | where isnotempty(department)\r\n    | extend AlertId = tostring(SystemAlertId)  // <-- Cast to string\r\n    | project AlertId = SystemAlertId, department \r\n    ) on AlertId\r\n    | where isnotempty(department)\r\n    | summarize IncidentsCount = dcount(IncidentNumber) by department",
+        "size": 0,
+        "timeContext": {
+          "durationMs": 2592000000
+        },
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "barchart"
+      },
+      "name": "query - 3"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "let HostDept =\r\n    _GetWatchlist('VMsPerDepartment')\r\n    | project\r\n        wl_name = tolower(trim(' ', tostring(coalesce(column_ifexists('name', ''), SearchKey)))),\r\n        department = tostring(column_ifexists('department', ''));\r\nlet Incidents =\r\n    SecurityIncident\r\n    | extend AlertIds = todynamic(AlertIds)\r\n    | mv-expand AlertId = AlertIds\r\n    | extend AlertId = tostring(AlertId)\r\n    | project IncidentNumber, Title, Status, Severity, CreatedTime, AlertId, IncidentUrl;\r\nIncidents\r\n| join kind=leftouter (\r\n    SecurityAlert\r\n    | extend Entities = todynamic(Entities)\r\n    | mv-expand e = Entities\r\n    | extend host = tolower(\r\n                    trim(\r\n    ' ',\r\n    tostring(\r\n    coalesce(\r\n    e.HostName,\r\n    e.Host,\r\n    e.DeviceName,\r\n    e.Machine,\r\n    e.AssetName,\r\n    e.FQDN,\r\n    e.DnsName,\r\n    CompromisedEntity\r\n)\r\n)\r\n)\r\n                )\r\n    | where isnotempty(host)\r\n    | join kind=leftouter HostDept on $left.host == $right.wl_name\r\n    | where isnotempty(department)\r\n    | extend AlertId = tostring(SystemAlertId)  // <-- Cast to string\r\n    | project AlertId = SystemAlertId, department \r\n    )\r\n    on AlertId\r\n| where isnotempty(department)\r\n//| where Status == \"Closed\"\r\n| summarize arg_max(CreatedTime, Title, Status, Severity, IncidentUrl) by department, IncidentNumber",
+        "size": 0,
+        "timeContext": {
+          "durationMs": 2592000000
+        },
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "gridSettings": {
+          "sortBy": [
+            {
+              "itemKey": "CreatedTime",
+              "sortOrder": 2
+            }
+          ]
+        },
+        "sortBy": [
+          {
+            "itemKey": "CreatedTime",
+            "sortOrder": 2
+          }
+        ]
+      },
+      "name": "query - 4"
+    },
+    {
+      "type": 1,
+      "content": {
+        "json": "# Alerts Per Department",
+        "style": "warning"
+      },
+      "name": "text - 1",
+      "styleSettings": {
+        "showBorder": true
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "let HostDept =\r\n    _GetWatchlist('VMsPerDepartment')\r\n    | project wl_name = tolower(trim(' ', tostring(coalesce(column_ifexists('name',''), SearchKey)))),\r\n              department = tostring(column_ifexists('department',''));\r\nSecurityAlert\r\n| extend Entities = todynamic(Entities)\r\n| mv-expand e = Entities\r\n| extend host = tolower(trim(' ', tostring(coalesce(\r\n        e.HostName, e.Host, e.DeviceName, e.Machine, e.AssetName, e.FQDN, e.DnsName, CompromisedEntity\r\n))))\r\n| where isnotempty(host)\r\n| join kind=leftouter HostDept on $left.host == $right.wl_name\r\n| where isnotempty(department)\r\n| summarize AlertsCount = count() by department\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n",
+        "size": 0,
+        "timeContext": {
+          "durationMs": 2592000000
+        },
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "barchart"
+      },
+      "name": "query - 2"
+    }
+  ],
+  "fallbackResourceIds": [
+    "/subscriptions/65c959c3-fcac-4ebc-966b-98754151cef0/resourcegroups/rg-tier0-la-zan/providers/microsoft.operationalinsights/workspaces/la-prod-tier0-zan"
+  ],
+  "fromTemplateId": "sentinel-UserWorkbook",
+  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}