From 07bebdb806b7673449a3e8d55d8fd7b3bf38deb7 Mon Sep 17 00:00:00 2001
From: v-atulyadav <104008048+v-atulyadav@users.noreply.github.com>
Date: Thu, 7 Sep 2023 12:01:45 +0530
Subject: [PATCH] update zip for branding validation
---
 Solutions/KQL Training/Package/3.0.0.zip | Bin 116462 -> 116461 bytes
 .../KQL Training/Package/mainTemplate.json | 2 +-
 .../KQL Training/Workbooks/IntrotoKQL.json | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Solutions/KQL Training/Package/3.0.0.zip b/Solutions/KQL Training/Package/3.0.0.zip index 6cf0eee4013c0f3b91d6d1b28b9f38d05602ba20..7b8bb88892f64c45a2b1e818fd41394a15d1e935 100644 GIT binary patch delta 2500 zcmV;#2|M=gjR) z7nITPREDZX^6T)qDw}4Qc?rKxe|(8@TU~=a{fWBf#d#KsBoWwtWHDZPxuo=lxS2I)AZJH&Sl+OJ2JbR~NU0zyS92a`>9xE^CC7VN74;E0 znY>D+c@rzV1+WW$^bB2L_!Fss!%VXr=nc4#4t&0dyR1_!W6(t#6#AypOZSX3)ycPO ziY_&`J6pp1RVQn24qW}I32a{&+9oubDLM58)SaQyfOx4Cj^^Hd!2!+zs zibc$CR13)%>+6S)ci@G6Q9>>O;kGNlR~PQz#XfH3LWBWtV`$!cJMnRroEifC9drJ$~_R+q2EB(WA z(aOj|EU#?*P^-Mb!^g2a81Qej|LYN}@*1&N7Wwagx*|{+BzpXlNIqP*PPm&s3&Pft zv9?R8%QGj&!J%=Zp5ER*>}W}ZP-Xw8M6w>DPQYxAbygstS77xiae2;Qw*gZ|8+1;o z(rPQ*N!DELe=51n+b??|BV^SQJ!4F(mYN9XWtOycLs?wCM7e@rV>$}-;i#bRT9 z(FKctFYn2^wbZS%bQ@Vn8^NyW-^wT144`EjKUYUWniBE{a4L!C21adU_U>C#-J6w! zG1gdB<04;9XRj!^l8~?W&AO?akoa8(t8Ww+J|+;vi}GUxDYX6vSAk*AM=;j4@{MtC z)2R~WZtLAggiO;BsXmDs|3{*p3)Q+ei2~_=JR|NryI|D?3e@8G;LF29bS^7Db0cx7 zPRUrC6D68ebczDgJE-pNi7{oD{ETivletcPKyeHz*8~5qgRa=~Q1($`j^mHf5hrF) zolTKPX%6_?#)%AtuftiHRD0sGM{7`Y4_03@=McSmdaQjDQ6s@1O=D6gb+2y5*2>I( zw$yd4>;kFyn)ng9?vHc}xroaqtLT$i1jBaE!=^69#dmd8m!C)qUSUE$`mCqY=`2D0 zb(ixyb?{XD)z!h1ewDYlfWcoBu>Y{S-fpt~b?Y~cBvL}q9A4Bh z`QwIrZ74R%O~PcAxcwCAKt<7ebuL|hq0vT;R5JZmj=h^suJ?A^>*Te%bkp{F3su|= zy{_M)w^ebUCf?+U1_J0b!fY1jOROoitjKlB47$e=eX3J(z^hxWWl%(=;w2;Fhn!(px=-VHPv!sPbfqpzlznFQP!JF)37jz=E&*bMo^G9640bOMis$u3788bzdkk!*^^rNvSxX6_7|)^Dlj zKvJd;zF;s*o-n8_j+U80fp>i0?pfE~8#Suz(J|ox>lVk>pbd4fYoMTi=|cw#v><^g zrw4<#?*~I8OI8x2v5|VV01Ml&ccfNR0}uPWp?f_$fXZ`&eWzZLF>+KBYRfW7y8>UM zw|@8arIr*FSF5wm>{`ePcTDssUoGTh2X5+zsco__woH$s$KDGA)8&CX_L%E9ZeO{f zn>9jqtH0AI0iw80zw4=g=Y!Jl4Ne}#N{oNmEF+>mLa)HueXVTT7ky{?sT6@RE%0Es z`of}^XK{7h!OgZeu_P2!YXV@g7W(nD*HDj2t)=G-?UL@68IE^-I;i$xz z4a2FMtcQXUU-!RiVqPxy>t3sq`i=LA(iE*)kbY>fNtkkT9NUS1>AALRMxN)GF}KE{ zA6OI5N_*I@|AcN2%YDD$s=i0f+hXrzr3J5WTYarEfna+K;w?+7@I;teXfL7tP6nO? 
