

Merge pull request #11366 from dhwanishah-crest/InfobloxInsightIDBugFix
Infoblox Insight ID Bug Fix
v-prasadboke authored Nov 6, 2024
2 parents 296879d + 6fa0ff4 commit 2947ef0
Showing 4 changed files with 64 additions and 63 deletions.
Binary file added Solutions/Infoblox/Package/3.0.1.zip
Binary file not shown.
124 changes: 62 additions & 62 deletions Solutions/Infoblox/Package/mainTemplate.json

Large diffs are not rendered by default.

1 change: 1 addition & 0 deletions Solutions/Infoblox/ReleaseNotes.md
@@ -1,3 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
| 3.0.1 | 07-11-2024 | Byug fix in Infoblox_Workbook **Workbook** |
| 3.0.0 | 15-07-2024 | Initial Solution Release |
2 changes: 1 addition & 1 deletion Solutions/Infoblox/Workbooks/Infoblox_Workbook.json
Expand Up @@ -5540,7 +5540,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let AssetCount = (InfobloxInsightIndicators\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| join kind=inner\r\n(\r\nInfobloxInsightEvents\r\n| where InfobloxInsightID == \"66b112e0-3187-4faa-9357-d229e98002ca\"\r\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\r\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\r\n| where ThreatIndicator1 has_cs ThreatIndicator\r\n| summarize by SourceIP, ThreatIndicator\r\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\r\n\r\n\r\nInfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where isnotempty(ThreatIndicator)\r\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \"All\"\r\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \"All\"\r\n| join\r\n (\r\n AssetCount\r\n ) on ThreatIndicator\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| extend URL = strcat(\"https://csp.infoblox.com/#/security_research/search/auto/\", ThreatIndicator, \"/summary\")\r\n| extend sort_order = case(\r\n ThreatLevel == \"High\", 5,\r\n ThreatLevel == \"Medium\", 4,\r\n ThreatLevel == \"Low\", 3,\r\n ThreatLevel == \"N/A\", 2,\r\n 1 // default case if ThreatLevel doesn't match any of the above\r\n)\r\n| order by sort_order, EventCount desc\r\n| project-away sort_order\r\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\r\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\r\n\r\n",
"query": "let AssetCount = (InfobloxInsightIndicators\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| join kind=inner\r\n(\r\nInfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\r\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\r\n| where ThreatIndicator1 has_cs ThreatIndicator\r\n| summarize by SourceIP, ThreatIndicator\r\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\r\n\r\n\r\nInfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where isnotempty(ThreatIndicator)\r\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \"All\"\r\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \"All\"\r\n| join\r\n (\r\n AssetCount\r\n ) on ThreatIndicator\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| extend URL = strcat(\"https://csp.infoblox.com/#/security_research/search/auto/\", ThreatIndicator, \"/summary\")\r\n| extend sort_order = case(\r\n ThreatLevel == \"High\", 5,\r\n ThreatLevel == \"Medium\", 4,\r\n ThreatLevel == \"Low\", 3,\r\n ThreatLevel == \"N/A\", 2,\r\n 1 // default case if ThreatLevel doesn't match any of the above\r\n)\r\n| order by sort_order, EventCount desc\r\n| project-away sort_order\r\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\r\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\r\n\r\n",
"size": 0,
"showAnalytics": true,
"timeContextFromParameter": "TimeRange",
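Review bot: In the new `query` value, the `AssetCount` subquery still summarizes every `InfobloxInsightIndicators` row with `arg_max(TimeGenerated, *)` before joining on `InfobloxInsightID`, so the row kept for a given indicator is the newest one across all insights; when that row belongs to a different insight, the `join kind=inner` drops the indicator and its asset count for the selected one. Filter the left side the same way the main query already does, inserting `| where InfobloxInsightID == "{InfobloxInsightID}"` directly after the leading `InfobloxInsightIndicators` and before the first `summarize`. Separately, the later `| join (AssetCount) on ThreatIndicator` uses KQL's default `innerunique`, which keeps one arbitrary left row per `ThreatIndicator` before the following `arg_max`; `| join kind=inner (AssetCount) on ThreatIndicator` matches the subquery and keeps every policy action. The `{InfobloxInsightID}` value is spliced into the query text inside a string literal, so it presumably should be a constrained (dropdown) parameter rather than free text — worth confirming against the parameter definition, which, like the rest of this KqlItem object, lies outside the hunk.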