zZ|Hp}1xb#L9XW5CI{=^T<96B>ft+xh2Eo`d-N3^#WUwqp&crt3aU4ye3En8=-A$lO z6coMukXOs{Bfsu{Bh}Ak-b18sWMLKK8`xC;e|uNA+cXS??~!pETfJU!aiqbg75b5!NIg(}bDK2>>4y7`_sPgjcP;qia}Cz3zUTFD=s!OWrU)3(|_ zl=iW++Xs_WLY&t)ptO(k9z3MkdrfeZ_Bl%XI2vD`^TFkc@m>D%2vnmtVvI9DhkedqygB zbI1s`w3RA*$2@Epkl&k&Kc#g;^G_L znW550iolcOO`gbTk5!hXEb)kix6mpDN}`B86SX3!R5ojSMb7snA;kB5?un93s(H_Z zdN5~si!sHRDp)VI_?Ad9_Yj-BAxp%R2vgxt7_Bi)>99KsA#?Hkq{mrlk3R}Cj%Cs%#B8iTyP0RY&S Ovc>^622;iX00015D)ILK delta 2535 zcmVmjAb^7B=l-cSUZ0S$bH80MySR{zR)+3AY!pkM4cHnpf z3^t#0R?=-FRng-2*OVRc&&I8+IRhCxn#0nD#WQ%90Yo|lQMj7(I7_eP9V$8A$*L%i zh{@zND$QG1;VpoFU7%O!3PYbr0UTzU>HYMcieZY8itb+Mvugm0h}LjHyn% zT~lzWxz*Vc=C3+Ydvnn0PfcF?!qE1h(M-pwH^F2T+%~!5Ms2WfH!ptolJ=bu+{Eux z@BH@}mfX$+(1U>He>pmTr4qva_E!1w>Hh8Gd4Io{y6f4TO<*US*lB8daTJ>@Onula*qlcb$Mq+>Y=?god){G- z$la5bB2x%|Q%=M(E&|tubhZki+Hsq={i&^5F_jt~6`vUI*qEVUAo?C7X5p(L% z<7UWBEwKbsZ!m|nX@WoB0G}wW(I{`KU($;k8S{}U9*lxK!#ZF#AorFQuI(dz^)~v4 z<)W31g;-wM^r2RHg9ndec_`rDXz$k}R^>Hfu`Kd`-*rWx5=iv;Cy{u#Zk=#9eHMhR zC1Y)OQkQ2=jDthtMm@c~eb~{G2%*aUPl;qbM4f!u9P6w=K(D~+Q{wWR!A=9Fj5g?; z(xlZkxRa>4+W%B?o3~%~LPp4{C3?k}RxLFV&dV%m>xQzpdWmuczs7Xfd6i|n^^3*E z+M)}87GK_zb!(|xXX!RFkT!x{)4!EVvKc_jHh!*-gES@N58zZ1&kc;)$m-pVgWoX%cRVkIG8@0oQ|IU(`84piSLE__TNh!^F@2vTVM53T~ko{wOhYvmi` z-lkI}%H7txj|iEjBT{`5HU5u8Jr}BVZxRK6(s@SQd3M373lylu@xhmehv-;VKITT! 
zQk{;mHXlkftLOv;rgl)x-4kQVF8LYVfF|>t`hemXRGtU^T?bsT=b`MQ#2m*TqZ3Zd zpgNl(kJ23Qw~Z4S3SWn_GO6~&WslaN=nkyDX3imc^z>N!CZa}y0h-37PU>FWY^{}l znQf`-TA2k>@ip-y^4uTk7IG1nO;*t-GYE$5o`+3cii_{+sxCi~6uiP@eDqgOrNdc* z`s*&|ck1A&_^YdfC;cjKaRGzBC}96xKYmB`jm6;V_s>e&L%rQ({p;3m8VRI?pgFv# z5jLRZ^T8l*=?j_@#_IKFGakz$P8Tu+*a(g#WidC=GepN_ zLI0BWrQ>9+*qNw8?+vCnR8NZNE+2(|3Y2wD0Pg1d!=<-+48tsD&{5^c5<%ao>{y*pKuNNC zwu7SGj?LrVH}S;@Ua>4iDf#N8t4Qb3zJ=rJ2VPN|03BG3rmZoP|VyJHm%=M z&w->&A9}%HmONchTO2JjgM#k(zTLB~yEkf7*rOxD1J*5!tw9^=P}e|zLDL5g7HB~N zQ%(;CZ{H7wMwYB3MPnoNYylRwVed$-rUoANc|-SlZUB|%2K!FEB4gyJCe)TCl6D2Y zMsNM@>q{*uD6Up#o!PaB6YiMkQNCKl$qwAq4^!J@VQiTmM~}T12BymcckD6OaooOA zLpN)L>{frLQT{`5oqpGUQ_BaX;TxPhij^4uvROhzeS}_twfkDxv@iP3^HUiDV_M*$ zZuNylG0)=axPzN*Z(&o?-s13B$<>SGRL-zTM9mViO>4$5VXc)E>%B;-wQw43*1}Oq zF&l=6nm5JX$w~`e;kNo(WdXtV7{ptaRpE&+wa{Kd`<)Ct z3Et5APzsV98#{8|HuwKM*~iVaEdn{=I1PfaW4eKdCCFe|j+}{Y#^X4eL=(JC$h(_B znJ6ZD`5~{C(jQ{ zKa};cGusD~6hfTWIH0VL^Bz2;*?UcJl=V5v`ZyY2p7X)(eyTOa{~w&JPrpOSvUisC zvC1RJt526P^)c+6AnRk4oiNtOQuiq9b0H*XS`(+J`rKB0#4TX+WyrOL2GR*0+VddS zcpFy8{g(#B0XiPHS@O_z6~=TF@L@DdVr1-VxGwy11CWe-Tq@Kes+V5G0UUopLwiOl zbaO}uwv?4Bd&eAX7?9tjd4+t0zkmJ;>d%O*;5vKU@>3%tzg%gS!A}WoX3iPqvD)Gr z-kG7&M~b|Y<4vB(Xn$3fr7Z7=g}2Zu1^*Af05|CbG8n(zDgm z(cF8{p5^juB8`*I4c2f#z}Z1!^Os4*0W}L^7*d>h3qe~wGi8^F#Q{=(rrLM_HwALq zrCB{e*}U84_!-YU9oBw_3Y?$)3yb~wp(~WhHZVJ1FdAC23?L`F=JO}dyVyzr%zo2a zz5b(KR3!dv-n8B#b+JW)FI1oeXV=R;=FR~!bSkOWN`7stcc_HixPl|yoNFAy3{>qK x)*F2M2>$*6P)h*<6aW;LTE+oN4XRxyS6MJ`ZoR$%0MwVU#sM}4RK@`S001X*2A%)_ diff --git a/Solutions/KQL Training/Package/mainTemplate.json b/Solutions/KQL Training/Package/mainTemplate.json index 2bc264955f6..6c8ad20b018 100644 --- a/Solutions/KQL Training/Package/mainTemplate.json +++ b/Solutions/KQL Training/Package/mainTemplate.json 
@@ -166,7 +166,7 @@ }, "properties": { "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"345358d7-fa59-4e01-80ff-fd274e78d073\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"github\",\"label\":\"Github Repository\",\"type\":1,\"description\":\"This is the github repository we will use. Generally you won't change this\",\"isRequired\":true,\"isGlobal\":true,\"value\":\"Azure/Azure-Sentinel/master/Tools/IntrotoKQL\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"1b617550-b934-46a2-9a71-e48ef40aab00\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AllExercises\",\"type\":1,\"query\":\"externaldata (tab:string, section:string, exercises:dynamic, markdown:string) [\\r\\n @'https://raw.githubusercontent.com/{github}/all_exercises.json'\\r\\n] with (format=\\\"multijson\\\")\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e397ee05-93c3-42be-9560-80bc6b6bc178\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"json\",\"type\":1,\"query\":\"{\\\"version\\\":\\\"CustomEndpoint/1.0\\\",\\\"method\\\":\\\"GET\\\",\\\"url\\\":\\\"https://raw.githubusercontent.com/{github}/all_exercises.json\\\",\\\"contentType\\\":\\\"text/plain\\\",\\\"ignoreStandardHeaders\\\":true}\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"multiLineText\":true,\"editorLanguage\":\"json\"},\"queryType\":10},{\"id\":\"451a0851-dea1-4c88-886a-ed9736612ccb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AllDatasets\",\"type\":1,\"isGlobal\":true,\"query\":\"externaldata (tables:string) [\\r\\n@\\\"https://raw.githubusercontent.com/{github}/Datasets/all_datasets.json\\\"\\r\\n]\\r\\nwith 
(format=\\\"multijson\\\")\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":10},\"name\":\"parameters - 16\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"ccd64330-9dc6-4388-b618-d20767f2f962\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Welcome\",\"subTarget\":\"Welcome\",\"style\":\"link\"},{\"id\":\"589778dd-4b96-4c61-a58c-eb32f5e43c41\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"Overview\",\"style\":\"link\"},{\"id\":\"09338df5-091b-46d4-9fee-63b69cb4ee76\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Scalar Operators\",\"subTarget\":\"Scalar\",\"style\":\"link\"},{\"id\":\"e536ef91-d9ea-413f-96dd-357b47ac21fb\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Advanced Aggregations\",\"subTarget\":\"Advanced\",\"style\":\"link\"},{\"id\":\"f7f6fefd-09cc-4c02-8b94-071d85ee892a\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Dataset Operators\",\"subTarget\":\"Dataset\",\"style\":\"link\"},{\"id\":\"14e62080-54b6-4194-b7e5-d5bcb22d4621\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"External Data\",\"subTarget\":\"External\",\"style\":\"link\"},{\"id\":\"7cdfef8c-7c30-4c46-9d6e-0c6f91d0886e\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"String Operators\",\"subTarget\":\"String\",\"style\":\"link\"},{\"id\":\"2e2c5a51-b3cc-4812-9235-bf1da9c42ed7\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Anomaly Operators\",\"subTarget\":\"Anomalies\",\"style\":\"link\"},{\"id\":\"084b5b60-1666-4d85-a580-cc37bcd17027\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Misc. 
Operators\",\"subTarget\":\"Misc\",\"style\":\"link\"}]},\"name\":\"links - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Welcome!\"},\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Summary\\r\\nWelcome to the Intro to KQL workbook. This workbook has been developed to assist new and existing users learn and grow in the Kusto Query Language (KQL). The goal of this workbook is to introduce the most commonly used KQL operators that are relevant to Microsoft Sentinel. By the end of the workbook, your knowledge will be at a 200 level.
\\r\\n\\r\\nThis workbook will be a living resource in that it will continue to be improved over time based on feedback, requests, and newly introduced scenarios. The version of this workbook is currently V1.1.\\r\\n

\\r\\n\\r\\n### Structure\\r\\nThis workbook is comprised of multiple tabs. Each tab contains several key items:\\r\\n- Operator: choose an operator to study.\\r\\n- Exercise: choose an exercise to practice.\\r\\n- Data type: corresponds to the data table that is being used in the exercise.\\r\\n- Answer: decide if you would like to to see the answer.\\r\\n- Summary: details about the operator that has been selected.\\r\\n- Example: samples of how a real query would look like with the selected operator.\\r\\n- When to use: advice around when the selected operator is used with Microsoft Sentinel.\\r\\n\\r\\n#### Exercise Space\\r\\nThe exercise area is made up of 6 main items:\\r\\n- Question: selected exercise to perform.\\r\\n- Answer space: location where you will enter your answer.\\r\\n- Expected answer: the expected answer that you are attempting to achieve.\\r\\n- Your answer: the results from the query you have written.\\r\\n- Answer Checker: lists if the answer you have entered is correct or not.\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Workflow\\r\\n\\r\\n1. Select a tab to navigate.\\r\\n2. Choose an operator to practice.\\r\\n3. Select an exercise to attempt.\\r\\n4. Enter your answer and confirm if it is correct. If not, reference documentation and content until correct.\\r\\n5. 
Move on to another operator or attempt other exercises for that operator.\\r\\n\\r\\n### Helpful Links\\r\\n\\r\\n**KQL Public Documentation:** https://docs.microsoft.com/azure/data-explorer/kusto/query/\\r\\n\\r\\n**Pluralsight KQL Course:** https://www.pluralsight.com/courses/kusto-query-language-kql-from-scratch\\r\\n\\r\\n**KQL CheatSheet:** https://techcommunity.microsoft.com/t5/azure-data-explorer-blog/azure-data-explorer-kql-cheat-sheets/ba-p/1057404\\r\\n\\r\\n**Log Analytics Demo Environment:** https://aka.ms/lademo\\r\\n\\r\\n**Microsoft Sentinel Compiled Level 400 Training:** https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-ninja-the-complete-level-400/ba-p/1246310\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Welcome\"},\"name\":\"Welcome\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"1ad61717-0dd7-430b-a948-cef2d3618738\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Section\",\"label\":\"Select Section\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"print tab = todynamic({json:value})\\r\\n| mvexpand parse_json(tab)\\r\\n| evaluate bag_unpack(tab)\\r\\n| where tab == \\\"{Tab}\\\"\\r\\n| distinct section\\r\\n| serialize Rank = row_number()\\r\\n| project value = section, label = section, selected = iff(Rank == 1, true, false)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\"},{\"id\":\"0c106e37-c059-4b2b-a80d-c4119629d1a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Exercise\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"print tab = todynamic({json:value})\\r\\n| mvexpand parse_json(tab)\\r\\n| evaluate bag_unpack(tab)\\r\\n| where section == \\\"{Section}\\\" and tab == \\\"{Tab}\\\"\\r\\n| mvexpand 
exercises=(exercises.value)\\r\\n| evaluate bag_unpack(exercises)\\r\\n| extend packed = pack_all()\\r\\n| serialize Rank = row_number()\\r\\n| project\\r\\n value = tostring(packed),\\r\\n label = name,\\r\\n selected = iff(Rank == 1, true, false)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b2ae8bac-db12-4c75-8d3e-42c002d288d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Dataset\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"let exercise = todynamic(\\\"{Exercise:escapejson}\\\");\\r\\nlet dataset = iff( isempty(exercise.dataset), \\\"Weather\\\", exercise.dataset);\\r\\ndatatable(tables:string)[\\\"{AllDatasets:escapejson}\\\"]\\r\\n| mvexpand todynamic(tables)\\r\\n| evaluate bag_unpack(tables)\\r\\n| extend kql = base64_decode_tostring(kql_reference)\\r\\n| serialize Rank = row_number()\\r\\n| project value = kql, label = name, selected = iff(name == dataset, true, false)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::1\"],\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2f5c56e7-dee3-46e7-b699-e331079e1d47\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Question\",\"type\":1,\"isGlobal\":true,\"query\":\"print(todynamic(\\\"{Exercise:escapejson}\\\").question)\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e5be7ed3-5eed-4b66-9db7-a0c2c132783b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Answer\",\"type\":1,\"isGlobal\":true,\"query\":\"let answer = 
todynamic(\\\"{Exercise:escapejson}\\\").answer;\\r\\nprint(base64_decode_tostring(tostring(answer)))\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"d4ecbbf3-25a0-4130-bc7d-50edead67b01\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Markdown\",\"type\":1,\"query\":\"let markdown = todynamic(\\\"{Exercise:escapejson}\\\").markdown;\\r\\nprint(base64_decode_tostring(tostring(markdown)))\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4c94574f-3e3d-4d73-bed8-3eeebed298d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ShowDoc\",\"label\":\"Show Documentation\",\"type\":10,\"isRequired\":true,\"isGlobal\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\" : true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\": false}\\r\\n]\",\"value\":\"No\"},{\"id\":\"ad9dc5ed-16a0-4157-88a2-bfe937e34e3a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ShowAnswer\",\"type\":10,\"isRequired\":true,\"isGlobal\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\" : false},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\": true}\\r\\n]\",\"label\":\"Show Answer\"},{\"id\":\"4f9a31b5-1f75-42af-85a7-c96af37a0d0c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LetDetected\",\"type\":1,\"query\":\"let result = iff(\\\"{Section}\\\" in ('Let','Union', 'Parse', 'Materialize', 'Function'), true, false);\\r\\nprint(result)\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Error\",\"label\":\"Seeing 
Error\",\"type\":10,\"isRequired\":true,\"isGlobal\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\" : false},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\": true}\\r\\n]\",\"id\":\"9edc3ceb-a3a7-42bd-8ce1-e7ad666934e4\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"customWidth\":\"100\",\"name\":\"parameters - 4 - Copy\"},{\"type\":1,\"content\":{\"json\":\"## Fixing the Error\\r\\n\\r\\nThe error you are seeing is due to workbooks in Azure requiring external data sources to be marked as trusted. As this workbook pulls all of its content from GitHub, the repository must be marked as trusted. This is on a user session level and cannot be set within the workbook template. To fix the error:\\r\\n\\r\\n1. Go into edit mode.\\r\\n2. Under the hidden parameters at the top of the page, click edit.\\r\\n3. Check the box next to json.\\r\\n4. Click on the edit pencil icon.\\r\\n5. Click 'run query'.\\r\\n6. Click 'mark as trusted'.\\r\\n7. Click save.\\r\\n8. Exit edit mode.\\r\\n\\r\\nThe error should be gone and the content will be loaded.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Error\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"The Kusto Query Language is the query language of choice within Azure Sentinel, Azure Log Analytics, and Azure Data Explorer. Kusto is similar to SQL in syntax and logic. The basic structure of Kusto appears as so:\\r\\n\\r\\nTable | operator clause/predicate\\r\\n\\r\\nThe table will specify which logs will be queried. 
The operator will dictate what type of filter, action, etc.\",\"style\":\"success\"},\"conditionalVisibilities\":[{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Overview\"},{\"parameterName\":\"ShowDoc\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"}],\"name\":\"Welcome\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## {Section} - Exercise: {Exercise:label}\\r\\n\\r\\n{Markdown}\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"ShowDoc\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"markdown\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"name\":\"NotWelcome\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

\\r\\n![Question](https://shields.io/badge/-Question-informational)\\r\\n
{Question}\\r\\n

\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"name\":\"text - 9\"},{\"type\":1,\"content\":{\"json\":\"

Answer

\\r\\n\\r\\n```\\r\\n{Answer}\\r\\n```\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"ShowAnswer\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"markdown - Copy\"}]},\"customWidth\":\"50\",\"name\":\"Question\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"341ea875-d1ff-4cbc-a9f6-421eeb82368c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Query\",\"type\":1,\"description\":\"Enter KQL query here to answer\",\"isRequired\":true,\"isGlobal\":true,\"typeSettings\":{\"multiLineText\":true,\"editorLanguage\":\"kql\",\"multiLineHeight\":7},\"criteriaData\":[{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"{Dataset:label} | limit 10\"}}],\"timeContext\":{\"durationMs\":86400000},\"label\":\"Put your answer here\"}],\"style\":\"formVertical\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"customWidth\":\"50\",\"name\":\"QueryControl\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Results\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let {Dataset:label} = () {{Dataset}};\\r\\n{Answer}\",\"size\":1,\"title\":\"Expected Results\",\"noDataMessage\":\"Had trouble producing the expected answer\",\"noDataMessageStyle\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":500}},\"customWidth\":\"40\",\"conditionalVisibilities\":[{\"parameterName\":\"Stack\",\"comparison\":\"isNotEqualTo\",\"value\":\"Vertical\"},{\"parameterName\":\"Section\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"Exercise\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"HTarget\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let {Dataset:label} = 
() {{Dataset}};\\r\\n{Query}\",\"size\":1,\"title\":\"Your answer\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Error\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"90%\"}},{\"columnMatch\":\"code\",\"formatter\":5},{\"columnMatch\":\"message\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"90%\"}}],\"rowLimit\":500},\"customWidth\":\"45\",\"conditionalVisibilities\":[{\"parameterName\":\"Stack\",\"comparison\":\"isNotEqualTo\",\"value\":\"Vertical\"},{\"parameterName\":\"Section\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"Exercise\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"HResult\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let get_table_hash = (t:(*)) {\\r\\n t\\r\\n | project packed = pack_all()\\r\\n | summarize list = make_list(packed)\\r\\n | project hashvalue = hash(tostring(list))\\r\\n};\\r\\nlet check_tables_match = (table1:(*), table2:(*)) {\\r\\n get_table_hash(table1)\\r\\n | join get_table_hash(table2) on hashvalue\\r\\n | project match = iff(hashvalue == hashvalue1, true, false)\\r\\n};\\r\\nlet {Dataset:label} = () {{Dataset}};\\r\\nlet answer = {Query};\\r\\nlet correctAnswer = {Answer};\\r\\ncheck_tables_match(answer, correctAnswer)\",\"size\":4,\"noDataMessage\":\"Answer does not seem to be correct\",\"noDataMessageStyle\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"match\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"success\",\"text\":\"Answer is 
Correct\"}]}}],\"rowLimit\":500},\"graphSettings\":{\"type\":0}},\"customWidth\":\"15\",\"conditionalVisibilities\":[{\"parameterName\":\"Query\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},{\"parameterName\":\"Answer\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"LetDetected\",\"comparison\":\"isEqualTo\"}],\"name\":\"Result\"},{\"type\":1,\"content\":{\"json\":\"This exercise includes use of a let statement which cannot be evaluated. Please manually validate if your answer matches the expected results\",\"style\":\"warning\"},\"customWidth\":\"15\",\"conditionalVisibility\":{\"parameterName\":\"LetDetected\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"name\":\"Results\"},{\"type\":1,\"content\":{\"json\":\"Set the path to the Advanced KQL workbook in your environment.
\\r\\n\\r\\nNote: If nothing is within the drop-down, you do not have the workbook deployed in your environment. You can find the workbook within the workbook gallery.\",\"style\":\"info\"},\"conditionalVisibilities\":[{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"String\"},{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Anomalies\"},{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Misc\"}],\"customWidth\":\"50\",\"name\":\"text - 11\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"ed7e252c-2ae9-4be5-9e80-267b0274a9d9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AdvancedKQLWorkbookPath\",\"type\":2,\"query\":\"resources\\r\\n| where type == \\\"microsoft.insights/workbooks\\\"\\r\\n| where properties.displayName has 'advanced KQL for microsoft sentinel'\\r\\n| extend path = trim('[]', id)\\r\\n| project path\\r\\n| take 1\",\"crossComponentResources\":[\"value::selected\"],\"value\":\"\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"name\":\"parameters - 10\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"173f69f1-a9c0-4ebc-a497-3e7354a32236\",\"cellValue\":\"{AdvancedKQLWorkbookPath}\",\"linkTarget\":\"Resource\",\"linkLabel\":\"Advanced KQL Framework\",\"subTarget\":\"Workbook\",\"preText\":\"If you would like to study more advanced 
topics:\",\"style\":\"primary\",\"linkIsContextBlade\":true,\"workbookContext\":{\"componentIdSource\":\"parameter\",\"componentId\":\"AdvancedKQLPath\",\"resourceIdsSource\":\"parameter\",\"resourceIds\":\"AdvancedKQLPath\",\"templateIdSource\":\"parameter\",\"templateId\":\"AdvancedKQLPath\",\"typeSource\":\"workbook\",\"gallerySource\":\"workbook\",\"locationSource\":\"default\"}},{\"id\":\"690a89fe-5c1d-4313-b442-ce059670840f\",\"cellValue\":\"https://aka.ms/lademo\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"ALA Demo\",\"preText\":\"If you would like to test any of the lessons learned, you can use the ALA Demo workspace here: \",\"style\":\"primary\",\"linkIsContextBlade\":true,\"bladeOpenContext\":{\"bladeName\":\"DemoLogsBlade\",\"extensionName\":\"Microsoft_Azure_Monitoring_Logs\"}},{\"id\":\"295f7752-374b-4680-b281-c5cb8b83d384\",\"cellValue\":\"https://aka.ms/introtokqlsurvey\",\"linkTarget\":\"Url\",\"linkLabel\":\"Feedback Form\",\"preText\":\"If you would like to submit feedback for this solution, please click on the form link here: \",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"customWidth\":\"50\",\"name\":\"links - 9\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"IntrotoKQL\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"345358d7-fa59-4e01-80ff-fd274e78d073\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"github\",\"label\":\"Github Repository\",\"type\":1,\"description\":\"This is the github repository we will use. 
Generally you won't change this\",\"isRequired\":true,\"isGlobal\":true,\"value\":\"Azure/Azure-Sentinel/master/Tools/IntrotoKQL\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"1b617550-b934-46a2-9a71-e48ef40aab00\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AllExercises\",\"type\":1,\"query\":\"externaldata (tab:string, section:string, exercises:dynamic, markdown:string) [\\r\\n @'https://raw.githubusercontent.com/{github}/all_exercises.json'\\r\\n] with (format=\\\"multijson\\\")\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e397ee05-93c3-42be-9560-80bc6b6bc178\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"json\",\"type\":1,\"query\":\"{\\\"version\\\":\\\"CustomEndpoint/1.0\\\",\\\"method\\\":\\\"GET\\\",\\\"url\\\":\\\"https://raw.githubusercontent.com/{github}/all_exercises.json\\\",\\\"contentType\\\":\\\"text/plain\\\",\\\"ignoreStandardHeaders\\\":true}\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"multiLineText\":true,\"editorLanguage\":\"json\"},\"queryType\":10},{\"id\":\"451a0851-dea1-4c88-886a-ed9736612ccb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AllDatasets\",\"type\":1,\"isGlobal\":true,\"query\":\"externaldata (tables:string) [\\r\\n@\\\"https://raw.githubusercontent.com/{github}/Datasets/all_datasets.json\\\"\\r\\n]\\r\\nwith (format=\\\"multijson\\\")\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":10},\"name\":\"parameters - 
16\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"ccd64330-9dc6-4388-b618-d20767f2f962\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Welcome\",\"subTarget\":\"Welcome\",\"style\":\"link\"},{\"id\":\"589778dd-4b96-4c61-a58c-eb32f5e43c41\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"Overview\",\"style\":\"link\"},{\"id\":\"09338df5-091b-46d4-9fee-63b69cb4ee76\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Scalar Operators\",\"subTarget\":\"Scalar\",\"style\":\"link\"},{\"id\":\"e536ef91-d9ea-413f-96dd-357b47ac21fb\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Advanced Aggregations\",\"subTarget\":\"Advanced\",\"style\":\"link\"},{\"id\":\"f7f6fefd-09cc-4c02-8b94-071d85ee892a\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Dataset Operators\",\"subTarget\":\"Dataset\",\"style\":\"link\"},{\"id\":\"14e62080-54b6-4194-b7e5-d5bcb22d4621\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"External Data\",\"subTarget\":\"External\",\"style\":\"link\"},{\"id\":\"7cdfef8c-7c30-4c46-9d6e-0c6f91d0886e\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"String Operators\",\"subTarget\":\"String\",\"style\":\"link\"},{\"id\":\"2e2c5a51-b3cc-4812-9235-bf1da9c42ed7\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Anomaly Operators\",\"subTarget\":\"Anomalies\",\"style\":\"link\"},{\"id\":\"084b5b60-1666-4d85-a580-cc37bcd17027\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Misc. Operators\",\"subTarget\":\"Misc\",\"style\":\"link\"}]},\"name\":\"links - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Welcome!\"},\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Summary\\r\\nWelcome to the Intro to KQL workbook. 
This workbook has been developed to assist new and existing users learn and grow in the Kusto Query Language (KQL). The goal of this workbook is to introduce the most commonly used KQL operators that are relevant to Microsoft Sentinel. By the end of the workbook, your knowledge will be at a 200 level.
\\r\\n\\r\\nThis workbook will be a living resource in that it will continue to be improved over time based on feedback, requests, and newly introduced scenarios. The version of this workbook is currently V1.1.\\r\\n

\\r\\n\\r\\n### Structure\\r\\nThis workbook is comprised of multiple tabs. Each tab contains several key items:\\r\\n- Operator: choose an operator to study.\\r\\n- Exercise: choose an exercise to practice.\\r\\n- Data type: corresponds to the data table that is being used in the exercise.\\r\\n- Answer: decide if you would like to to see the answer.\\r\\n- Summary: details about the operator that has been selected.\\r\\n- Example: samples of how a real query would look like with the selected operator.\\r\\n- When to use: advice around when the selected operator is used with Microsoft Sentinel.\\r\\n\\r\\n#### Exercise Space\\r\\nThe exercise area is made up of 6 main items:\\r\\n- Question: selected exercise to perform.\\r\\n- Answer space: location where you will enter your answer.\\r\\n- Expected answer: the expected answer that you are attempting to achieve.\\r\\n- Your answer: the results from the query you have written.\\r\\n- Answer Checker: lists if the answer you have entered is correct or not.\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Workflow\\r\\n\\r\\n1. Select a tab to navigate.\\r\\n2. Choose an operator to practice.\\r\\n3. Select an exercise to attempt.\\r\\n4. Enter your answer and confirm if it is correct. If not, reference documentation and content until correct.\\r\\n5. 
Move on to another operator or attempt other exercises for that operator.\\r\\n\\r\\n### Helpful Links\\r\\n\\r\\n**KQL Public Documentation:** https://docs.microsoft.com/azure/data-explorer/kusto/query/\\r\\n\\r\\n**Pluralsight KQL Course:** https://www.pluralsight.com/courses/kusto-query-language-kql-from-scratch\\r\\n\\r\\n**KQL CheatSheet:** https://techcommunity.microsoft.com/t5/azure-data-explorer-blog/azure-data-explorer-kql-cheat-sheets/ba-p/1057404\\r\\n\\r\\n**Log Analytics Demo Environment:** https://aka.ms/lademo\\r\\n\\r\\n**Microsoft Sentinel Compiled Level 400 Training:** https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-ninja-the-complete-level-400/ba-p/1246310\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Welcome\"},\"name\":\"Welcome\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"1ad61717-0dd7-430b-a948-cef2d3618738\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Section\",\"label\":\"Select Section\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"print tab = todynamic({json:value})\\r\\n| mvexpand parse_json(tab)\\r\\n| evaluate bag_unpack(tab)\\r\\n| where tab == \\\"{Tab}\\\"\\r\\n| distinct section\\r\\n| serialize Rank = row_number()\\r\\n| project value = section, label = section, selected = iff(Rank == 1, true, false)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\"},{\"id\":\"0c106e37-c059-4b2b-a80d-c4119629d1a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Exercise\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"print tab = todynamic({json:value})\\r\\n| mvexpand parse_json(tab)\\r\\n| evaluate bag_unpack(tab)\\r\\n| where section == \\\"{Section}\\\" and tab == \\\"{Tab}\\\"\\r\\n| mvexpand 
exercises=(exercises.value)\\r\\n| evaluate bag_unpack(exercises)\\r\\n| extend packed = pack_all()\\r\\n| serialize Rank = row_number()\\r\\n| project\\r\\n value = tostring(packed),\\r\\n label = name,\\r\\n selected = iff(Rank == 1, true, false)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b2ae8bac-db12-4c75-8d3e-42c002d288d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Dataset\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"let exercise = todynamic(\\\"{Exercise:escapejson}\\\");\\r\\nlet dataset = iff( isempty(exercise.dataset), \\\"Weather\\\", exercise.dataset);\\r\\ndatatable(tables:string)[\\\"{AllDatasets:escapejson}\\\"]\\r\\n| mvexpand todynamic(tables)\\r\\n| evaluate bag_unpack(tables)\\r\\n| extend kql = base64_decode_tostring(kql_reference)\\r\\n| serialize Rank = row_number()\\r\\n| project value = kql, label = name, selected = iff(name == dataset, true, false)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::1\"],\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2f5c56e7-dee3-46e7-b699-e331079e1d47\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Question\",\"type\":1,\"isGlobal\":true,\"query\":\"print(todynamic(\\\"{Exercise:escapejson}\\\").question)\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e5be7ed3-5eed-4b66-9db7-a0c2c132783b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Answer\",\"type\":1,\"isGlobal\":true,\"query\":\"let answer = 
todynamic(\\\"{Exercise:escapejson}\\\").answer;\\r\\nprint(base64_decode_tostring(tostring(answer)))\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"d4ecbbf3-25a0-4130-bc7d-50edead67b01\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Markdown\",\"type\":1,\"query\":\"let markdown = todynamic(\\\"{Exercise:escapejson}\\\").markdown;\\r\\nprint(base64_decode_tostring(tostring(markdown)))\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4c94574f-3e3d-4d73-bed8-3eeebed298d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ShowDoc\",\"label\":\"Show Documentation\",\"type\":10,\"isRequired\":true,\"isGlobal\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\" : true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\": false}\\r\\n]\",\"value\":\"No\"},{\"id\":\"ad9dc5ed-16a0-4157-88a2-bfe937e34e3a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ShowAnswer\",\"type\":10,\"isRequired\":true,\"isGlobal\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\" : false},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\": true}\\r\\n]\",\"label\":\"Show Answer\"},{\"id\":\"4f9a31b5-1f75-42af-85a7-c96af37a0d0c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LetDetected\",\"type\":1,\"query\":\"let result = iff(\\\"{Section}\\\" in ('Let','Union', 'Parse', 'Materialize', 'Function'), true, false);\\r\\nprint(result)\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Error\",\"label\":\"Seeing 
Error\",\"type\":10,\"isRequired\":true,\"isGlobal\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\" : false},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\": true}\\r\\n]\",\"id\":\"9edc3ceb-a3a7-42bd-8ce1-e7ad666934e4\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"customWidth\":\"100\",\"name\":\"parameters - 4 - Copy\"},{\"type\":1,\"content\":{\"json\":\"## Fixing the Error\\r\\n\\r\\nThe error you are seeing is due to workbooks in Azure requiring external data sources to be marked as trusted. As this workbook pulls all of its content from GitHub, the repository must be marked as trusted. This is on a user session level and cannot be set within the workbook template. To fix the error:\\r\\n\\r\\n1. Go into edit mode.\\r\\n2. Under the hidden parameters at the top of the page, click edit.\\r\\n3. Check the box next to json.\\r\\n4. Click on the edit pencil icon.\\r\\n5. Click 'run query'.\\r\\n6. Click 'mark as trusted'.\\r\\n7. Click save.\\r\\n8. Exit edit mode.\\r\\n\\r\\nThe error should be gone and the content will be loaded.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Error\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"The Kusto Query Language is the query language of choice within Microsoft Sentinel, Azure Log Analytics, and Azure Data Explorer. Kusto is similar to SQL in syntax and logic. The basic structure of Kusto appears as so:\\r\\n\\r\\nTable | operator clause/predicate\\r\\n\\r\\nThe table will specify which logs will be queried. 
The operator will dictate what type of filter, action, etc.\",\"style\":\"success\"},\"conditionalVisibilities\":[{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Overview\"},{\"parameterName\":\"ShowDoc\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"}],\"name\":\"Welcome\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## {Section} - Exercise: {Exercise:label}\\r\\n\\r\\n{Markdown}\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"ShowDoc\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"markdown\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"name\":\"NotWelcome\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

\\r\\n![Question](https://shields.io/badge/-Question-informational)\\r\\n
{Question}\\r\\n

\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"name\":\"text - 9\"},{\"type\":1,\"content\":{\"json\":\"

Answer

\\r\\n\\r\\n```\\r\\n{Answer}\\r\\n```\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"ShowAnswer\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"markdown - Copy\"}]},\"customWidth\":\"50\",\"name\":\"Question\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"341ea875-d1ff-4cbc-a9f6-421eeb82368c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Query\",\"type\":1,\"description\":\"Enter KQL query here to answer\",\"isRequired\":true,\"isGlobal\":true,\"typeSettings\":{\"multiLineText\":true,\"editorLanguage\":\"kql\",\"multiLineHeight\":7},\"criteriaData\":[{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"{Dataset:label} | limit 10\"}}],\"timeContext\":{\"durationMs\":86400000},\"label\":\"Put your answer here\"}],\"style\":\"formVertical\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"customWidth\":\"50\",\"name\":\"QueryControl\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Results\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let {Dataset:label} = () {{Dataset}};\\r\\n{Answer}\",\"size\":1,\"title\":\"Expected Results\",\"noDataMessage\":\"Had trouble producing the expected answer\",\"noDataMessageStyle\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":500}},\"customWidth\":\"40\",\"conditionalVisibilities\":[{\"parameterName\":\"Stack\",\"comparison\":\"isNotEqualTo\",\"value\":\"Vertical\"},{\"parameterName\":\"Section\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"Exercise\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"HTarget\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let {Dataset:label} = 
() {{Dataset}};\\r\\n{Query}\",\"size\":1,\"title\":\"Your answer\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Error\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"90%\"}},{\"columnMatch\":\"code\",\"formatter\":5},{\"columnMatch\":\"message\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"90%\"}}],\"rowLimit\":500},\"customWidth\":\"45\",\"conditionalVisibilities\":[{\"parameterName\":\"Stack\",\"comparison\":\"isNotEqualTo\",\"value\":\"Vertical\"},{\"parameterName\":\"Section\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"Exercise\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"HResult\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let get_table_hash = (t:(*)) {\\r\\n t\\r\\n | project packed = pack_all()\\r\\n | summarize list = make_list(packed)\\r\\n | project hashvalue = hash(tostring(list))\\r\\n};\\r\\nlet check_tables_match = (table1:(*), table2:(*)) {\\r\\n get_table_hash(table1)\\r\\n | join get_table_hash(table2) on hashvalue\\r\\n | project match = iff(hashvalue == hashvalue1, true, false)\\r\\n};\\r\\nlet {Dataset:label} = () {{Dataset}};\\r\\nlet answer = {Query};\\r\\nlet correctAnswer = {Answer};\\r\\ncheck_tables_match(answer, correctAnswer)\",\"size\":4,\"noDataMessage\":\"Answer does not seem to be correct\",\"noDataMessageStyle\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"match\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"success\",\"text\":\"Answer is 
Correct\"}]}}],\"rowLimit\":500},\"graphSettings\":{\"type\":0}},\"customWidth\":\"15\",\"conditionalVisibilities\":[{\"parameterName\":\"Query\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},{\"parameterName\":\"Answer\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"LetDetected\",\"comparison\":\"isEqualTo\"}],\"name\":\"Result\"},{\"type\":1,\"content\":{\"json\":\"This exercise includes use of a let statement which cannot be evaluated. Please manually validate if your answer matches the expected results\",\"style\":\"warning\"},\"customWidth\":\"15\",\"conditionalVisibility\":{\"parameterName\":\"LetDetected\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"name\":\"Results\"},{\"type\":1,\"content\":{\"json\":\"Set the path to the Advanced KQL workbook in your environment.
\\r\\n\\r\\nNote: If nothing is within the drop-down, you do not have the workbook deployed in your environment. You can find the workbook within the workbook gallery.\",\"style\":\"info\"},\"conditionalVisibilities\":[{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"String\"},{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Anomalies\"},{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Misc\"}],\"customWidth\":\"50\",\"name\":\"text - 11\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"ed7e252c-2ae9-4be5-9e80-267b0274a9d9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AdvancedKQLWorkbookPath\",\"type\":2,\"query\":\"resources\\r\\n| where type == \\\"microsoft.insights/workbooks\\\"\\r\\n| where properties.displayName has 'advanced KQL for microsoft sentinel'\\r\\n| extend path = trim('[]', id)\\r\\n| project path\\r\\n| take 1\",\"crossComponentResources\":[\"value::selected\"],\"value\":\"\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"name\":\"parameters - 10\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"173f69f1-a9c0-4ebc-a497-3e7354a32236\",\"cellValue\":\"{AdvancedKQLWorkbookPath}\",\"linkTarget\":\"Resource\",\"linkLabel\":\"Advanced KQL Framework\",\"subTarget\":\"Workbook\",\"preText\":\"If you would like to study more advanced 
topics:\",\"style\":\"primary\",\"linkIsContextBlade\":true,\"workbookContext\":{\"componentIdSource\":\"parameter\",\"componentId\":\"AdvancedKQLPath\",\"resourceIdsSource\":\"parameter\",\"resourceIds\":\"AdvancedKQLPath\",\"templateIdSource\":\"parameter\",\"templateId\":\"AdvancedKQLPath\",\"typeSource\":\"workbook\",\"gallerySource\":\"workbook\",\"locationSource\":\"default\"}},{\"id\":\"690a89fe-5c1d-4313-b442-ce059670840f\",\"cellValue\":\"https://aka.ms/lademo\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"ALA Demo\",\"preText\":\"If you would like to test any of the lessons learned, you can use the ALA Demo workspace here: \",\"style\":\"primary\",\"linkIsContextBlade\":true,\"bladeOpenContext\":{\"bladeName\":\"DemoLogsBlade\",\"extensionName\":\"Microsoft_Azure_Monitoring_Logs\"}},{\"id\":\"295f7752-374b-4680-b281-c5cb8b83d384\",\"cellValue\":\"https://aka.ms/introtokqlsurvey\",\"linkTarget\":\"Url\",\"linkLabel\":\"Feedback Form\",\"preText\":\"If you would like to submit feedback for this solution, please click on the form link here: \",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"customWidth\":\"50\",\"name\":\"links - 9\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"IntrotoKQL\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" diff --git a/Solutions/KQL Training/Workbooks/IntrotoKQL.json b/Solutions/KQL Training/Workbooks/IntrotoKQL.json index 0168282870a..28e9ffdff60 100644 --- a/Solutions/KQL Training/Workbooks/IntrotoKQL.json +++ b/Solutions/KQL Training/Workbooks/IntrotoKQL.json 
@@ -355,7 +355,7 @@
 {
 "type": 1,
 "content": {
- "json": "The Kusto Query Language is the query language of choice within Azure Sentinel, Azure Log Analytics, and Azure Data Explorer. Kusto is similar to SQL in syntax and logic. The basic structure of Kusto appears as so:\r\n\r\nTable | operator clause/predicate\r\n\r\nThe table will specify which logs will be queried. The operator will dictate what type of filter, action, etc.",
+ "json": "The Kusto Query Language is the query language of choice within Microsoft Sentinel, Azure Log Analytics, and Azure Data Explorer. Kusto is similar to SQL in syntax and logic. The basic structure of Kusto appears as so:\r\n\r\nTable | operator clause/predicate\r\n\r\nThe table will specify which logs will be queried. The operator will dictate what type of filter, action, etc.",
 "style": "success"
 },
 "conditionalVisibilities": [